{
  "guid": "4fff6281-e452-4d64-bf9a-bc677614776a",
  "title": "Attacking Chrome IPC",
  "subtitle": "Reliably finding bugs to escape the Chrome sandbox",
  "slug": "35c3-9579-attacking_chrome_ipc",
  "link": "https://fahrplan.events.ccc.de/congress/2018/Fahrplan/events/9579.html",
  "description": "In this talk, I discuss how to reliably find bugs in the Chrome IPC system with the goal of escaping the sandbox. I show how to enumerate the attack surface, how to identify the weak areas, and how to fuzz those areas efficiently to consistently produce bugs.\n\nSince the win32k lockdown on the Chrome renderer process, full chain Chrome exploits on Windows have become very rare, with the most recent successful competition exploit occurring in 2015.\n\nBy applying new fuzzing strategies, I was able to identify many vulnerabilities in the sandbox in the past year, one of which I used to demonstrate a full chain exploit at Hack2Win this year when combined with a teammate's RCE bug.\n\nIn this talk I hope to show how I found these bugs by using extremely targeted fuzzing in a way that was easy to set up but reliably had great results, and briefly cover how we leveraged one use after free bug to fully escape the sandbox.\n\n\u003ca href=\"https://twitter.com/NedWilliamson/status/1043150732742946816\"\u003ehttps://twitter.com/NedWilliamson/status/1043150732742946816\u003c/a\u003e",
  "original_language": "eng",
  "persons": ["nedwill"],
  "tags": ["35c3", "9579", "Security"],
  "view_count": 4934,
  "promoted": false,
  "date": "2018-12-29T00:00:00.000+01:00",
  "release_date": "2018-12-29T01:00:00.000+01:00",
  "updated_at": "2026-04-19T17:15:04.774+02:00",
  "length": 3252,
  "duration": 3252,
  "thumb_url": "https://static.media.ccc.de/media/congress/2018/9579-hd.jpg",
  "poster_url": "https://static.media.ccc.de/media/congress/2018/9579-hd_preview.jpg",
  "timeline_url": "https://static.media.ccc.de/media/congress/2018/9579-hd.timeline.jpg",
  "thumbnails_url": "https://static.media.ccc.de/media/congress/2018/9579-hd.thumbnails.vtt",
  "frontend_link": "https://media.ccc.de/v/35c3-9579-attacking_chrome_ipc",
  "url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a",
  "conference_title": "35C3: Refreshing Memories",
  "conference_url": "https://api.media.ccc.de/public/conferences/35c3",
  "related": [
    {"event_id": 6379, "event_guid": "9dde571b-4d49-4b44-8329-42e354bcc24b", "weight": 1},
    {"event_id": 6389, "event_guid": "c8b34953-b60f-4ed0-8784-dc20153e0725", "weight": 1},
    {"event_id": 6406, "event_guid": "686c1387-e761-4df6-b395-f9ddf92d46e7", "weight": 2},
    {"event_id": 6408, "event_guid": "ffdc92f3-1a39-4931-9409-f8bfabe9f628", "weight": 1},
    {"event_id": 6409, "event_guid": "a42e5a4f-fd9b-4571-bf17-483978afecb3", "weight": 1},
    {"event_id": 6419, "event_guid": "96d10915-cc4b-42ca-ad75-15205db70d0b", "weight": 40},
    {"event_id": 6422, "event_guid": "e8385c89-d33a-42d8-afb6-8ae28fe5c89d", "weight": 16},
    {"event_id": 6432, "event_guid": "de977841-8510-4172-9622-dd0563c2cb82", "weight": 1},
    {"event_id": 6435, "event_guid": "9777cea0-ac06-4274-85db-908c1e87e2f4", "weight": 121},
    {"event_id": 6473, "event_guid": "eb71c620-6102-4b08-8ac4-5f71b772a831", "weight": 1},
    {"event_id": 6474, "event_guid": "f58a2b6d-bde0-483b-a8db-043ea9371cb6", "weight": 1},
    {"event_id": 6476, "event_guid": "feb18113-3325-4053-93a0-76d4980b137c", "weight": 2},
    {"event_id": 6477, "event_guid": "c85de43e-107e-4247-b550-946f376e2ec4", "weight": 58},
    {"event_id": 6481, "event_guid": "948fee49-de6f-42b1-82f8-045af2aa155e", "weight": 71},
    {"event_id": 6482, "event_guid": "86b96f3f-a6b5-49c0-a189-69912c016916", "weight": 1},
    {"event_id": 6486, "event_guid": "7ebee226-66bc-558f-b76f-435a8ce91543", "weight": 1},
    {"event_id": 6491, "event_guid": "9f8b19eb-31cb-4250-80d4-5caf4e0b33dd", "weight": 76},
    {"event_id": 6492, "event_guid": "bc545b26-8319-43fb-abc2-f624ef414ee8", "weight": 65},
    {"event_id": 6493, "event_guid": "2375222b-7dae-4bca-a5b0-aea227ab0d76", "weight": 57},
    {"event_id": 6498, "event_guid": "4e6ab724-8663-456a-ac01-1cfdfc94c27f", "weight": 119},
    {"event_id": 6500, "event_guid": "064a7014-a88c-462a-b06f-7d6de62d622f", "weight": 1},
    {"event_id": 6508, "event_guid": "22d77083-ceb3-50bd-b275-678ce3b22760", "weight": 1},
    {"event_id": 6512, "event_guid": "25c54ce3-598c-42ee-8832-52fe9deae7ad", "weight": 13},
    {"event_id": 6513, "event_guid": "0967f643-013b-57cc-870b-f2d4dfebc442", "weight": 1},
    {"event_id": 6514, "event_guid": "7228f88d-8d6f-40a9-a5dd-b5c91b823ada", "weight": 75},
    {"event_id": 6519, "event_guid": "5a8097ad-15c2-492e-8bc4-6b634fd8e963", "weight": 74},
    {"event_id": 6520, "event_guid": "64d3f3f5-5665-4050-ba15-0db530ecc262", "weight": 103},
    {"event_id": 6522, "event_guid": "8703c4a7-981c-4aa5-8f4c-36da54d5b435", "weight": 1},
    {"event_id": 6523, "event_guid": "240fe8a1-ee33-4f07-88d0-34b8bb04db71", "weight": 57},
    {"event_id": 6530, "event_guid": "83bf042d-7382-4975-a3f8-92229944b8fc", "weight": 18},
    {"event_id": 6532, "event_guid": "94447a62-a3ba-4f6d-a3b7-b5318a954651", "weight": 57},
    {"event_id": 6536, "event_guid": "0a4a43e0-2b8d-424c-aaa3-101c843de75c", "weight": 50},
    {"event_id": 6551, "event_guid": "3a571c21-31ed-453b-886d-7dea7b5751cd", "weight": 51},
    {"event_id": 6577, "event_guid": "49fe1044-4038-4cec-8e80-71621c9e7d6e", "weight": 51},
    {"event_id": 6603, "event_guid": "ea00d1e0-a580-415f-a8cf-f02883d939dc", "weight": 119}
  ],
  "recordings": [
    {"size": null, "length": null, "mime_type": "application/x-subrip", "language": "eng", "filename": "35c3-9579-eng-deu-Attacking_Chrome_IPC.en.srt", "state": "complete", "folder": "", "high_quality": true, "width": null, "height": null, "updated_at": "2022-01-16T14:08:33.024+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/35c3-9579-eng-deu-Attacking_Chrome_IPC.en.srt", "url": "https://api.media.ccc.de/public/recordings/45389", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 369, "length": 3252, "mime_type": "video/mp4", "language": "eng", "filename": "35c3-9579-eng-Attacking_Chrome_IPC.mp4", "state": "new", "folder": "h264-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2018-12-29T23:36:58.688+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/h264-hd/35c3-9579-eng-Attacking_Chrome_IPC.mp4", "url": "https://api.media.ccc.de/public/recordings/31990", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 367, "length": 3252, "mime_type": "video/mp4", "language": "deu", "filename": "35c3-9579-deu-Attacking_Chrome_IPC.mp4", "state": "new", "folder": "h264-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2018-12-29T23:37:12.785+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/h264-hd/35c3-9579-deu-Attacking_Chrome_IPC.mp4", "url": "https://api.media.ccc.de/public/recordings/31991", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 469, "length": 3252, "mime_type": "video/mp4", "language": "eng-deu", "filename": "35c3-9579-eng-deu-Attacking_Chrome_IPC_hd.mp4", "state": "new", "folder": "h264-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2018-12-29T23:37:27.734+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/h264-hd/35c3-9579-eng-deu-Attacking_Chrome_IPC_hd.mp4", "url": "https://api.media.ccc.de/public/recordings/31992", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 175, "length": 3252, "mime_type": "video/mp4", "language": "eng-deu", "filename": "35c3-9579-eng-deu-Attacking_Chrome_IPC_sd.mp4", "state": "new", "folder": "h264-sd", "high_quality": false, "width": 720, "height": 576, "updated_at": "2018-12-30T00:42:07.242+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/h264-sd/35c3-9579-eng-deu-Attacking_Chrome_IPC_sd.mp4", "url": "https://api.media.ccc.de/public/recordings/32036", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 155, "length": 3252, "mime_type": "video/mp4", "language": "eng-deu", "filename": "35c3-9579-eng-deu-Attacking_Chrome_IPC_hd-slides.mp4", "state": "new", "folder": "slides-h264-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2018-12-30T00:42:41.307+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/slides-h264-hd/35c3-9579-eng-deu-Attacking_Chrome_IPC_hd-slides.mp4", "url": "https://api.media.ccc.de/public/recordings/32038", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 622, "length": 3252, "mime_type": "video/webm", "language": "eng-deu", "filename": "35c3-9579-eng-deu-Attacking_Chrome_IPC_webm-hd.webm", "state": "new", "folder": "webm-hd", "high_quality": true, "width": 1920, "height": 1080, "updated_at": "2018-12-30T03:54:40.243+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/webm-hd/35c3-9579-eng-deu-Attacking_Chrome_IPC_webm-hd.webm", "url": "https://api.media.ccc.de/public/recordings/32167", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 49, "length": 3252, "mime_type": "audio/mpeg", "language": "eng", "filename": "35c3-9579-eng-Attacking_Chrome_IPC_mp3.mp3", "state": "new", "folder": "mp3", "high_quality": false, "width": 0, "height": 0, "updated_at": "2018-12-30T03:55:02.096+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/mp3/35c3-9579-eng-Attacking_Chrome_IPC_mp3.mp3", "url": "https://api.media.ccc.de/public/recordings/32168", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 268, "length": 3252, "mime_type": "video/webm", "language": "eng-deu", "filename": "35c3-9579-eng-deu-Attacking_Chrome_IPC_webm-sd.webm", "state": "new", "folder": "webm-sd", "high_quality": false, "width": 720, "height": 576, "updated_at": "2018-12-30T03:55:43.368+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/webm-sd/35c3-9579-eng-deu-Attacking_Chrome_IPC_webm-sd.webm", "url": "https://api.media.ccc.de/public/recordings/32169", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"},
    {"size": 37, "length": 3252, "mime_type": "audio/opus", "language": "eng", "filename": "35c3-9579-eng-Attacking_Chrome_IPC_opus.opus", "state": "new", "folder": "opus", "high_quality": false, "width": 0, "height": 0, "updated_at": "2018-12-30T03:56:37.428+01:00", "recording_url": "https://cdn.media.ccc.de/congress/2018/opus/35c3-9579-eng-Attacking_Chrome_IPC_opus.opus", "url": "https://api.media.ccc.de/public/recordings/32171", "event_url": "https://api.media.ccc.de/public/events/4fff6281-e452-4d64-bf9a-bc677614776a", "conference_url": "https://api.media.ccc.de/public/conferences/35c3"}
  ]
}