From Zero to Zero Day

Jonathan Jacobi

Playlists: '35c3' videos starting here / audio / related events

In this talk I will share my story of how in a little over a year, a high school student with almost zero knowledge in security research found his first RCE in Edge.

After starting my BSc in CS and Math I picked up a new hobby: solving coding challenges. The next logical step was to try harder challenges, which lead me to participate in CTF competitions. During these CTFs I found that I’m fascinated by vulnerabilities: finding mistakes or things that developers failed to think through. This is how I started going down the rabbit hole.

Fast forward a year later, I found my first 0-day, a critical RCE in Edge. To understand it, we will review the recent trend of JIT Type Confusion vulnerabilities in ChakraCore. I will talk about the vulnerability I found, explain how I discovered it and show similar vulnerabilities recently found by other researchers. Finally, I will demo a working exploit of this vulnerability.

This session could be helpful both for people interested in getting into the security field, and for experienced security researchers who want to learn more about browser vulnerabilities and exploitation.


These files contain multiple languages.

This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.

Please look for "audio tracks" in your desktop video player.