Attacking Chrome IPC

Reliably finding bugs to escape the Chrome sandbox


Playlists: '35c3' videos starting here / audio / related events

In this talk, I discuss how to reliably find bugs in the Chrome IPC system with the goal of escaping the sandbox. I show how to enumerate the attack surface, how to identify the weak areas, and how to fuzz those areas efficiently to consistently produce bugs.

Since the win32k lockdown on the Chrome renderer process, full chain Chrome exploits on Windows have become very rare, with the most recent successful competition exploit occurring in 2015.

By applying new fuzzing strategies, I was able to identify many vulnerabilities in the sandbox in the past year, one of which I used to demonstrate a full chain exploit at Hack2Win this year when combined with a teammate's RCE bug.

In this talk I hope to show how I found these bugs by using extremely targeted fuzzing in a way that was easy to setup but reliably had great results, and briefly cover how we leveraged one use after free bug to fully escape the sandbox.


These files contain multiple languages.

This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.

Please look for "audio tracks" in your desktop video player.