V8 Exploitation Series - Part 1


Quick Disclaimer: We do not have definitive knowledge/are not experts of all things V8. Sometimes we will make assumptions about the code, attempting to rely on the existing V8 documentation or articles by members of their team. Also, this knowledge should be used to enhance the security of V8. Please report any vulnerabilities through Google’s responsible disclosure program.

Welcome to the inaugural post for this series on vulnerability research for Google’s V8! We (Pranay Garg and John Johnson) are excited to take a deep dive into everything that you need to get started in this space. We’ll each be publishing half of the posts, so make sure to check out both of our blogs!


Our goal is to give more people the opportunity to look into vulnerability research within Chromium’s JavaScript engine. Many times, learning a new skill comes with feelings like “I don’t know what I don’t know.” There has been plenty of research in this space previously (see the massive list of references at the end), and it can be difficult to know which to read (and worse, what’s outdated!). Our first posts will attempt to document what is already available and give a very high-level summary of the current state of V8 bug hunting and exploitation. Apologies in advance for a lot of “go read this,” but we don’t want to rephrase some of the great articles already out there. Our future posts will introduce more original material as we talk about vulnerabilities and their patches. We will also cover how to stay up to date with changes to the code base for when our information becomes outdated. We highly recommend skimming the links we provide throughout the series, and coming back to this page whenever you need more details on a certain topic.

We believe that there is still a lot of research to be done in this area (and Google does, too). While the V8/Chromium teams have put countless security measures in place, exploitable bugs are still found on a regular basis. We hope to explain the processes for vulnerability discovery and exploitation, as well as the code base, in a way that will allow more people to begin bug hunting and memory safety research.

If you are completely new to V8, see this quick except from the README:

V8 is Google’s open source JavaScript engine. V8 implements ECMAScript as specified in ECMA-262. V8 is written in C++ and is used in Google Chrome, the open source browser from Google. V8 can run standalone, or can be embedded into any C++ application. V8 Project page:

Previous Work

Our goal in this study will be to create as complete a guide as possible to understanding the current state of V8 exploitation, and also its future! However, it would be entirely impossible without the work that has already been accomplished that gave us our own starting point. Here are several references that we used for understanding. There are probably more that we could have listed, but these were the most influential. Many of the topics covered in these articles will be covered in future posts, so there’s no need to fully understand everything on this list. However, this will be a great place to come back to if future posts don’t provide enough information. There’s a list similar to this one on the zon8 blog where you can find even more links.

Getting Started

Introduction to Turbofan by Jeremy Fetiveau

Attacking Turbofan by Jeremy Fetiveau

v8 exploit by Sakura

A guided tour through Chrome’s javascript compiler by Stephen Röttger

Intro to Chrome’s V8 from an exploit development angle by Javier Jimenez

A Deep Dive Into V8 by Diogo Souza

learning-v8 by danbev

v8-starter-guide by push0ebp

An Introduction to Speculative Optimization in V8 by Benedikt Meurer

Node.js V8 internals: an illustrative primer by Vardan Grigoryan

Development Perspective

V8 Docs

Intermediate Representation

Turbofan Design

An overview of the TurboFan compiler

JavaScript Engine Internals by Mathias Bynens

JavaScript Engine Fundamentals by Mathias Bynens

Source to Binary Jounrney of V8 javascript engine by Sakura

A tour of V8: object representation by Jay Conrod

Understanding V8’s Bytecode by Franziska Hinkelmann

NodeJS V8 docs

Exploring Code

Embedding V8

C++ Code guide

Memory structure

Visualizing memory management in V8 Engine by Deepu K Sasidharan

Memory management, JS vs. C++ and understanding V8 by Jasmine Zangi

Writing V8 C++ plugins

Understanding How the Chrome V8 Engine Translates JavaScript into Machine Code by Mayank Tripathi

Embedding V8 in a C++ application by David Erceg

C++: Embedding the V8 JavaScript Engine by Dustin Oprea



Chrome V8 tutorials by vngkv123

V8 debug writeup by Sakura

Modern Attacks on the Chrome Browser by Jeremy Fetiveau

Specific Bugs

Circumventing Chrome’s hardening of typer bugs by Jeremy Fetiveau

A Window of Opportunity by Exodus Intelligence

Patch Gapping Chrome by Exodus Intelligence

A Eulogy for Patch-Gapping Chrome by István Kurucsai and Vignesh S Rao

The hunt for Chromium issue 1072171 by Javier Jimenez

Chrome V8 - -CVE-2019-5782 Tianfu Cup Qihoo 360 S0rrymybad by aSiagaming


CTF Problem Write-ups

Exploiting v8: *CTF 2019 oob-v8 by Syed Faraz Abrar

Exploiting TurboFan Through Bounds Check Elimination by Hanqing Zhao

Exploiting Chrome V8: Krautflare (35C3 CTF 2018) by Jay Bosamiya

Exploiting the Math.expm1 typing bug in V8 by 0x41414141 in ?? ()

General JIT Compiler Exploitation

Attacking JavaScript Engines by Saelo

Exploiting Logic Bugs in JavaScript JIT Engine by Saelo

Blackhat Presentation by Saelo

JITsploitation Series by Saelo

This post is licensed under CC BY 4.0 by the author.