使用Hermes的Quicksort来运行Doom:一个关于JavaScript利用的故事
At Meta, our Bug Bounty program is an important element of our “defense-in-depth” approach to security. Our internal product security teams investigate every bug submission to assess its maximum potential impact so that we can always reward external researchers based on both the bug they found and our further internal research assessment of where else the bug could lead us.
在Meta,我们的Bug Bounty计划是我们 "深入防御"安全方法的一个重要元素。我们的内部产品安全团队调查每一个提交的漏洞,以评估其最大的潜在影响,这样我们就可以根据外部研究人员发现的漏洞和我们对该漏洞可能导致的其他方面的进一步内部研究评估,随时奖励他们。
We want to share more about how this process works. To do this, we’re sharing details of an investigation into a bug report we received in August 2020 concerning Hermes, an open source JavaScript (JS) engine developed by Meta. This initial report showed a peculiar bug in Hermes’s Quicksort implementation, resulting in blind out-of-bounds (OOB) memory reads.
我们想分享更多关于这个过程是如何运作的。为此,我们将分享对2020年8月收到的一份错误报告的调查细节,该报告涉及Meta公司开发的开源JavaScript(JS)引擎Hermes。这份最初的报告显示,Hermes的Quicksort实现中存在一个奇特的错误,导致盲目的越界(OOB)内存读取。
Reports like this help us continue to improve our detection mechanisms in Hermes and across our platform. Similar findings are usually awarded between $500 and $3,000. However, further investigation demonstrated how this vulnerability could have been turned into arbitrary code execution. This resulted in a $12,000 total bounty payout.
像这样的报告有助于我们继续改进我们在Hermes和整个平台的检测机制。类似的发现通常被授予500美元至3000美元。然而,进一步的调查表明,该漏洞可能被转化为任意代码执行。这导致了12,000美元的总赏金支付。
To make things more fun, and to demonstrate the impact of what we found, we programmed our exploit to run the classic video game Doom (1993) directly from within Hermes.
为了使事情变得更有趣,并证明我们所发现的影响,我们对我们的漏洞进行了编程,以直接从Hermes中运行经典视频游戏Doom(1993)。
Hermes, a lightweight JavaScript engine
Hermes,一个轻量级的JavaScript引擎
Hermes is an open source JS engine optimized for React Native. It features ahead-of-time compilation to reduce startup time and memory usage, making it particularly suitable for mobile applications. At Meta, for example, Hermes is used to run the JS code for effects in Spark AR, our aug...