This week we are starting an experiment that enables V8's Virtual Memory Cage in Chrome on Desktop (currently only on Dev + Canary channels, then Beta and finally Stable). Here is how that'll work:
First, for details about the cage see docs.google.com/document/d/17I…; for a high-level overview of the V8 sandboxing project see docs.google.com/document/d/1FM… (it still lacks a proper name though :))
Jun 25, 2019 • 7 tweets • 4 min read
Thanks to @coinbase I've had a chance to look at the in-the-wild exploit for the recent Firefox 0day (the RCE) that they caught. Tl;dr: it looks a lot like a bug collision between Fuzzilli and someone manually auditing for bugs. My notes:
My report for the bug is now public: bugs.chromium.org/p/project-zero…. This PoC directly turns the bug into type confusions; the exploit technique is then basically phrack.org/papers/jit_exp…