WebKit-Study
Okay, some tips on studying WebKit:
- Be patient: many researchers take over a year to find their first bug
- Study smartly: first understand the root cause of known bugs, then try to find bugs blindly (without hints), and finally move on to finding real-world bugs
- To find bugs, narrow the scope: new components, components with a history of issues, or bypasses of old bug fixes
How does ret2system arrange their learning? Their course outline:
Day 1 - Browser Architecture
- Breaking down modern browser architectures, major components
- Setting up a browser research environment, building, debugging
- Interfacing with different components of the browser (DOM, JS)
- Introduction to JavaScript
- JavaScript + DOM interaction, past issues
Day 2 - JavaScript Internals in Exploitation
- A deep dive into JavaScript engine internals
- Low-level JavaScript types and natives
- Garbage collection implementations
- Current vulnerability patterns found in JS engines
- Introduction to exploit building blocks (Primitives)
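As an added example (not part of these notes or of ret2system's course material), the first helper most people write when they reach the "low-level types" and "primitives" topics of Day 2: reinterpreting the 64 raw bits of a JS double. Engine heap values are commonly read and written through doubles in exploit primitives, so being able to move between a double and its integer bit pattern is the building block everything else is layered on. The 32-bit-halves helper assumes a little-endian host (x86-64, arm64).

```javascript
// Added example, not code from the original page or from ret2system.
// Reinterpret the bits of a double using a shared ArrayBuffer: typed-array
// views over the same buffer read the same 8 bytes as different types.
const buf = new ArrayBuffer(8);
const f64 = new Float64Array(buf);
const u32 = new Uint32Array(buf);
const u64 = new BigUint64Array(buf);

// double -> 64-bit integer bit pattern (BigInt)
function f2i(d) {
  f64[0] = d;
  return u64[0];
}

// 64-bit integer bit pattern (BigInt) -> double
function i2f(i) {
  u64[0] = BigInt.asUintN(64, i); // mask to 64 bits so out-of-range BigInts wrap
  return f64[0];
}

// split a double into its low/high 32-bit halves
// (assumes a little-endian host: u32[0] is the low word)
function f2halves(d) {
  f64[0] = d;
  return { lo: u32[0], hi: u32[1] };
}

// pretty-print a 64-bit pattern as 16 hex digits
function hex64(i) {
  return "0x" + BigInt.asUintN(64, i).toString(16).padStart(16, "0");
}

// Does a bit pattern survive a round trip through a double? Normal values do;
// patterns in the NaN range may be canonicalized by the engine, which is why
// exploit code avoids storing attacker-controlled data as NaN-range doubles.
function roundTrips(i) {
  return f2i(i2f(i)) === BigInt.asUintN(64, i);
}

// Demonstration: 1.0 is IEEE-754 0x3ff0000000000000, and -0 differs from 0 only in the sign bit.
console.log(hex64(f2i(1.0)));                       // 0x3ff0000000000000
console.log(hex64(f2i(-0)));                        // 0x8000000000000000
console.log(f2halves(1.0));                         // { lo: 0, hi: 0x3ff00000 }
console.log(roundTrips(0x4141414141414141n));       // true
```

The same buffer trick is what lets an exploit treat an engine-controlled double as an address and back again, so it is worth being fluent with it before moving on to the engine-specific value encodings covered in the JIT material.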
Day 3 - JavaScript JIT Compilers
- Overview of JIT compiler pipelines
- JIT debugging and tools
- Optimizations and typing
- Type cache and speculation
- JIT vulnerability classes, contemporary exploits
- WebAssembly
Day 4 - Exploit Engineering
- Layering exploit primitives
- Locating interesting structures
- Overwriting JIT structures
- Control flow hijacking
- Continuation of execution
- SOP (Same-Origin Policy) bypasses and renderer-only attacks
Day 5 - Vulnerability Discovery and What’s Next
- Performing independent browser vulnerability research
- Setting up an effective code auditing workflow
- Intro to fuzzing browsers
- Intro to sandboxing / sandbox escapes