Independent CyberSecurity Research Service Institution. Originating Founder of AVSS (Adversarial Vulnerability Scoring System).

Strengthening the Shield: MTE in Heap Allocators

Introduction In 2018, with the release of ARMv8.5-A, a brand new chip security feature MTE (Memory Tagging Extensions) emerged. Five years later, in 2023, the first smartphone to support this feature was released — Google Pixel 8 — marking the official entry of MTE into the consumer market. Although this feature is not yet enabled by default, developers can turn it on themselves for testing. As a powerful defense against memory corruption, there has not yet been a comprehensive analysis of MTE’s defensive boundaries, capabilities, and its impact on performance on the internet....

January 3, 2024 · 2341 words · DARKNAVY

Exploiting the libwebp Vulnerability, Part 2: Diving into Chrome Blink

Introduction When we examine a third-party library vulnerability in a real environment, we often encounter numerous complex variables that exist within the vulnerability’s context. Exploiting such a vulnerability is not as easy as one might imagine. Here is the information we know: The overflowed variable huffman_tables, has a size of 0x2f28. The heap chunk is allocated in the renderer’s ThreadPool, while most objects are allocated in the main thread. We can write a partially controlled 4-byte integer with an offset that is a multiple of 8 bytes....

November 3, 2023 · 1768 words · DARKNAVY

Exploiting the libwebp Vulnerability, Part 1: Playing with Huffman Code

Vulnerability Localization In the initial phase of vulnerability analysis, due to the absence of readily available PoCs or detailed analysis reports, we first attempted to read and understand the patch code for CVE-2023-4863 in the upstream repository of webmproject/libwebp. However, the WebM Project’s official patch was relatively complex, making it difficult for us to accurately pinpoint the root cause of the vulnerability. Thus, we turned our attention to Apple’s official patch for CVE-2023-41064, and performed a comparison of the ImageIO framework before and after the update using BinDiff....

November 3, 2023 · 2345 words · DARKNAVY