The world of Browsers is dominated by 4 major players:
- Chromium/Chrome (Blink-Engine)
- Firefox (Gecko-Engine)
- Safari (WebKit-Engine)
- Edge (Blink-Engine (former EdgeHTML-Engine)
The following is split into two parts:
- Information that helps to understand their architecture and implementation and how to build them from sources
- Information that helps finding their calculator popping feature
- Engines
- Exploitation
- Tools
- JavaScript Docs
- Javascript Engine Fundamentals: the good, the bad, and the ugly
- Javascript Engine Fundamentals: Shapes and Inline Caches
- JavaScript Engines - how do they even (Video)
Of course you can use you're own favorite setup to browse the sources. However, those repos are relatively large and I tried a couple different setups until I found something that worked for me. So if you don't have good setup already, here are a couple of my experiences that might help you:
- CTags (+Vim): Works well with following references and calls. If you're used to navigate through large source-trees with this puristic setup, it can be a good option for you. The downside being of course the lack of the features most of the big IDEs come with nowadays.
- CLion: I use JetBrain products for a lot of my coding activities, but CLion didn't work well for me, especially following references. Of course this might be due to setup issues.
- Eclipse: I haven't used it in a while, but this turned out to be a good option. Unfortunately, it takes a lot of resources for the indexer to run through the code.
- Here is a setup description for the Chromium-Project, but it works similarly for the other projects as well.
- ccls+VSCode This is the best option for me so far. ccls is very fast with indexing the repos and works great with VSCode. You can also combine it with other editors and IDEs see https://github.com/MaskRay/ccls/wiki/Editor-Configuration
Articles:
The JavaScript-Engine of Blink is V8.
Project | GitHub | Source | How2Build
Build (Ubuntu 18.04):
$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
$ export PATH=$PATH:./depot_tools
$ gclient
$ mkdir ./v8 && cd ./v8
$ fetch v8 && cd v8
$ git pull
$ gclient sync
$ ./build/install-build-deps.sh
$ tools/dev/gm.py x64.release
$ out/x64.release/d8
Useful flags:
--print-opt-code
: code generated by optimizing compiler--print-byte-code
: bytecode generated by interpreter--trace-ic
: different object types a call site encouters--trace-opt
and--trace-deopt
: which functions are (de)optimized--trace-turbo
: TurboFan traces for the Turbolizer visualization
Articles:
V8 provides a visualization for TurboFan called Turbolizer
Articles:
- Run v8 with
--trace-turbo
:d8 --trace-turbo foo.js
- Generates json files e.g.
turbo-foo-0.json
- Goto
v8/tools/turbolizer
and install with npm as described inREADME.md
- Serve directory e.g.
python -m SimpleHTTPServer 8000
- Browse to
localhost:8000
and openturbo-foo-0.json
The JavaScript-Engine of Gecko is Spidermonkey.
Build (Ubuntu 18.04):
$ wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
$ git clone https://github.com/mozilla/gecko-dev.git && cd gecko-dev
$ cd js/src
$ autoconf2.13
# This name should end with "_DBG.OBJ" to make the version control system ignore it.
$ mkdir build_DBG.OBJ
$ cd build_DBG.OBJ
$ ../configure --enable-debug --disable-optimize
# Use "mozmake" on Windows
$ make -j 6
$ js/src/js
Spidermonkey provides a visualization for IonMonkey called IonGraph
The JavaScript-Engine of Webkit is JavaScriptCore (JSC).
Articles:
- Runtime: Source/JavaScriptCore/runtime
# sudo apt install libicu-dev python ruby bison flex cmake build-essential ninja-build git gperf
$ git clone git://git.webkit.org/WebKit.git && cd WebKit
$ Tools/gtk/install-dependencies
$ Tools/Scripts/build-webkit --jsc-only --debug
$ cd WebKitBuild/Release
$ LD_LIBRARY_PATH=./lib bin/jsc
WebKit has a 4-Layer JIT-Compiler system, representing the tradeoff between overhead performance cost and performance benefit.
Articles:
- LLInt (Low Level Interpreter)
- Baseline JIT
- DFG JIT (Data Flow Graph JIT)
- FTL JIT (Faster Than Light Just In Time compiler)
Since Edge switched to Blink and the Chromium Project as its Rendering-Engine, Edge is using v8. Originally, Edge had is own Rendering-Engine called EdgeHTML, which used the ChakraCore JavaScript-Engine.
# To build ChakraCore on Linux: (requires Clang 3.7+ and Python 2)
$ apt-get install -y git build-essential cmake clang libicu-dev libunwind8-dev
$ git clone https://github.com/Microsoft/ChakraCore && cd ChakraCore
$ ./build.sh --cc=/usr/bin/clang-3.9 --cxx=/usr/bin/clang++-3.9 --arch=amd64 --debug
$ out/Debug/ch
- Saelo: Attacking JavaScript-Engines
- Awesome-Browser-Exploitation
- Attacking WebKit applications (Slides)
- Saelo: Attacking Client-Side JIT Compilers - BlackHat 2018
- j0nathanj: From Zero to ZeroDay (Finding a Chakra Zero Day)
- Saelo: Fuzzili - (Guided-)fuzzing for JavaScript engines
- Exploiting TurboFan Through Bounds Check Elimination
- saelo: Exploiting Logic Bugs in JavaScript JIT Engines
- 34c3: v9
- 35c3: Krautflare
- CSAW-Finals-2018: ES1337
- Plaid CTF 2018: Roll a dice
- Google CTF Finals 2018: Just In Time
- *CTF 2019: oob-v8
- RealWorldCTF Quals 2019: accessible
- MobilePwn2Own 2013 - Chrome on Android
- https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
- niklasb: Chrome IPC Exploitation
- CVE-2019-5782 Write-Up
- CVE-2019-5790
- CVE-2019-5786 Chrome Remote Code Execution Vulnerability Analysis
- Playing around with SpiderMonkey
- OR'LYEH? The Shadow over Firefox
- A journey into IonMonkey: root-causing CVE-2019-9810
- 33c3: Feuerfuchs
- Blaze 2018: blazefox
- Sources
- WriteUp
- WriteUp (Exploit-Script)
- WriteUp (Exploit-Script)
- Build+WriteUp
- 35c3 FunFox
- Introduction to SpiderMonkey exploitation
- Use-after-free in Spidermonkey (Beta 53)
- https://saelo.github.io/posts/firefox-script-loader-overflow.html
- Use-after-free in SpiderMonkey (64.0a1)
- CVE-2019-11707 Type Confusion
- CVE-2019-11708 & CVE-2019-9810
- http://www.phrack.org/papers/attacking_javascript_engines.html
- Fuzzing Webkit and analysis of CVE-2019-8375
- CVE-2017-2446 WriteUp
- https://saelo.github.io/posts/jsc-typedarray.slice-infoleak.html
- https://github.com/saelo/pwn2own2018/tree/master/stage0
- https://github.com/LinusHenze/WebKit-RegEx-Exploit
- https://github.com/W00dL3cs/exploit_playground/tree/master/JavaScriptCore
- Heap-hardening
- CagedPtr Source & ArrayBuffer Example
- bkth: Tale of Chakra Bugs
- bkth: Attacking Edge Through the JavaScript-Compiler
- Plaid 2017: chakrazy
- N1CTF 2018: Chakra
- RealWorldCTF Quals 2019: Appetizer
- Trend Micro CTF 2019: ChakraCore 400
- bkth, S0rryMyBad: Non JIT Bug, JIT Exploit
- shadow jemalloc heap exploitation framework (heap allocator used by Firefox)