Samuel Groß (@5aelo)'s Twitter Profile
Samuel Groß

@5aelo

V8 Security technical lead. Previously Project Zero. Personal account. Also @[email protected]

ID:1452156612

Link: http://www.phrack.org/author_saelo.html
Joined: 23-05-2013 18:20:02

709 Tweets

23,3K Followers

495 Following

Samuel Groß (@5aelo):

Sharing another V8 Sandbox design document more widely: docs.google.com/document/d/1CP…
This one discusses how to protect code pointers - probably the most performance sensitive part touched by the sandbox - with (almost) no performance overhead.

Maddie Stone (@maddiestone):

😍 New RCA! The v8 security team is at it again with a new RCA for CVE-2022-4262, the #itw0days patched in December 2022. I really like how they modified the fuzzing flag to better find this class of bugs! Thank you @5aelo! 🔥

googleprojectzero.github.io/0days-in-the-w…

Maddie Stone (@maddiestone):

💫New RCA from Samuel Groß on CVE-2022-3723, a logic issue in Chrome's Turbofan JIT compiler.

googleprojectzero.github.io/0days-in-the-w…

raptor@infosec.exchange (@0xdea):

These #Phrack articles by @5aelo are the best primers on attacking #JavaScript engines

A case study of JavaScriptCore and CVE-2016-4622
phrack.org/issues/70/3.ht…

Exploiting Logic Bugs in JavaScript JIT Engines
phrack.org/issues/70/9.ht…

Thorsten Holz (@thorstenholz):

Fuzzilli (github.com/googleprojectz…), the great coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language built by Samuel Groß, is finally documented in a paper. You can find the paper at ndss-symposium.org/ndss-paper/fuz…

Samuel Groß (@5aelo):

With github.com/googleprojectz… Fuzzilli now finally has a (supported) JavaScript-to-FuzzIL compiler, making it possible to import and mutate existing JavaScript code. It's not feature complete (contributions welcome!) but should support the most important things. Happy Fuzzing!

Samuel Groß (@5aelo):

We just released Fuzzilli v0.9.3: github.com/googleprojectz…

... and more cool stuff is coming soon :)

Happy Fuzzing!

Samuel Groß (@5aelo):

Here are some slides about the V8 Sandboxing project that I prepared for an internal talk but figured I could also share more widely: docs.google.com/presentation/d…

Samuel Groß (@5aelo):

Some fun bugs found by Fuzzilli's new ProbingMutator (github.com/googleprojectz…):
- bugs.chromium.org/p/chromium/iss…
- bugzilla.mozilla.org/show_bug.cgi?i…
While these particular bugs don't have security impact, it's nice to see that Fuzzilli can now find these 2016-era JS engine bugs fairly easily.

Brandon Azad (@_bazad):

I’m really excited for us to shed light on some really cool work we’ve been doing to harden the XNU allocator! This has been a huge effort by so many people, and I’m very proud of the direction: security.apple.com/blog/towards-t…

Samuel Groß (@5aelo):

A new 'ExplorationMutator' for Fuzzilli: github.com/googleprojectz…

This mutator allows better selection of 'useful' actions to perform on existing values and objects in the mutated program.

Happy fuzzing!

Samuel Groß (@5aelo):

New V8 Sandbox design document on how to sandboxify pointers to objects outside the sandbox such as DOM nodes ('external pointers'): docs.google.com/document/d/1V3…

Ian Beer (@i41nbeer):

Excited to publish my writeup of a novel iOS in-the-wild exploit: The curious case of the fake Carrier .app: googleprojectzero.blogspot.com/2022/06/curiou…
