Chrome (Renderer) Exploitation on Android
Skill level: Intermediate
Duration: 4 days
Instructors: Filippo Morano and Vitaly Nikolenko

Course description:

Chrome, as one of the most commonly used browsers, presents an attractive target for security researchers. Playing a major role in the Android ecosystem, Chrome browser exploitation is an essential part of traditional 1-click chains. Given the rising complexity and the number of exploitation mitigations, this training attempts to address the entry barrier into browser exploitation for novice researchers.

This training focuses on the Chrome renderer exploitation (RCEs) - the first step in gaining arbitrary code execution on the device. The focus is primarily on v8 vulnerabilities and common exploitation techniques covering both 32-bit and 64-bit Chrome versions on Android 10/11. It is largely self-contained and provides a generous amount of background information required to bootstrap your own Chrome research.

Similar to our other trainings, the course is structured as several theory modules (providing the necessary background material), followed by hands-on lab exercises demonstrating learned concepts in practice. The main target for this training is 64-bit Chrome. Where applicable, any differences with 32-bit will be briefly discussed.

Prerequisites:
  • Basic JavaScript
  • C++ knowledge
  • ARM64 assembly knowledge
  • Familiarity with GDB (GNU Debugger)
Who should attend:
  • Security researchers
Hardware and software:
  • Any host OS - Windows, Linux, MacOS (x86_64)
  • Hypervisor software supporting standard OVF/OVA files
  • Rooted Android device (preferably Pixel) with at least 6GB RAM
  • At least 60GB of free disk space
  • At least 8GB of RAM
Key learning objectives:
  • Chrome internals
  • v8 exploitation
  • Common exploitation techniques
  • Chaining techniques / payloads
  • Post exploitation
Course agenda:
Day 1
  • Chrome internals overview
  • Scripting basics
  • DOM Tree
  • DOM Events
  • JavaScript engine introduction
  • JavaScript VMs and the stdlib
Day 2
  • v8 internals
  • Memory management / v8 heap
  • Usermode callbacks in JavaScript
  • Garbage Collection
Day 3
  • JIT Compilers
  • Common exploitation primitives
  • 32-bit vs 64-bit ARM exploitation
  • Building exploitation primitives
  • Renderer R/W
Day 4
  • WebAssembly basics
  • Arbitrary code execution
  • Post exploitation techniques
  • Chaining renderer RCE with a payload (sandbox escape)

FAQ
  • Why is Pixel a preferred device? Can I use a rooted Samsung device?
  • It is trivial to disable SELinux/SEAndroid on Google reference devices (i.e., setenforce 0) when demonstrating code execution in the renderer process. To demonstrate code execution we might use a reverse shell - this requires SELinux/SEAndroid to be disabled. Samsung devices, on the other hand, do not allow SELinux/SEAndroid to be disabled even if the device is rooted: selinux_enforcing (depending on the device/kernel version) is RKP-protected (read-only). If you have a rooted Samsung device, you can opt for a simpler payload to execute from the isolated_app context that doesn't require SELinux/SEAndroid to be disabled. Other than that, any rooted Android device capable of running a 64-bit Chrome version should be suitable for this training.
  • Why does my device need at least 6GB RAM?
  • Technically, a 64-bit Chrome version requires at least 8GB RAM (official support) but you can still install 64-bit Chrome APKs manually. Less than 6GB might affect performance (i.e., heap grooming stability). For lab exercises we recommend using a device with at least 6GB RAM but in practice, 4GB should be sufficient.
Public Schedule
Training Announcements

There are generally two public training sessions per year (first half of the year) in Europe or Asia. You can sign up below to receive public training schedule notifications.

For a private training contact us directly.