With security as one of its design fundamentals, the Microsoft Edge browser is one of the most secure browsers around. How hard is it to find a remote code execution exploit in Edge?
To answer this question we spent time researching various attack surfaces in Edge and came away with an answer: go in through the ChakraCore engine.
We will introduce new exploit techniques based on features of ChakraCore itself and show how to achieve reliable heap feng shui in the Chakra engine. We will also present our previously unpublished CFG (Control Flow Guard) bypass methods, which won Microsoft's Mitigation Bypass Bounty, and demonstrate how to bypass the newly added RFG (Return Flow Guard) mitigation introduced in the Windows 10 RS2 (Redstone 2) preview builds.
As a bonus, we will disclose the details of several real 64-bit Edge exploits, including the one we used to win PwnFest 2016 (http://pwnfest.org/).