V8 Exploitation Series - Part 1
Welcome
Quick Disclaimer: We do not have definitive knowledge/are not experts of all things V8. Sometimes we will make assumptions about the code, attempting to rely on the existing V8 documentation or articles by members of their team. Also, this knowledge should be used to enhance the security of V8. Please report any vulnerabilities through Google’s responsible disclosure program.
Welcome to the inaugural post for this series on vulnerability research for Google’s V8! We (Pranay Garg and John Johnson) are excited to take a deep dive into everything that you need to get started in this space. We’ll each be publishing half of the posts, so make sure to check out both of our blogs!
Motivation
Our goal is to give more people the opportunity to look into vulnerability research within Chromium’s JavaScript engine. Many times, learning a new skill comes with feelings like “I don’t know what I don’t know.” There has been plenty of research in this space previously (see the massive list of references at the end), and it can be difficult to know which to read (and worse, what’s outdated!). Our first posts will attempt to document what is already available and give a very high-level summary of the current state of V8 bug hunting and exploitation. Apologies in advance for a lot of “go read this,” but we don’t want to rephrase some of the great articles already out there. Our future posts will introduce more original material as we talk about vulnerabilities and their patches. We will also cover how to stay up to date with changes to the code base for when our information becomes outdated. We highly recommend skimming the links we provide throughout the series, and coming back to this page whenever you need more details on a certain topic.
We believe that there is still a lot of research to be done in this area (and Google does, too). While the V8/Chromium teams have put countless security measures in place, exploitable bugs are still found on a regular basis. We hope to explain the processes for vulnerability discovery and exploitation, as well as the code base, in a way that will allow more people to begin bug hunting and memory safety research.
If you are completely new to V8, see this quick except from the README:
V8 is Google’s open source JavaScript engine. V8 implements ECMAScript as specified in ECMA-262. V8 is written in C++ and is used in Google Chrome, the open source browser from Google. V8 can run standalone, or can be embedded into any C++ application. V8 Project page: https://v8.dev/docs
Previous Work
Our goal in this study will be to create as complete a guide as possible to understanding the current state of V8 exploitation, and also its future! However, it would be entirely impossible without the work that has already been accomplished that gave us our own starting point. Here are several references that we used for understanding. There are probably more that we could have listed, but these were the most influential. Many of the topics covered in these articles will be covered in future posts, so there’s no need to fully understand everything on this list. However, this will be a great place to come back to if future posts don’t provide enough information. There’s a list similar to this one on the zon8 blog where you can find even more links.
Getting Started
Introduction to Turbofan by Jeremy Fetiveau
Attacking Turbofan by Jeremy Fetiveau
A guided tour through Chrome’s javascript compiler by Stephen Röttger
Intro to Chrome’s V8 from an exploit development angle by Javier Jimenez
A Deep Dive Into V8 by Diogo Souza
An Introduction to Speculative Optimization in V8 by Benedikt Meurer
Node.js V8 internals: an illustrative primer by Vardan Grigoryan
Development Perspective
An overview of the TurboFan compiler
JavaScript Engine Internals by Mathias Bynens
JavaScript Engine Fundamentals by Mathias Bynens
Source to Binary Jounrney of V8 javascript engine by Sakura
A tour of V8: object representation by Jay Conrod
Understanding V8’s Bytecode by Franziska Hinkelmann
Exploring Code
Memory structure
Visualizing memory management in V8 Engine by Deepu K Sasidharan
Memory management, JS vs. C++ and understanding V8 by Jasmine Zangi
Writing V8 C++ plugins
Understanding How the Chrome V8 Engine Translates JavaScript into Machine Code by Mayank Tripathi
Embedding V8 in a C++ application by David Erceg
C++: Embedding the V8 JavaScript Engine by Dustin Oprea
Exploitation
Chrome V8 tutorials by vngkv123
Modern Attacks on the Chrome Browser by Jeremy Fetiveau
Specific Bugs
Circumventing Chrome’s hardening of typer bugs by Jeremy Fetiveau
A Window of Opportunity by Exodus Intelligence
Patch Gapping Chrome by Exodus Intelligence
A Eulogy for Patch-Gapping Chrome by István Kurucsai and Vignesh S Rao
The hunt for Chromium issue 1072171 by Javier Jimenez
Chrome V8 - -CVE-2019-5782 Tianfu Cup Qihoo 360 S0rrymybad by aSiagaming
SIMPLE BUGS WITH COMPLEX EXPLOITS by Syed Faraz Abrar
CTF Problem Write-ups
Exploiting v8: *CTF 2019 oob-v8 by Syed Faraz Abrar
Exploiting TurboFan Through Bounds Check Elimination by Hanqing Zhao
Exploiting Chrome V8: Krautflare (35C3 CTF 2018) by Jay Bosamiya
Exploiting the Math.expm1 typing bug in V8 by 0x41414141 in ?? ()
General JIT Compiler Exploitation
Attacking JavaScript Engines by Saelo
Exploiting Logic Bugs in JavaScript JIT Engine by Saelo