The Browser Security Nightly line of masterclasses consists of individual 4-hour livestreamed or recorded online events that dive deep into various aspects of browser and JavaScript engine security and system internals.
All masterclasses are taught by an independent vulnerability researcher with 10+ years of experience, who participates in major software vendors' bug bounty programs and competes in international-level contests. Our masterclass format involves up to 50% hands-on work (labs and exercises) and an ultra-narrow specialization that allows for a focused deep dive. Beyond that, expect the same as from our trainings: 100% original content sourced from our own in-lab research work, state-of-the-art knowledge, a mix of "big picture" abstract models and relevant theory with ultra-deep dives into specific, up-to-date case studies, and plenty of practical tips and personal insights. The instructor will be available for communication during the class and will answer attendees' questions in real time.
Date: June 24th, 2023, 09:00-13:00 UTC
Duration: 6 hours
Location: online
Instructor: Alisa Esage
Level: universal
Availability: on-demand
A gentle introduction to the inner workings and general security trends of JavaScript engines, for the purposes of professional vulnerability research and arbitrary curiosity. The implementation case study and practicals will be on Google v8. Class time will be split into two parts: general and v8. The general part will focus on fundamental abstract models and trends that are shared by all JavaScript engines. Such models let us study specific implementations with a prepared mind and make predictions about unfamiliar code. The second part will take Google's v8 JavaScript engine as a case study and focus on its fundamental implementation aspects (think objects, shapes, and bytecodes), while excluding higher-level machinery such as specific compilers or optimizations, whose code is more transient. Note: this class is focused on system internals and research setup, with just a small starter kit on vulnerability research.
Topics - general:
* ECMAScript specification (what we need to know)
* Anatomy of a JavaScript engine
* Attack surface models
* Common classes of bugs
* Common vulnerability trends
* Exploitation patterns
Topics - v8:
* Building on Linux (a dockerscript will be given)
* Interesting build tweaks
* d8 command line parameters
* Intrinsics for live introspection
* Debugging with gdb
* Codebase overview & patterns
* v8 pipeline (as of 2023Q2)
* How fundamental JavaScript concepts are implemented in v8
* Inspecting low-level JavaScript entities at runtime
You will learn:
* How every JavaScript engine works internally
* What to expect from the codebase of an unfamiliar engine
* Where and how to look/fuzz for bugs
* How to build/debug/attack v8
Who should attend:
* Professional vulnerability researchers transitioning to JavaScript from other specializations
* Security researchers working with or interested in JavaScript engines
* JavaScript engine core developers and testers
* Electron and Node.js developers who are curious about how JavaScript engines work internally
Pre-requisites:
* JavaScript
* C++
* Linux command line
Recommended setup:
* Laptop for tests & exercises
* Linux virtual machine (Ubuntu 18.04 LTS is used in most open source dev setups)
* Large second monitor for watching the stream
Audience note: this class is designed with a structured depth that makes it suitable for audiences of all levels, from beginners/web developers (provided they have a certain readiness for low-level introspection labs, or are able to skip them) to professional security and vulnerability researchers who wish to enter the JavaScript specialization.
Date: August 26th, 2023, 13:00 UTC
Duration: 4 hours
Location: online
Instructor: Alisa Esage
Level: intermediate
Availability: registration closed
JavaScript engines come with their own special (if not unique) classes of security vulnerabilities. For example, CVE history easily confirms that buffer overflows are more or less nonexistent in modern engines (such as those baked into web browsers: v8, SpiderMonkey, JSC...), while type confusion bugs are extremely common. Why is that? Knowledge of JavaScript engine architecture and implementation, as well as of the demands of the ECMAScript specification (covered comprehensively in the JavaScript Engines Internals masterclass), lets us understand such bug trends precisely and project them onto specific targets, to predict which bug classes should be targeted or expected in a vulnerability research project. In this class, however, we take architectural awareness and system internals as a prerequisite starting point and explore exclusively the world of vulnerabilities that are specific to JavaScript engines, establishing the basis of the related analytical skills. A large part of this masterclass will be spent looking at previously known bugs in a variety of JavaScript engines. It is by analysing known vulnerabilities that bug trends and classes can be identified, many valuable insights gained, and new ideas for vulnerability research found. Self-study of the vulnerability history of a system as complex as a JavaScript engine usually takes weeks or months: aside from the actual vulnerability analysis, which is non-trivial in itself for complex dynamic systems, you need to set up the conceptual context for almost every single bug separately by studying the nuances of the specification, target architecture, and implementation. One of the purposes of this masterclass (and of our Vulnerability Research courses in general) is to pack a substantial part of the knowledge obtained by that lengthy and tedious analytical process into a compact 4-hour session.
Our main practical target in this class is Google's v8 JavaScript engine, which will provide most of the vulnerability case studies and a dedicated deep dive. In the deep dive I want to take a closer look at one exploitable vulnerability in Google v8 from 2022. Without attempting the patch analysis (which is a very different and highly non-trivial workflow), we'll first analyse the vulnerability in the code, then attempt to understand how it manifests at runtime with testing, introspection and a bit of debugging, and set up some path markers toward exploit development. Note: we won't have time for any refreshers on basic appsec theory or JavaScript engine internals in this class; make sure that you meet the pre-requisites before booking.
Topics:
* The big picture: vulnerability classes/trends/patterns that affect JavaScript engines
* Case studies of known vulnerabilities in JavaScript engines (C++ code level)
* Vulnerability analysis for JSE - general principles and the workflow
You will learn:
* What to expect when bug hunting a JavaScript engine
* How to quickly understand a common vulnerability class/pattern from a testcase
* How to apply the knowledge about bug trends and patterns to your research project
* How to go from understanding a JSE vulnerability in code to a proof-of-concept testcase
* What to do with a vulnerability testcase to gain further insight toward exploit development
Who should attend:
* Specialized vulnerability researchers - browsers and JavaScript engines
* Professional vulnerability researchers transitioning to JavaScript from other specializations
* Security researchers working with or interested in JavaScript engines
* JavaScript engine core developers and testers
* Electron and Node.js developers who are curious about how JavaScript engines work internally
Pre-requisites:
* JavaScript
* C++
* Linux command line
* Application security concepts
* Masterclass: JavaScript Engines Internals, or equivalent knowledge by self-study
* Self-built v8-debug on Linux (Dockerfile)
Recommended setup:
* Laptop for tests & exercises
* Linux virtual machine (Ubuntu 18.04 LTS is used in most open source dev setups)
* Large second monitor for watching the stream
Audience note: this is a moderately specialized class that requires some knowledge of application security concepts as a prerequisite (such as C++ bug classes, memory corruption, etc.), as well as a solid understanding of the inner workings of JavaScript engines. Attendees should consider taking the JavaScript Engines Internals masterclass first to get the most out of this class.
The price of each masterclass, whether live-streamed or on-demand, is 500 Euro per person, plus merchant fees.
Each masterclass is typically live-streamed once; afterwards it may or may not be made available on-demand as a recording.