Black Hat | The Hat Trick: Exploit Chrome Twice from Runtime to JIT @BlackHatOfficialYT | Uploaded 9 months ago | Updated 1 hour ago
With updates to the JS standard and requirements for higher runtime efficiency, Google's JS engine V8 has implemented newer features such as built-in functions like Promise.any and the Maglev mid-tier compiler.
Maglev is a compilation optimization layer in V8 that is situated between Sparkplug and Turbofan in order to accelerate the optimization and compilation of JS code. However, due to the involvement of compilation and optimization-related mechanisms in the Maglev compilation layer, deep and complex code logic can hide undetected security vulnerabilities....
By: Nan Wang , Zhenghang Xiao
Full Abstract and Presentation Materials: blackhat.com/us-23/briefings/schedule/#the-hat-trick-exploit-chrome-twice-from-runtime-to-jit-31557
With updates to the JS standard and requirements for higher runtime efficiency, Google's JS engine V8 has implemented newer features such as built-in functions like Promise.any and the Maglev mid-tier compiler.
Maglev is a compilation optimization layer in V8 that is situated between Sparkplug and Turbofan in order to accelerate the optimization and compilation of JS code. However, due to the involvement of compilation and optimization-related mechanisms in the Maglev compilation layer, deep and complex code logic can hide undetected security vulnerabilities....
By: Nan Wang , Zhenghang Xiao
Full Abstract and Presentation Materials: blackhat.com/us-23/briefings/schedule/#the-hat-trick-exploit-chrome-twice-from-runtime-to-jit-31557
