Okay… some tips on studying WebKit

  • Be patient: many researchers take over a year to find their first bug
  • Study smartly: first understand the root cause of known bugs, then try to find bugs blindly, and finally find real-world bugs
  • To find bugs, try to minimize the scope (a new component, historical issues, or bypasses of old bug fixes)

How does ret2systems arrange their curriculum?

Day 1 - Browser Architecture

  • Breaking down modern browser architectures, major components
  • Setting up a browser research environment, building, debugging
  • Interfacing with different components of the browser (DOM, JS)
  • Introduction to JavaScript
  • JavaScript + DOM interaction, past issues

Day 2 - JavaScript Internals in Exploitation

  • A deep dive into JavaScript engine internals
  • Low-level JavaScript types and natives
  • Garbage collection implementations
  • Current vulnerability pattern found in JS engines
  • Introduction to exploit building blocks (Primitives)

Day 3 - JavaScript JIT Compilers

  • Overview of JIT compiler pipelines
  • JIT debugging and tools
  • Optimizations and typing
  • Type cache and speculation
  • JIT vulnerability classes, contemporary exploits
  • Web Assembly

Day 4 - Exploit Engineering

  • Layering exploit primitives
  • Locating interesting structures
  • Overwriting JIT structures
  • Control flow hijacking
  • Continuation of execution
  • SOP and renderer-only attacks

Day 5 - Vulnerability Discovery and What’s Next

  • Performing independent browser vulnerability research
  • Setting up an effective code auditing workflow
  • Intro to fuzzing browsers
  • Intro to sandboxing / sandbox escapes