Abstract

WebKit is widely used as a web rendering engine by applications on almost all popular PC platforms, including Windows and Mac OS X, as well as on mobile platforms such as iOS and Android. Usually a single vulnerability in WebKit, whether a logic bug or a memory corruption bug, combined with appropriate exploit techniques can result in remote code execution affecting many applications, regardless of the platform they run on.

After years of security improvements made by Apple, Google, and other companies and communities, WebKit has become one of the most secure web rendering engines. The security improvements mainly focused on reducing the number of critical vulnerabilities such as Use-After-Free and heap overflow bugs. More importantly, exploitation mitigations implemented in WebKit and its corresponding JavaScript engines (JavaScriptCore and V8) have also dramatically increased the difficulty of a successful exploitation.

Difficult, but not impossible.

Despite the strong security, defeating WebKit-based applications is still feasible. In this talk, I will discuss the details of these security enhancements and the approach I took to defeat them. The talk will be illustrated by demos of two exploits. The first one is a WebKit vulnerability deployed using several advanced exploit techniques to deliver remote code execution that doesn't rely on the heap spray technique and can be run reliably on the x64 Safari browser. The second one will demonstrate that similar techniques also apply to mobile applications.

At the end of our talk, we will provide recommendations on how to improve the security of WebKit-based applications.
