I'm very excited to share my blogpost series (including PoC code) about a remote, interactionless iPhone exploit over iMessage: googleprojectzero.blogspot.com/2020/01/remote
Pinned Tweet
Show this thread
Follow
Samuel Groß
@5aelo
V8 Security technical lead. Previously Project Zero. Personal account. Also @saelo@chaos.social
Samuel Groß’s Tweets
These #Phrack articles by are the best primers on attacking #JavaScript engines
A case study of JavaScriptCore and CVE-2016-4622
phrack.org/issues/70/3.ht
#Exploiting Logic #Bugs in JavaScript JIT Engines
phrack.org/issues/70/9.ht
1
24
83
Fuzzilli (github.com/googleprojectz), the great coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language built by , is finally documented in a paper. You can find the paper at ndss-symposium.org/ndss-paper/fuz
Quote Tweet
Fascinating discussion ongoing in Fuzzing session at #NDSS23: FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities.
25
80
With github.com/googleprojectz Fuzzilli now finally has a (supported) JavaScript-to-FuzzIL compiler, making it possible to import and mutate existing JavaScript code. It's not feature complete (contributions welcome!) but should support the most important things. Happy Fuzzing!
32
124
We just released Fuzzilli v0.9.3: github.com/googleprojectz
... and more cool stuff is coming soon :)
Happy Fuzzing!
36
164
Here are some slides about the V8 Sandboxing project that I prepared for an internal talk but figured I could also share more widely:
65
222
Some fun bugs found by Fuzzilli's new ProbingMutator (github.com/googleprojectz):
- bugs.chromium.org/p/chromium/iss
- bugzilla.mozilla.org/show_bug.cgi?i
While these particular bugs don't have security impact, it's nice to see that Fuzzilli can now find these 2016-era JS engine bugs fairly easily.
17
75
I’m really excited for us to shed light on some really cool work we’ve been doing to harden the XNU allocator! This has been a huge effort by so many people, and I’m very proud of the direction:
9
120
422
4
36
171
A new "ExplorationMutator" for Fuzzilli: github.com/googleprojectz
This mutator allows better selection of "useful" actions to perform on existing values and objects in the mutated program.
Happy fuzzing!
28
106
New V8 Sandbox design document on how to sandboxify pointers to objects outside the sandbox such as DOM nodes ("external pointers"):
55
168
Excited to publish my writeup of a novel iOS in-the-wild exploit: The curious case of the fake Carrier .app: googleprojectzero.blogspot.com/2022/06/curiou
17
289
807
Show this thread
Here's the link to the public high-level overview document for the sandbox:
14
98
Show this thread
Unfortunately my BlackHat US submission about the V8 sandbox was rejected, but we should still have some cool announcements to share about how we're making V8 harder to exploit soon. In any case I'll be around at the conference! :)
6
7
186
Show this thread
Feel like corrupting some memory in V8? Now there's an API for that! chromium.googlesource.com/v8/v8/+/4a12cb
6
56
291
The recording of 's and my talk "Attacking JavaScript Engines in 2022" is now on YouTube:
5
88
320
Show this thread
The video of my talk about MTE is now published! Technical overview of the extension, applications, security properties, and practical examples. Check it out :)
2
31
99
Today we're publishing a follow-up post looking at the sandbox escape used by FORCEDENTRY: googleprojectzero.blogspot.com/2022/03/forced
16
257
650
The recording of our "A Brief History of iMessage Exploitation" talk can now be found here: youtu.be/lIlg1MpEL8o Thanks for the great conference!
3
64
233
Show this thread
I'm excited (and also a little sad) to announce that after 3 fantastic years with Project Zero, it's time for me to try something new. So starting this month, I'll be building up and leading a new V8 security team at Google!
37
39
988
Show this thread
Slides from our ( and myself) talk „A Brief History of iMessage Exploitation“ talk . Recording coming soon as well! saelo.github.io/presentations/
1
110
290
Awesome to see the (upcoming) V8 Sandbox already showing up in CTFs! Really enjoying those writeups by @r3tr0sp3ct2019 (twitter.com/r3tr0sp3ct2019) and (twitter.com/ky1ebot/status)
19
109
Here are the slides from the "Attacking JavaScript Engines in 2022" talk by and myself . It's a high-level talk about JS, JIT, various bug classes, and typical exploitation flows but with lots of references for further digging! saelo.github.io/presentations/
6
282
763
Today I'm releasing my JavaScript/v8 Fuzzer JS Raider. I developed the fuzzer for my master thesis and later improved the code for the "Fuzzilli Research Grant Program". You can find the source code, results and my key learnings in my blog post at: apt29a.blogspot.com/2022/01/fuzzin
5
159
398
Wie funktionierte der leider ziemlich phänomenale iPhone-Zero-Click-Exploit von NSO? Ich wollte die Analyse von Googles Project Zero unbedingt verstehen und habe sie nun für mich und euch „übersetzt“. Mit freundlicher Unterstützung von . spiegel.de/netzwelt/gadge (€)
2
7
25
I usually let the team's work speak for itself, but I wanted to make sure a few larger points aren't lost in this work.
Firstly, the takeaway here isn't "NSO exceptionalism". It's just that NSO was caught this time and we get a peek at how they are attacking iOS/iMessage.
5
67
153
Show this thread
Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists,
activists and dissidents around the world. googleprojectzero.blogspot.com/2021/12/a-deep
71
2,199
4,751
Show this thread
31
160
All of this will likely take a couple of iterations (reserving lots of virtual memory can be surprisingly complex...), and we'll need to add support for Android as well (or rather, Linux on ARM64). But it's an important first step for the V8 sandbox. EOF
19
Show this thread
If all goes well and we are confident that the cage works everywhere, we'll enable CagedPointers. Objects in the cage then reference each other through offsets instead of pointers, stopping exploits from (ab)using them for arbitrary memory read/write (i.e. a v8 sandbox escape).
4
17
Show this thread
When the cage is enabled, V8 tries to reserve 1TB of virtual address space and will place its heaps, ArrayBuffers, and WASM memory in there. To allow for a smooth rollout, we can still fall back to allocating these objects outside the cage (or not creating a cage at all) though.
1
1
10
Show this thread
First, for details about the cage see docs.google.com/document/d/17I, for a high-level overview of the V8 sandboxing project see docs.google.com/document/d/1FM (it still lacks a proper name though :))
1
7
31
Show this thread
This week we are starting an experiment that enables V8's Virtual Memory Cage in Chrome on Desktop (currently only on Dev + Canary channels, then Beta and finally Stable). Here is how that'll work:
3
71
263
Show this thread
New Project Zero blog post: Fuzzing Closed-Source JavaScript Engines with Coverage Feedback, googleprojectzero.blogspot.com/2021/09/fuzzin
4
201
449