tags: pwn2own, methodology, interview
original link: exploits.club Weekly Newsletter 20 - Special @_manfp Edition


Exploits Club Summary:

How long have you been doing vuln research? How much of that time has been dedicated towards browser research?

My official first CVE was in 2019 - I found a Ghostscript bug during GoogleCTF. I totally thought that this was the intended solution (it wasn't), but I still suspect it might have been easier than solving the actual challenge!

Then, in 2020, I started looking at the Linux kernel a bit just for fun, because the eBPF JIT compiler interested me. To my surprise, I found a bug - my first Pwn2Own participation! After Pwn2Own 2021 (again Linux) I started focusing a bit more on browsers; the jump from eBPF JIT to JavaScript JIT isn't necessarily that huge. Since then, I've mostly been doing that (though I'm keeping my eyes open for other targets!).

I heard through the grapevine that you found and exploited all the P2O bugs in just three months? Is that true?

In a literal sense, it's true - I didn't have any bug when the year started. I did however put in some work a couple of weeks or months before that - sometimes, looking at code gains understanding that is then useful at a later point, even if I don't find any concrete bug. And also there are just (un)lucky streaks sometimes - it's all probabilistic.

Over those three months, what did your routine look like? Did you tend to focus on one target until you had a working exploit, or bounce around?

They were certainly intense months. It's not like I did absolutely nothing else, but I think I pushed myself pretty hard - having something for all browsers at one Pwn2Own was kind of a pipe dream I had in the back of my head, so with each bug the motivation to find something for the other ones only increased! I definitely bounced around between targets a lot - it helps with not getting frustrated during periods where I don't find anything.

What methodology did you use to find the bugs?

So far, I've found 100% of my bugs with manual code review. Fuzzing is great, but it's also what so many people are doing - I think I tend to find the bugs that fuzzers have a hard time with, like for example if you need a really complicated and precise JavaScript expression to trigger something. One other benefit of reading a lot of code is that it helps with exploitation, or even just deciding if something is likely to be exploitable! That being said, getting into fuzzing or other more automated approaches is definitely something I'm considering for the future.

For code review, I tend to just follow my intuition about what parts of the code seem dangerous or interesting to me - if it engages my curiosity, I'm way more likely to find a bug. I mostly don't look a lot at specific previous bugs (except for getting a general understanding of different methods or dangerous areas) - going in somewhat blind means I don't subconsciously believe that everything has already been found, so I feel like that way I make fewer assumptions about the code being correct.

What advice do you have for others looking to get into vuln research?

I can of course only comment on my personal experience - learning skills is something very individual. That said, my three pieces of advice would be:

1. Play CTFs - that's where I learned nearly everything about finding and exploiting bugs. And it's also just a lot of fun!
2. If possible, find a team to play them with. Especially if you're able to meet up (or travel to finals), it can be such a huge motivation. I've been lucky to play with some experienced teammates, and they taught me a lot (and still do from time to time!)
3. Don't be afraid to look at real-world software. Read some writeups - if you're able to generally understand some bugs, then you're probably able to find them, given enough time. It gets a bit easier, but convincing myself that I have a chance of finding something is still one of the hardest parts of vulnerability research!

Who are some other researchers you look up to?

A hard question because there are so many (it doesn't help that I'm terrible with names!). Generally speaking, I have a huge respect for all the people who found all those clever techniques we build on today. Also, everyone who writes great writeups or gives talks about their (or other people's!) bugs and techniques - that's work I've relied on so often! And let's not forget the defensive side - finding bugs tends to get a lot of the glory, but in the end it's the people who fix stuff and build mitigations who ultimately keep people secure.

Favorite (public) bug of all time? Can be your own or someone else's.

Another hard one, I'm sure I'm forgetting some really cool ones. Off the top of my head, it might be the expm1 v8 typer one (https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/) - when I first read about it, going from "a function can return -0" to RCE felt like pure magic.

Where do you see the field of vuln research headed in the future? Should we all jump ship before we are unemployed, or is memory corruption here to stay?

Not sure about memory corruption bugs specifically (though those will probably be around for a while too...), but I'm fairly certain vulnerability research is here to stay. For my own bugs, memory corruption tends to be more a symptom than the root cause, which is more often than not a plain old logic bug in the JIT compiler - using Rust won't help very much there! All those mitigations that are being added do often make things a bit more "interesting" however - but that also just means there are methods for circumventing them that need finding!

Should we expect to see you back on stage to defend your title for P2O 2025?

It's too early to say - while my immediate plans are to continue doing some independent research, there might also be a point where I'll be looking for something a bit more stable. But if I'm back, don't expect me to cling too much to that trophy - winning it required a lot of luck, hard work (and sadly, misfortune for another team), which I'm not certain I could repeat a second time. A few months ago I wouldn't have dreamt of even having a shot at Master of Pwn - so even if that were to remain the only time, I'd still be very happy with it!