V8 Exploitation Series - Part 1

Posted Sep 7, 2020 Updated Sep 29, 2021

By madStacks 5 min read

Welcome

Quick Disclaimer: We do not have definitive knowledge/are not experts of all things V8. Sometimes we will make assumptions about the code, attempting to rely on the existing V8 documentation or articles by members of their team. Also, this knowledge should be used to enhance the security of V8. Please report any vulnerabilities through Google’s responsible disclosure program.

Welcome to the inaugural post for this series on vulnerability research for Google’s V8! We (Pranay Garg and John Johnson) are excited to take a deep dive into everything that you need to get started in this space. We’ll each be publishing half of the posts, so make sure to check out both of our blogs!

Motivation

Our goal is to give more people the opportunity to look into vulnerability research within Chromium’s JavaScript engine. Many times, learning a new skill comes with feelings like “I don’t know what I don’t know.” There has been plenty of research in this space previously (see the massive list of references at the end), and it can be difficult to know which to read (and worse, what’s outdated!). Our first posts will attempt to document what is already available and give a very high-level summary of the current state of V8 bug hunting and exploitation. Apologies in advance for a lot of “go read this,” but we don’t want to rephrase some of the great articles already out there. Our future posts will introduce more original material as we talk about vulnerabilities and their patches. We will also cover how to stay up to date with changes to the code base for when our information becomes outdated. We highly recommend skimming the links we provide throughout the series, and coming back to this page whenever you need more details on a certain topic.

We believe that there is still a lot of research to be done in this area (and Google does, too). While the V8/Chromium teams have put countless security measures in place, exploitable bugs are still found on a regular basis. We hope to explain the processes for vulnerability discovery and exploitation, as well as the code base, in a way that will allow more people to begin bug hunting and memory safety research.

If you are completely new to V8, see this quick except from the README:

V8 is Google’s open source JavaScript engine. V8 implements ECMAScript as specified in ECMA-262. V8 is written in C++ and is used in Google Chrome, the open source browser from Google. V8 can run standalone, or can be embedded into any C++ application. V8 Project page: https://v8.dev/docs

Previous Work

Our goal in this study will be to create as complete a guide as possible to understanding the current state of V8 exploitation, and also its future! However, it would be entirely impossible without the work that has already been accomplished that gave us our own starting point. Here are several references that we used for understanding. There are probably more that we could have listed, but these were the most influential. Many of the topics covered in these articles will be covered in future posts, so there’s no need to fully understand everything on this list. However, this will be a great place to come back to if future posts don’t provide enough information. There’s a list similar to this one on the zon8 blog where you can find even more links.

V8_Series

This post is licensed under CC BY 4.0 by the author.

Welcome

Motivation

Previous Work

Getting Started

Development Perspective

Exploring Code

Memory structure

Writing V8 C++ plugins

Exploitation

Specific Bugs

CTF Problem Write-ups

General JIT Compiler Exploitation

Trending Tags