I was given the honor of presenting a short talk at NUS Security Wednesday. The main goal was a small case study of CVE-2021-30599, a bug in Google Chrome's V8 JavaScript engine reported by @manfp. The report was very well written, so unlike my previous analyses I aimed to “reverse engineer” the author's thought process during exploit development. The reason is that the bug as found was seemingly harmless, but @manfp managed to transform it into a type-confusion bug leading to out-of-bounds access, and then chained that with a typer-hardening bypass in V8 to eventually achieve RCE in the renderer process. To find out how that happened, I studied his approach with the help of Turbolizer (a visualization tool that shows the optimization passes and node dependencies inside the TurboFan JIT compiler).

You can download the pptx slides from GitHub.


Written by

cExplr

I previously worked as a Security Researcher at STARLabs Singapore and am currently looking to do Malware Analysis / Threat Hunting as well!