Reviving JIT Vulnerabilities: Unleashing the Power of Maglev Compiler Bugs on Chrome Browser

...In this presentation, we will investigate the design principles of Maglev. We will then share our experience of vulnerability research and exploitation of the Maglev JIT compiler, building on our understanding of Turbofan. First, we will compare and analyze the design principles of Maglev and Turbofan, thereby identifying Maglev's potential attack surface. Next, we will demonstrate how to carry security research experience over from Turbofan to Maglev. We have improved the vulnerability exploration methods from three perspectives, crash-based fuzzing, correctness-oriented fuzzing, and CodeQL, in order to find vulnerabilities efficiently. Through this methodology, we found numerous bugs in Maglev, ultimately identifying and reporting 7 high-risk vulnerabilities. We will summarize and present the intriguing attack surfaces encountered during our research. Finally, we will demonstrate the exploitation of one of these vulnerabilities, achieving renderer RCE....

By: Bohan Liu, Zheng Wang xmzyshypnc

Full Abstract and Presentation Materials: #reviving-jit-vulnerabilities-unleashing-the-power-of-maglev-compiler-bugs-on-chrome-browser-34437