Breaking the Chrome Sandbox with Mojo

Conference: Black Hat USA 2022

2022-08-10

Summary

The presentation walks through finding and exploiting a bug in Mojo, Chrome's IPC protocol, and stresses that target-specific knowledge matters for both defense and offense in cybersecurity.
  • Understanding the protocol allowed the presenter to find bugs that a fuzzer could not reach
  • Target-specific primitives can be useful for exploitation
  • Taking a break to watch the movie 'Hackers' inspired the presenter to find a solution to a difficult problem in their work

Abstract

If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight sandbox. Access to OS resources like the file system is greatly restricted, and site isolation still enforces the web security guarantees. To allow such strong restrictions, various IPC services provide the required functionality to the renderer process, and those services can themselves become a target for sandbox escapes. In this talk, we will take a look at Mojo, the IPC framework in Chrome. I will explain the protocol's inner workings using three logic bugs as examples. Finally, we're going to write a reliable exploit for a seemingly impossible race condition.
