At Black Hat Asia 2023, 360 Publicly Releases Research Results on Major Vulnerabilities
Recently, Black Hat Asia 2023 opened as scheduled in Singapore. Recognized as the top event in the global information security industry, Black Hat presents the latest security research results, innovative technology and other cutting-edge information every year, and is the best window onto global security trends.
Since 2014, 360 has appeared on the stage of the global Black Hat conference for ten consecutive years. At this year's Black Hat Asia, 360 Digital Security Group was invited again. Security experts from its 360 Vulnerability Research Institute announced that they had developed a grammar-mutation fuzzer based on syntax trees and context analysis, and had used it to find high-risk vulnerabilities in Chrome's WebSQL.
They said: "As Chrome has gradually added mitigation mechanisms to the traditional RCE attack surfaces (V8 and Blink), greatly increasing the difficulty of attack, attacking Chrome through the WebSQL API by targeting the underlying SQLite engine has received our attention again. Since 2020, our fuzzer has discovered the vast majority of Chrome WebSQL vulnerabilities, including multiple use-after-free, stack overflow and out-of-bounds read/write vulnerabilities."
In the talk, they gave a detailed introduction to the fuzzer's working principles and advantages: it ensures grammatical validity by constructing a complete syntax tree, guides its mutation strategies through context analysis to achieve better semantic validity, and implements a better seed-screening mechanism and a coverage-guided tree-node mutation method.
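The difference between grammatical and semantic validity can be seen in a small added example, which is not the 360 fuzzer or code from the talk. The tuple-based tree, the seed program and the names `mutate` and `valid_rate` are assumptions made for illustration; both mutators emit grammatically valid SQL from tree nodes, but only the one that consults the schema recorded from earlier `CREATE TABLE` nodes always produces statements SQLite accepts.

```python
import random
import sqlite3

# Constructed seed program: statements are syntax-tree nodes, not strings.
SEED = [("create", "t1", ["a", "b"]), ("create", "t2", ["x", "y", "z"]),
        ("insert", "t1", [1, 2]), ("select", ["a"], "t1")]

def render(node):
    """Serialize a tree node; any tree renders to grammatically valid SQL."""
    kind = node[0]
    if kind == "create":
        return f"CREATE TABLE {node[1]}({', '.join(node[2])})"
    if kind == "insert":
        return f"INSERT INTO {node[1]} VALUES({', '.join(map(str, node[2]))})"
    return f"SELECT {', '.join(node[1])} FROM {node[2]}"

def mutate(program, rng, use_context):
    """Regenerate INSERT/SELECT nodes. With use_context, the schema built by
    earlier CREATE nodes picks column names and value counts."""
    ctx, out = {}, []
    for node in program:
        if node[0] == "create":
            ctx[node[1]] = node[2]          # context analysis: record the schema
        else:
            table = rng.choice(sorted(ctx))
            every = [c for cols in ctx.values() for c in cols]
            if node[0] == "insert":
                n = len(ctx[table]) if use_context else rng.randint(1, 4)
                node = ("insert", table, [rng.randint(0, 9) for _ in range(n)])
            else:
                pool = ctx[table] if use_context else every
                k = rng.randint(1, 3)
                node = ("select", [rng.choice(pool) for _ in range(k)], table)
        out.append(node)
    return out

def valid_rate(use_context, rounds=200, seed=1):
    """Fraction of mutated statements SQLite executes without an error."""
    rng, ok, total = random.Random(seed), 0, 0
    for _ in range(rounds):
        db = sqlite3.connect(":memory:")
        for node in mutate(SEED, rng, use_context):
            total += 1
            try:
                db.execute(render(node))
                ok += 1
            except sqlite3.Error:   # e.g. "no such column", wrong value count
                pass
        db.close()
    return ok / total
```

Statements rejected with a semantic error never reach the deeper query-planning and execution code, which is why a higher valid rate matters for finding bugs in the engine itself.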
Although Chrome's WebSQL whitelist has been strengthened and the number of WebSQL vulnerabilities in Chrome has dropped significantly since 2020, the fuzzer has continued to discover new high-risk WebSQL vulnerabilities. These vulnerabilities may lead to arbitrary address reads, stack overflows and out-of-bounds writes. They allow complete control of the memory layout, hijacking of some registers and arbitrary address reads, causing information leakage, and can even achieve remote code execution (RCE).
They also emphasized that SQLite is an easily overlooked weak point in Chrome, and that introducing third-party libraries always comes with some security risk. The fuzzer improves the grammatical and semantic validity of SQL fuzzing, and so can discover more SQLite vulnerabilities. They said that the fuzzing method applies to all grammar-based targets: by constructing the context analysis required for each target, the same fuzzer can be applied to more platforms or targets.
The highly valuable security research submitted by the 360 Vulnerability Research Institute at this year's Black Hat Asia once again showed the world the strength of China's security community. Before this, the 360 Vulnerability Research Institute had repeatedly impressed the world with its security capabilities, not only becoming a "regular" at the top of the leaderboards for Microsoft MSRC, the Tianfu Cup and other international awards, but also winning China's first Pwnie Awards for Epic Achievement and Best Privilege Escalation Bug, and receiving public thanks in the annual report of Google's official Vulnerability Reward Program (VRP) for many consecutive years.