
360 Appears at Black Hat Asia 2023 and Publicly Releases Major Vulnerability Research Results


Recently, Black Hat Asia 2023 opened as scheduled in Singapore. Recognized as the top event in the global information security industry, Black Hat presents the latest security research results, innovative technologies and other cutting-edge information every year, and is the best window onto global security trends.


Since 2014, 360 has taken the stage at the global Black Hat conferences for ten consecutive years. At this year's Black Hat Asia, 360 Digital Security Group was invited again. Security experts from its 360 Vulnerability Research Institute announced that they had developed a grammar-mutation fuzzer based on syntax trees and context analysis in order to find high-risk vulnerabilities in Chrome's WebSQL.


  


They said: "As Chrome has gradually added mitigations to the traditional RCE attack surfaces (V8 and Blink), greatly increasing the difficulty of attacks, attacking Chrome by going through the WebSQL API to the underlying SQLite engine has regained our attention. Since 2020, our fuzzer has discovered the vast majority of Chrome WebSQL vulnerabilities, including multiple use-after-free, stack overflow, and out-of-bounds read and write vulnerabilities."


In the talk, they gave a detailed introduction to the fuzzer's working principle and advantages: it ensures syntactic validity by constructing a complete syntax tree, guides its mutation strategies through context analysis to achieve better semantic validity, and implements a better seed-selection mechanism and a coverage-guided tree-node mutation method.
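The validity idea described above, as an added example (not 360's fuzzer and not code from the talk): test cases are kept as statement trees so the syntax is valid by construction, and a context pass over earlier CREATE TABLE nodes decides which table and column names a mutation may use. The tiny SQL subset, the seed and the names `render`, `mutate` and `valid_ratio` are assumptions made for illustration; coverage feedback and seed selection are left out.

```python
import random
import sqlite3

SEED = [  # constructed seed test case: each dict is the syntax tree of one statement
    {"op": "create", "table": "t1", "cols": ["a", "b"]},
    {"op": "create", "table": "t2", "cols": ["x"]},
    {"op": "insert", "table": "t1", "vals": [1, 2]},
    {"op": "select", "table": "t1", "cols": ["a"], "where": ["b", ">", 0]},
]
NAMES = ["t1", "t2", "t3", "a", "b", "x", "y"]  # identifier pool for blind mutation

def render(node):
    """Serialise one statement tree to SQL; the syntax is valid by construction."""
    if node["op"] == "create":
        return f"CREATE TABLE {node['table']}({', '.join(node['cols'])})"
    if node["op"] == "insert":
        return f"INSERT INTO {node['table']} VALUES({', '.join(map(str, node['vals']))})"
    col, cmp_op, val = node["where"]
    return f"SELECT {', '.join(node['cols'])} FROM {node['table']} WHERE {col} {cmp_op} {val}"

def mutate(case, rng, use_context):
    """Replace the identifier and literal nodes of every non-CREATE statement."""
    schema, out = {}, []
    for node in case:
        node = {k: list(v) if isinstance(v, list) else v for k, v in node.items()}
        if node["op"] == "create":
            schema[node["table"]] = node["cols"]  # context analysis: what is defined so far
        else:
            node["table"] = rng.choice(sorted(schema) if use_context else NAMES)
            cols = schema[node["table"]] if use_context else NAMES
            if node["op"] == "insert":  # with context: one value per declared column
                node["vals"] = [rng.randint(-9, 9) for _ in (cols if use_context else node["vals"])]
            else:
                node["cols"] = [rng.choice(cols)]
                node["where"] = [rng.choice(cols), rng.choice("<>="), rng.randint(-9, 9)]
        out.append(node)
    return out

def valid_ratio(use_context, rounds=200, seed=1):
    """Fraction of mutants whose statements all execute on a fresh in-memory SQLite."""
    rng, ok = random.Random(seed), 0
    for _ in range(rounds):
        db = sqlite3.connect(":memory:")
        try:
            db.executescript(";".join(map(render, mutate(SEED, rng, use_context))))
            ok += 1
        except sqlite3.Error:
            pass  # semantically invalid mutant (unknown table/column, wrong arity)
        db.close()
    return ok / rounds
```

Comparing `valid_ratio(True)` with `valid_ratio(False)` shows why the context pass matters: blind identifier mutation is mostly rejected by SQLite's name resolution, so those test cases never reach the deeper engine code a fuzzer is meant to exercise.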


Although Chrome has tightened its WebSQL whitelist and the number of WebSQL vulnerabilities in Chrome dropped significantly after 2020, the fuzzer keeps discovering new high-risk WebSQL vulnerabilities. These vulnerabilities may lead to arbitrary address reads, stack overflows and out-of-bounds writes. They allow complete control of the memory layout, hijacking of some registers, and arbitrary address reads that cause information leaks, and can even achieve remote code execution (RCE).


They also emphasized that SQLite is an easily overlooked weak point in Chrome, and that introducing third-party libraries always comes with some security risk. The fuzzer improves the syntactic and semantic validity of SQL fuzzing so that more SQLite vulnerabilities can be discovered. They said the fuzzing method is applicable to all grammar-based targets: by constructing the context analysis required for a different target, the same fuzzer can be applied to more platforms or targets.


With this highly valuable security research submitted to this year's Black Hat Asia, the 360 Vulnerability Research Institute once again showcased the vigor of China's security community to the world. Before this, the 360 Vulnerability Research Institute had repeatedly impressed the world with its security capabilities: it has not only become a "regular" at the top of the leaderboards of Microsoft MSRC, the Tianfu Cup and other international awards, but has also won China's first Pwnie Awards, the Epic Achievement award and the Best Privilege Escalation Bug award, and has received public thanks in the annual report of Google's official Vulnerability Reward Program (VRP) for many consecutive years.



As a leader in digital security, 360 Digital Security Group will continue to actively advance policy, standards, testing, remediation, emergency response and other areas, deepen its work on innovative technologies, detect vulnerability risks and identify security threats, and make further contributions to the high-quality development of digital security.


