3. DOM engine
The old-school target
o Less popular
§ Exploit mitigations (e.g., isolated heaps)
§ Heavily tested
o Still a not-so-bad direction
§ Some DOM(-related) objects are not protected
§ Pwn2own 2018 Safari (mwrlabs)
§ DOM misuses JavaScript objects
§ Pwn2own 2018 Edge (fluorescence)
4. Domato – Google Project Zero [2017]
A generation-based approach
(diagram: Fuzzer --static grammar--> HTML --> Browser)
https://github.com/googleprojectzero/domato
5. Reproducibility
Generated HTML files can always be re-tested.
Quality? = (# valid API calls, i.e. no exception) / (# total API calls)
Efficiency: asynchronous testcase generation and testing.
6. “Most of the DOM API calls operate on undefined in an output of Domato.”
7. DOM fuzz revisited
(diagram: XML and CSS describe the state, i.e. the DOM objects, what to manipulate; JavaScript describes the runtime, i.e. the operations, how to manipulate it)
Static grammar based fuzzers fail to describe this inter-dependence.
8. Example 1
var v0 = gl.createBuffer();
gl.deleteBuffer(v0);
gl.bindBuffer(gl.ARRAY_BUFFER, v0);  // binds a deleted (stale) buffer: INVALID_OPERATION, no effect
9. Example 2
var v0 = gl.createBuffer();
gl.bufferData(gl.ARRAY_BUFFER, 0x400, gl.STATIC_DRAW);  // no buffer is bound to ARRAY_BUFFER yet: INVALID_OPERATION, no effect
gl.bindBuffer(gl.ARRAY_BUFFER, v0);
11. Maintain the context while generating
o What should the states of the DOM objects be at runtime?
Emulation-based generation
(diagram: context kept for a WebGL buffer: bound? stale?)
12. Generate DOM API calls based on not only grammar but also context
Emulation-based generation
(diagram: context of the WebGL buffer: bound? stale?)
Do not use gl.bufferData(gl.ARRAY_BUFFER, 0x400, gl.STATIC_DRAW); while the context says no buffer is bound
13. Update the context after each generation
o What is the (potential) side effect of the API (if it succeeds at runtime)?
Emulation-based generation
(diagram: context of WebGL buffer v0: isBound, isStale)
gl.deleteBuffer(v0);                 // context update: v0.isStale
gl.bindBuffer(gl.ARRAY_BUFFER, v0);  // context update: v0.isBound
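As an added example (not the slides' fuzzer), the emulation loop of slides 11-13 for the WebGL buffer calls shown above: a model of every buffer (stale? bound to which target?) decides whether a proposed call may be emitted and is then updated with the call's side effect, and the same model scores a sequence with the valid/total metric. The names Context, BUILDERS, generate and validity and the two-target model are assumptions of this example.

```javascript
// Added example, not the slides' fuzzer. Context/BUILDERS/generate/validity are assumed names;
// the validity rules are the WebGL error cases: binding a deleted buffer and calling
// bufferData with nothing bound both raise INVALID_OPERATION and have no effect.
const TARGETS = ["gl.ARRAY_BUFFER", "gl.ELEMENT_ARRAY_BUFFER"];
const rngFrom = seed => { let s = seed >>> 0; return () => ((s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 2 ** 32); };
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];

// Emulated context: known buffers (false = live, true = stale) and the buffer bound per target.
class Context {
  constructor() { this.buffers = {}; this.bound = {}; }
  live() { return Object.keys(this.buffers).filter(n => !this.buffers[n]); }
  // If `call` is valid in this context, apply its side effect and return true; otherwise false.
  apply(call) {
    let m;
    if ((m = /^var (\w+) = gl\.createBuffer\(\);$/.exec(call))) {
      this.buffers[m[1]] = false;                              // a new live, unbound buffer
    } else if ((m = /^gl\.bindBuffer\((gl\.\w+), (\w+)\);$/.exec(call))) {
      if (this.buffers[m[2]] !== false) return false;          // stale (Example 1) or unknown
      this.bound[m[1]] = m[2];
    } else if ((m = /^gl\.bufferData\((gl\.\w+), .*\);$/.exec(call))) {
      if (!this.bound[m[1]]) return false;                     // nothing bound (Example 2)
    } else if ((m = /^gl\.deleteBuffer\((\w+)\);$/.exec(call))) {
      if (this.buffers[m[1]] !== false) return false;
      this.buffers[m[1]] = true;                               // side effect: stale and unbound
      for (const t of TARGETS) if (this.bound[t] === m[1]) delete this.bound[t];
    } else return false;
    return true;
  }
}

// Grammar side: each builder proposes a call from the current context, or null if none fits.
const BUILDERS = [
  (ctx, rng) => `var v${Object.keys(ctx.buffers).length} = gl.createBuffer();`,
  (ctx, rng) => ctx.live().length ? `gl.bindBuffer(${pick(rng, TARGETS)}, ${pick(rng, ctx.live())});` : null,
  (ctx, rng) => { const t = pick(rng, TARGETS); return ctx.bound[t] ? `gl.bufferData(${t}, 0x400, gl.STATIC_DRAW);` : null; },
  (ctx, rng) => ctx.live().length ? `gl.deleteBuffer(${pick(rng, ctx.live())});` : null,
];
// Generate n calls: the grammar proposes, the emulated context accepts and is updated.
function generate(n, seed) {
  const ctx = new Context(), rng = rngFrom(seed), out = [];
  while (out.length < n) {
    const call = pick(rng, BUILDERS)(ctx, rng);
    if (call !== null && ctx.apply(call)) out.push(call);
  }
  return out;
}
// The quality metric of the Reproducibility slide: # valid API calls / # total API calls.
const validity = calls => { const ctx = new Context(); return calls.filter(c => ctx.apply(c)).length / calls.length; };
```

Replaying Example 1 and Example 2 from the slides through validity() scores each at 2/3, while a generated sequence scores 1.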
18. Generate a (mostly) valid SVG XML
o No parsing error when being loaded
Building random XMLs
(diagram: a generated element consists of a tag and attributes; an attribute value may be an element ID value, a reference, a callback, or a CSS style)
19. Recursive generation based on specification
Building random XMLs
<tag1 attr1=value1 attr2=value2>
<tag2 attr1=value1 attr2=value2>
</tag2>
</tag1>
(annotations: child tags are randomly selected; attributes are randomly selected; attribute values are random)
20. Heuristics
o Different tags/attributes have different weights to be randomly selected
§ Appear more often in the past bugs
§ Suspected to be more vulnerable through documentation study/source review
§ e.g., <animate>
Building random XMLs
21. Specification + context based generation
The context information to be maintained:
o SVG element status
§ live?
§ in XML (rendered)?
o Element tree
§ Parent element
§ Children elements
The first generated XML determines the starting context.
Building random API calls
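As an added example (not the slides' generator) of slides 19-21 together: a recursive, specification-driven SVG generator with weighted tag selection that records the element tree (id, tag, parent, children, live, in XML) as the starting context for API-call generation. SPEC (a handful of SVG tags, their attributes and allowed children) and WEIGHT (the <animate> bias) are assumptions of this example, not the slides' grammar or heuristics.

```javascript
// Added example, not the slides' generator. SPEC (a few SVG tags, their attributes and
// allowed children) and WEIGHT (the <animate> bias of the Heuristics slide) are assumptions.
const rngFrom = seed => { let s = seed >>> 0; return () => ((s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 2 ** 32); };
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];
const num = (rng, max) => Math.floor(rng() * max);
const weightedPick = (rng, names, weight) => {              // heuristic: weighted random tag choice
  let r = rng() * names.reduce((sum, n) => sum + (weight[n] || 1), 0);
  return names.find(n => (r -= weight[n] || 1) < 0) || names[names.length - 1];
};

// Specification: per tag, attribute generators and the child tags the SVG spec allows.
const SPEC = {
  svg:     { attrs: { width: r => num(r, 512), height: r => num(r, 512) }, children: ["rect", "circle", "animate"] },
  rect:    { attrs: { x: r => num(r, 100), width: r => num(r, 100), height: r => num(r, 100), fill: r => pick(r, ["red", "none", "#00f"]) }, children: ["animate"] },
  circle:  { attrs: { cx: r => num(r, 100), r: r => num(r, 50), style: r => `fill:${pick(r, ["red", "blue"])}` }, children: ["animate"] },
  animate: { attrs: { attributeName: r => pick(r, ["x", "r", "width", "cx"]), dur: r => `${1 + num(r, 5)}s`, repeatCount: () => "indefinite" }, children: [] },
};
const WEIGHT = { animate: 4 };                                // <animate> appears in past bugs: pick it more often

// Recursively build an element; every generated element is recorded in `context` (the element tree).
function generateXml(seed, maxDepth = 3, maxChildren = 3) {
  const rng = rngFrom(seed), context = [];
  const build = (tag, parent, depth) => {
    const node = { id: `e${context.length}`, tag, parent: parent ? parent.id : null, children: [], live: true, inXml: true };
    context.push(node);
    if (parent) parent.children.push(node.id);
    const spec = SPEC[tag];
    const attrs = Object.entries(spec.attrs).filter(() => rng() < 0.7)   // randomly selected attributes
      .map(([k, gen]) => ` ${k}="${gen(rng)}"`).join("");
    let body = "";
    if (depth < maxDepth) {
      for (let i = num(rng, maxChildren + 1); i > 0 && spec.children.length; i--) {
        body += build(weightedPick(rng, spec.children, WEIGHT), node, depth + 1); // randomly selected child tags
      }
    }
    const ns = tag === "svg" ? ' xmlns="http://www.w3.org/2000/svg"' : "";
    return `<${tag} id="${node.id}"${ns}${attrs}>${body}</${tag}>`;
  };
  return { xml: build("svg", null, 0), context };
}
```

Because every element is emitted with its own closing tag and only spec-allowed children, the output always parses; the returned context is what the live-element API-call generation of the next slides would start from.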
22. For a live SVG element,
o Invoke a method
Building random API calls
(figure: fuzzer output)
23. For a live SVG element,
o Access or update a property
Building random API calls
(figure: fuzzer output)
o New elements may be created
25. Heuristics
o Similarly, bias on suspicious APIs
o e.g., time/animation-control APIs
§ (un)pauseAnimations
§ setCurrentTime
§ setTimeout
Building random API calls
27. WebGL
A DOM API based on OpenGL ES 2.0
o Create 3D graphics in a web browser with:
(1) OpenGL shading language GLSL
§ C-alike programs
(2) Standard OpenGL APIs described in JavaScript
o Browser support
§ WebGL 2.0: Chrome, Firefox
§ WebGL: Safari, Edge
28. WebGL attack surface
Underlying OpenGL library bugs
o Touchable through DOM APIs
o Several birds with one stone (the same library backs several browsers)
o Pwn2own 2016 Chrome exploit by lokihardt
https://www.zerodayinitiative.com/advisories/ZDI-16-224/
(diagram: Chrome and Firefox -> libANGLE, inside the Renderer)
29. WebGL attack surface
Graphics proxy (OpenGL API bindings) bugs, depending on browser implementation
o Library API misuses
o Pwn2own 2015 Chrome exploit by lokihardt
https://bugs.chromium.org/p/chromium/issues/detail?id=468936
(diagram: Renderer -> Graphics proxy -> OpenGL)
34. Shaders
C-alike programs
o Limited number of variables
o Strong typing
o Limited types
o if/for/while statements
o break/continue
o Vector/Matrix indexing
§ Static length
§ Bound checks
o Vector/Matrix arithmetic operations
35. Shaders
Variable qualifiers for particular usages
o Attributes
o Uniforms
o Textures
o Varyings
Internal variables (e.g., gl_Position)
Check the specification for more details
o WebGL Programming Guide
37. Building random shaders
o Assignment patterns only
§ (qualifier) <type specifier> <identifier> (= expression)
§ <LVal> (= expression)
o Type-based assignment generation
§ Randomly generate LHS with type t
§ Generate RHS expression given type t
o Bias on selecting internal variables
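As an added example (not the slides' generator) of the type-based scheme above: the LHS, and with it the type t, is chosen first (a new local, an existing local, or, with a bias, an internal variable such as gl_Position), then an RHS expression of exactly type t is built recursively from literals, variables, same-type arithmetic, scalar products, constructors, constant in-bounds indexing and swizzles, so each assignment type-checks. INPUTS, INTERNAL and INTERNAL_BIAS are assumptions of this example.

```javascript
// Added example, not the slides' generator. INPUTS, INTERNAL and INTERNAL_BIAS are assumed;
// every expression is built for a requested type, so each assignment type-checks in GLSL ES 1.0.
const rngFrom = seed => { let s = seed >>> 0; return () => ((s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 2 ** 32); };
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];
const dim = t => (t === "float" ? 1 : Number(t[3]));                  // float -> 1, vec2..vec4 -> 2..4
const INPUTS = { a_pos: "vec3", u_time: "float", u_color: "vec4" };   // qualified, read-only variables
const INTERNAL = { gl_Position: "vec4", gl_PointSize: "float" };       // writable vertex-shader built-ins
const INTERNAL_BIAS = 0.4;                                             // how often the LHS is a built-in

// Random expression of exactly type t; `vars` maps every readable name to its type.
function expr(t, vars, rng, depth) {
  const n = dim(t), same = Object.keys(vars).filter(v => vars[v] === t);
  const lit = () => { const f = () => (rng() * 4).toFixed(1); return n === 1 ? f() : `${t}(${Array.from({ length: n }, f).join(", ")})`; };
  const leaf = () => (same.length && rng() < 0.6 ? pick(rng, same) : lit());
  if (depth === 0) return leaf();
  const sub = ty => expr(ty, vars, rng, depth - 1);
  switch (Math.floor(rng() * 5)) {
    case 0: return `(${sub(t)} ${pick(rng, ["+", "-", "*"])} ${sub(t)})`;       // same-type arithmetic
    case 1: return `(${sub("float")} * ${sub(t)})`;                              // scalar * t is always t
    case 2: return n === 1 ? `${sub("vec4")}[${Math.floor(rng() * 4)}]`          // constant in-bounds index
                           : `${t}(${Array.from({ length: n }, () => sub("float")).join(", ")})`; // constructor
    case 3: return n < 4 ? `${sub("vec4")}.${"xyzw".slice(0, n)}` : leaf();     // swizzle down from vec4
    default: return leaf();
  }
}
// One assignment: choose the LHS (and so the type t) first, then an RHS of type t.
function assignment(locals, rng) {
  const vars = { ...INPUTS, ...locals };
  if (rng() < INTERNAL_BIAS) {                                   // "<LVal> = expression" on a built-in
    const name = pick(rng, Object.keys(INTERNAL));
    return `${name} = ${expr(INTERNAL[name], vars, rng, 2)};`;
  }
  const t = pick(rng, ["float", "vec2", "vec3", "vec4"]);
  const same = Object.keys(locals).filter(v => locals[v] === t);
  if (same.length && rng() < 0.5) return `${pick(rng, same)} = ${expr(t, vars, rng, 2)};`;  // reassign a local
  const rhs = expr(t, vars, rng, 2);                             // RHS built before the new local is visible
  const name = `v${Object.keys(locals).length}`;
  locals[name] = t;
  return `${t} ${name} = ${rhs};`;                               // "<type specifier> <identifier> = expression"
}
// A vertex shader with n generated assignments in main().
function generateShader(n, seed) {
  const rng = rngFrom(seed), locals = {}, body = [];
  for (let i = 0; i < n; i++) body.push("  " + assignment(locals, rng));
  const decls = Object.entries(INPUTS).map(([k, t]) => `${k.startsWith("a_") ? "attribute" : "uniform"} ${t} ${k};`);
  return [...decls, "void main() {", ...body, "}"].join("\n");
}
```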
39. Building random API calls
Context for generating API calls includes:
o Qualified variables in the shaders
§ uniforms/attributes/varyings
o WebGL object status (live?)
§ WebGL(Buffer/Framebuffer/Renderbuffer)
§ isBound?
§ WebGLQuery
§ WebGLSampler
§ WebGLVertexArrayObject
etc.
We omit generation details here
46. WebKit Bug 195068
o Invalid truncation to 32-bit uint
o Allocation size is much smaller than the stored size value
47. WebKit Bug 195068
(figure: code excerpt, marked [*])
[*]: m_byteLength = 0xf00000000 >> 0x41414141
o Write arbitrary values at arbitrary offsets -> RCE
o Triggerable on Linux only
§ The OpenGL library on mac does not support a WebGL buffer of more than 4G