tags:pwn2ownmethodologyinterview original link: exploits.club Weekly Newsletter 20 - Special @_manfp Edition newsletter link: exploits.club Weekly Newsletter 20 - Special @_manfp Edition
Exploits Club Summary:
How long have you been doing vuln research? How much of that time has been dedicated towards browser research?
My official first CVE was in 2019 - I found a Ghostscript bug during GoogleCTF. I totally thought that this was the intended solution (it wasnāt), but I still suspect it might have been easier than solving the actual challenge!
Then, in 2020, I started looking at the Linux kernel a bit just for fun, because the eBPF JIT compiler interested me. To my surprise, I found a bug - my first Pwn2Own participation! After Pwn2Own 2021 (again Linux) I started focusing a bit more on browsers; the jump from eBPF JIT to JavaScript JIT isnāt necessarily that huge. Since then, Iāve mostly been doing that (though Iām keeping my eyes open for other targets!).
I heard through the grapevine that you found and exploited all the P2O bugs in just three months? Is that true?
In a literal sense, itās true - I didnāt have any bug when the year started. I did however put in some work a couple of weeks or months before that - sometimes, looking at code gains understanding that is then useful at a later point, even if I donāt find any concrete bug. And also thereās just (un)lucky streaks sometimes - itās all probabilistic.
Over those three months, what did your routine look like? Did you tend to focus on one target until you had a working exploit, or bounce around?
They were certainly intense months. Itās not like I did absolutely nothing else, but I think I pushed myself pretty hard - having something for all browsers at one Pwn2Own was kind of a pipe dream I had in the back of my head, so with each bug the motivation to find something for the other ones only increased! I definitely bounced around between targets a lot - it helps with not getting frustrated during periods where I donāt find anything.
What methodology did you use to find the bugs?
So far, Iāve found 100% of my bugs with manual code-review. Fuzzing is great, but itās also what so many people are doing - I think I tend to find the bugs that fuzzers have a hard time with, like for example if you need a really complicated and precise JavaScript expression to trigger something. One other benefit of reading a lot of code is that it helps with exploitation, or even just deciding if something is likely to be exploitable! That being said, getting into fuzzing or other more automated approaches is definitely something Iām considering for the future.
For code review, I tend to just follow my intuition about what parts of the code seem dangerous or interesting to me - if it engages my curiosity, Iām way more likely to find a bug. I mostly donāt look a lot at specific previous bugs (except for getting a general understanding of different methods or dangerous areas) - going in somewhat blind means I donāt subconsciously believe that everything has already been found, so I feel like that way I make less assumptions about the code being correct.
What advice do you have for others looking to get into vuln research?
I can of course only comment on my personal experience - learning skills is something very individual. That said, my three pieces of advice would be: 1. Play CTFs - thatās where I learned nearly everything about finding and exploiting bugs. And itās also just a lot of fun! 2. If possible, find a team to play them with. Especially if youāre able to meet up (or travel to finals), it can be such a huge motivation. Iāve been lucky to play with some experienced teammates, and they taught me a lot (and still do from time to time!) 3. Donāt be afraid to look at real-world software. Read some writeups - if youāre able to generally understand some bugs, then youāre probably able to find them, given enough time. It gets a bit easier, but convincing myself that I have a chance of finding something is still one of the hardest parts of vulnerability research!
Who are some other researchers you look up to?
A hard question because there are so many (it doesnāt help that Iām terrible with names!). Generally speaking, I have a huge respect for all the people who found all those clever techniques we build on today. Also, everyone who writes great writeups or gives talks about their (or other peopleās!) bugs and techniques - thatās work Iāve relied on so often! And letās not forget the defensive side - finding bugs tends to get a lot of the glory, but in the end itās the people who fix stuff and build mitigations who ultimately keep people secure.
Favorite (public) bug of all time? Can be your own or someone elseās.
Another hard one, Iām sure Iām forgetting some really cool ones. Of the top of my head, it might be the expm1 v8 typer one (https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/) - when I first read about it, going from āa function can return -0ā to RCE felt like pure magic.
Where do you see the field of vuln research headed in the future? Should we all jump ship before we are unemployed, or is memory corruption here to stay?
Not sure about memory corruption bugs specifically (though those will probably be around for a while tooā¦), but Iām fairly certain vulnerability research is here to stay. For my own bugs, memory corruptions tends to be more a symptom than the root cause, which is more often than not a plain old logic bug in the JIT compiler - using Rust wonāt help very much there! All those mitigations that are being added do often make things a bit more āinterestingā however - but that also just means thereās methods for circumventing them that need finding!
Should we expect to see you back on stage to defend your title for P2O 2025?
Itās too early to say - while my immediate plans are to continue doing some independent research, there might also be a point where Iāll be looking for something a bit more stable. But if Iām back, donāt expect me to cling too much to that trophy - winning it required a lot of luck, hard work (and sadly, misfortune for another team), which Iām not certain I could repeat a second time. A few months ago I wouldnāt have dreamt of even having a shot at master of pwn - so even if that were to remain the only time, Iād still be very happy with it!