The Most Secure Browser? Pwning Chrome from 2016 to 2019

Browser security is a perennial topic in security research. Thanks to careful design and long-term effort, browsers have become more and more secure. The last time Chrome was pwned at Pwn2Own dates back to Mobile Pwn2Own 2016, where we, Keen Security Lab of Tencent, pwned a Nexus 6P via the Chrome browser. This year, we will share the full, in-depth details of our research on Chrome security.

JavaScript engines are an attractive target for browser attackers. Security researchers have published impressive methods such as CodeAlchemist and Fuzzilli. We developed a methodology called Semantic Equivalent Transform (SET), which is distinct because it is:

  • Simple. SET is inherently immune to grammar and semantic errors, so we do not need to write a lot of analysis code.
  • Effective. We have found 8 Pwn2Own-usable v8 bugs with it in the past three years.
  • Versatile. There are many scenarios where SET can play a role.

We will then share the novel exploitation techniques we used in Pwn2Own. For instance, although most researchers have realized that the JIT is a good target for bug hunting, few have noticed that the JIT can also be used for exploitation. We will show how we used some general JIT fragments to exploit low-quality bugs. After that, we will share other interesting cases and our latest bug.

Finally, we will share our recent research on sandbox bypass. We have pwned Chrome three times since 2016. We will share the details of our IPC bugs and bring a demo from when we pwned Chrome in March 2019.

To the best of our knowledge, this presentation will be the first public talk to cover a complete methodology for pwning Chrome: finding and exploiting bugs in both v8 and the sandbox.
