Description
A presentation showing how incorrect optimizations in a JIT (Just-In-Time) engine can lead to out-of-bounds reads and writes.
I was given the honor of presenting a small talk for NUS Security Wednesday. The main goal was to do a small case study on CVE-2021-30599, a bug reported by @manfp in the Google Chrome V8 JavaScript engine. The bug report was really well written, and so, unlike my previous analyses, I aimed to “reverse engineer” the author’s thought process during the exploit development.
The reason is that the bug found was seemingly harmless, but @manfp managed to transform it into a type-confusion bug leading to out-of-bounds access, and he chained that with a typer hardening bypass in Chrome V8 to eventually achieve RCE in the renderer process. In the quest to find out how that happened, I studied how he did it with the help of Turbolizer (a visualization tool that shows the optimization process and dependencies within the JIT engine).
You can download the pptx slides from GitHub.