The Mysterious Realm of JavaScriptCore (2021)
- #JavaScriptCore
- #BrowserSecurity
- #CodeQL
- JavaScriptCore (JSC) is the JavaScript engine used by Safari, Mail, App Store, and other macOS apps.
- JSC executes JavaScript code in four tiers: LLInt, Baseline JIT, DFG JIT, and FTL JIT, each with increasing optimization levels.
- Incorrect side-effect modeling in JSC can lead to vulnerabilities, such as CVE-2018-4233, which was exploited at Pwn2Own 2018.
- CodeQL can be used to find vulnerabilities in JSC by analyzing its side-effect modeling and linking bytecode opcodes to the operations they implement.
- The blog post details a journey of exploring JSC internals and using CodeQL to uncover critical vulnerabilities.