Leecraso | Security Researcher, 360 Alpha Lab
Rong Jian | Security Researcher, 360 Alpha Lab
Guang Gong | Team Leader, 360 Alpha Lab
Date: Wednesday, August 4 | 3:20pm-4:00pm (Virtual)
Format: 40-Minute Briefings
Tracks: AppSec, Exploit Development
Bugs are rarely unique. As a system grows in size, its software typically involves multiple teams responsible for the development of numerous features. Given the complexity of the codebase, there is a high probability that bugs sharing similar code patterns exist in many places throughout it.
In this presentation, we take Chrome as an example to present how to discover new vulnerabilities based on historical vulnerabilities. We will introduce several types of code patterns that are prone to being vulnerable in Chrome, from the shallower to the deeper. For each pattern, we will describe it in detail by summarizing some classic bugs, and present not only the basic workflow for finding similar bugs but also the approach to adjusting and refining the pattern to discover new bugs distinct from the originals. Using these patterns, we found 24 vulnerabilities and obtained 11 CVEs in Chrome. Finally, we will detail how to exploit one of them, which we used to escape the Chrome sandbox in the Tianfu Cup 2020 Cybersecurity Contest; this is the first time since 2015 that the Chrome category has been won with a sandbox escape in a public contest.
This is the content presented at Black Hat 2021 by researchers from 360 Alpha Lab in China.
To summarize: in huge software such as Chrome, many developers each own their own area, and as the codebase grows more complex, similar code patterns end up scattered across it. When a vulnerability is found in one instance of such a pattern, the other instances of the same pattern are likely to be vulnerable too, and the speakers locate those instances with CodeQL.
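To make the workflow concrete, here is an added CodeQL query of my own; it is not one of the speakers' queries and does not reproduce any specific Chrome bug from the talk. It encodes one generic pattern behind many Chrome lifetime bugs: a constructor that stashes a raw pointer parameter in a member field without taking ownership, so the object can later dereference a pointee that has already been freed. The query name, the `RawPointerField` class and the two refinements (skipping C-string fields, and treating `raw_ptr<T>`/`scoped_refptr<T>` as out of scope because they are templates rather than plain pointer types) are my assumptions about where noise comes from, which is exactly the kind of tuning the abstract describes.

```ql
/**
 * @name Raw pointer parameter stored in a member field (variant-analysis seed)
 * @description Constructors that store a raw pointer parameter in a field
 *              without taking ownership; each hit is a candidate lifetime bug.
 * @kind problem
 * @problem.severity warning
 * @id example/raw-pointer-stored-in-field
 */
import cpp

/**
 * A field whose type is a plain C++ pointer. Smart wrappers such as
 * raw_ptr<T>, scoped_refptr<T> or std::unique_ptr<T> are class types,
 * not PointerType, so they are naturally excluded.
 */
class RawPointerField extends Field {
  RawPointerField() {
    this.getUnspecifiedType() instanceof PointerType and
    // Refinement (assumption): char* fields are almost always static strings,
    // not owned objects, and drown the results in noise.
    not this.getUnspecifiedType() instanceof CharPointerType
  }
}

/**
 * Holds if constructor `ctor` stores its parameter `p` into field `f`,
 * either through the member initializer list or an assignment in the body.
 * `site` is the expression to report.
 */
predicate storesParamInField(Constructor ctor, Parameter p, RawPointerField f, Expr site) {
  p = ctor.getAParameter() and
  (
    // Member initializer list:  Foo(Bar* bar) : bar_(bar) {}
    exists(ConstructorFieldInit init |
      init = ctor.getAnInitializer() and
      init.getTarget() = f and
      init.getExpr().(VariableAccess).getTarget() = p and
      site = init
    )
    or
    // Assignment in the body:   Foo(Bar* bar) { bar_ = bar; }
    exists(AssignExpr a |
      a.getEnclosingFunction() = ctor and
      a.getLValue().(FieldAccess).getTarget() = f and
      a.getRValue().(VariableAccess).getTarget() = p and
      site = a
    )
  )
}

from Constructor ctor, Parameter p, RawPointerField f, Expr site
where storesParamInField(ctor, p, f, site)
select site,
  "Constructor of " + ctor.getDeclaringType().getName() + " stores raw pointer parameter '" +
    p.getName() + "' in field '" + f.getName() + "'; verify the pointee outlives this object."
```

Run it against a Chromium CodeQL database with `codeql database analyze <db> raw-pointer-field.ql --format=sarif-latest --output=results.sarif`. The result set is deliberately broad: the point of the method is to start from the shape of a known bug, inspect the hits, then tighten the predicate (for example, restricting `f`'s pointee type to classes that are actually deleted somewhere, or excluding fields whose pointee is a process-lifetime singleton) until what remains is small enough to audit by hand.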
Seeing that CodeQL can also detect code that branches into several paths, it can be said to give better results than manual auditing, and I think that, used well, it could be very useful when working on projects that hunt for vulnerabilities in most open-source software.