Asia-24-Liu-The-Hole-in-Sandbox.pdf

《Asia-24-Liu-The-Hole-in-Sandbox.pdf》由会员分享，可在线阅读，更多相关《Asia-24-Liu-The-Hole-in-Sandbox.pdf（68页珍藏版）》请在三个皮匠报告上搜索。

1、#BHASIA BlackHatEventsThe Hole in Sandbox:The Hole in Sandbox:EscapeEscape Modern WebModern Web-Based App Sandbox From Based App Sandbox From SiteSite-Isolation PerspectiveIsolation PerspectiveBohan Liu,Haibin ShiTencent Security Xuanwu Lab#BHASIA BlackHatEventsWho are weWho are weP4nda20371774Secur

2、ity Researcher at Tencent Security Xuanwu LabMainly Engaged in Browser SecurityGoogle Chrome Bug HunterBohan LiuHaibin ShiAryb1nSecurity Researcher at Tencent Security Xuanwu LabAndroid Security#BHASIA BlackHatEventsIntroductionIntroduction#BHASIA BlackHatEventsMultiMulti-process Architecture in Chr

3、omeprocess Architecture in Chromehttps:/ EngineMemory AllocatorRendering EngineDOMCSSMediaWeb APIs#BHASIA BlackHatEventsSandbox Sandbox in Chromein ChromeJavaScript EngineMemory AllocatorRendering EngineDOMCSSMediaWeb APIsSandboxIPCIPC ClientIPC ServerDo not re-invent the wheel Windows:A restricted

4、token&The Windows job object&The Windows desktop object&Integrity levels Linux:Seccomp-BPF&User namespaces Android:SELinuxPrinciple of least privilege Mandatory access controlled environment Isolated Process when HTML rendering and JavaScriptexecution Limited resource access Limited IPC/kernel inter

5、action access#BHASIA BlackHatEventshttps:/ capabilities of renderer RCEThe capabilities of renderer RCEJavaScript EngineMemory AllocatorRendering EngineDOMCSSMediaWeb APIsSandboxIPCIPC ClientIPC ServerWhat can attacker do with SHELLCODE:1.Invoke limitedsystem calls and Access limitedresources.2.Send

6、 evil IPC with ANYarguments.3.Patch ALLcode in render process.mprotect/etc/hosts#BHASIA BlackHatEventsAny other next-steps after renderer rceexcept Sandbox escape?GPU or network processes RCE Universal Cross Site Scriptinghttps:/ capabilities of renderer RCEThe capabilities of renderer RCERenderer R