Why I failed to reproduce results from a presentation

Post date: Jan 06, 2015 4:50:00 PM

Recently, I read a very detailed write-up, by the person who discovered it, of a WebKit bug that allowed code execution. During the winter break, I tried to replicate the result by following the steps from the presentation. I failed miserably.

Now, this result seems odd: at first glance, learning to trigger bugs should be easy. WebKit is open source and, as the fail0verflow presentation pointed out, has a regression test for every bug, including security-sensitive ones. In addition, there are many write-ups on WebKit and Blink exploits that showcase the techniques used to trigger bugs, and proof-of-concept code is available for some of them, such as the JSArray::sort bug and the object/RenderArena destruction bug. Most importantly, I was following step-by-step instructions on how to trigger the bug.

So why is it so hard to replicate the result of that write-up? For starters, most write-ups assume some preexisting knowledge. Sure, most of them contain or reference tutorials for commonly used concepts such as heap manipulation, but the audience is expected to know, for example, how to get the address of a JavaScript object by setting a breakpoint on Math.atan (break on the native implementation of Math.atan, call Math.atan(obj) from JavaScript, and read the object pointer out of the argument when the breakpoint fires), so such basic concepts aren't covered, and I couldn't easily find tutorials for them.

Second, I didn't have a good way to visualize the layout of the heap at runtime, which impaired my understanding of the various heap manipulation techniques.

In addition, WebKit's large symbol files meant that starting a new debugging session took an exorbitant amount of time, and they also crippled autocomplete in the debugger.

Most importantly, however, WebKit development moves very fast: the presentation I was following targeted a Safari version from early 2014, while my copy of WebKit from 2013 had completely different layouts for many of the classes. Because of these differences, I could not simply follow their instructions, and, lacking experience, I was unable to adapt their approach to the older code.

I'm curious: have you tried reproducing something from someone's writeup? If so, what were some of the difficulties you encountered?