Slides

Logic Bug Hunting in Chrome on Android

Memory corruption exploits are requiring greater and greater investment in time and effort to bypass the latest mitigations in applications like Chrome and the underlying operating system. When combined with the competition of everyone in the world running a fuzzer, it becomes hard to find and keep unique bugs.

Instead we talked about logic flaws - bugs or simply "features" - that enable the attacker to achieve the same goals without fighting the latest and greatest exploit mitigations. We discussed the methodology we use for reviewing products and identifying flaws as well as the process of exploiting them. This involves, among other things, developing better understanding and gaining deeper knowledge of a target and identifying security boundaries that usually give rise to assumptions about security checks performed on both sides.

In our example we showed how a logic bug in Chrome for Android allows an attacker to completely bypass Android Nougat security to access the user's files, emails and even install applications without the need for a single memory corruption bug.