Byoungyoung Lee

We are going BlackHat! https://www.blackhat.com/us-14/briefings.html#abusing-performance-optimization-weaknesses-to-bypass-aslr … #BHUSA

I guess ppl didn't get this http://trac.webkit.org/changeset/155563 … Remember FF hash table leaks?Safari (experimental feature) also had similar vulnerability

Can we find the crypto backdoor in a reasonable time? Guess we must be able to do it in the polynomial time? based on http://www.iacr.org/archive/crypto2001/21390001.pdf …

Things we did @blue9057 - Partial Information Leakage in Hash Table implementations : http://trac.webkit.org/changeset/155563 …

Yeah. Pretty awkward naming, isn't it? @chrisbisnett

Wow... was it acronym? I thought they just want to mean it's wtf complicated @NTarakanov

When my fuzzer hit uaf on Webkit's WTF, I said WTF? Always wondering what this "WTF" means.

Have you checked this out?:) http://old.nabble.com/RenderArena%3A-Teaching-an-old-dog-new-tricks-td34677159.html … @securitea @scarybeasts

We got confirmed 2 use-after-free and 1 heap-overflow in chrome after having three weeks of less-eat,less-sleep, and more-coding :)

Seems this is the attempt in blink: https://chromium.googlesource.com/chromium/blink/+/master/Source/wtf/PartitionAlloc.h … Take a look at the security properties.

This was a discussion over how to better mitigate use-after-free on webkit/chrome. Using slab allocator is one suggestion, but controvertial

Chris Neklar and Chris Evans didn't realize or understand the problems listed above, and didn't tackle them. From http://old.nabble.com/RenderArena%3A-Teaching-an-old-dog-new-tricks-td34677159.html ….

Old day fuzzing was all about finding exploitable one out of tons of crashes. Today, it's about finding reproducible ones out of a few uaf?

Well. The first use-after-free chrome bug from my DOM/JS fuzzer turned out to be duplicate bugs. Lesson? Still fuzzing works on chrome :)