Logic Bug Hunting in Chrome on Android

Author(s): Georgi Geshev
Rober Miller
Category: Vulnerability Development
Duration: 45
Summary: Memory corruption exploits are requiring greater and greater investment in time and effort to bypass the latest mitigations in applications like Chrome and the underlying operating system. When combined with the competition of everyone in the world running a fuzzer, it becomes hard to find and keep unique bugs.

Instead we want to talk about logic flaws - bugs or simply "features" - that enable the attacker to achieve the same goals without fighting the latest and greatest exploit mitigations. We will show the methodology we use for reviewing products and identifying flaws as well as the process of exploiting them. This involves, among other things, developing better understanding and gaining deeper knowledge of a target and identifying security boundaries that usually give rise to assumptions about security checks performed on both sides.

In our example we will show how a logic bug in Chrome for Android allows an attacker to completely bypass Android Nougat security to access the user's files, emails and even install applications without the need for a single memory corruption bug.

Likes: 1



Android exploits aren't going out of style any time soon.


New methodologies for looking at an oft-ignored bug class; nice change of pace from the fuzzing boredom