We added this fuzzer some time last year: https://github.com/googleprojectzero/fuzzilli/blob/700f669a1d38b787968229f7d7ab2a4d0a7bf2b7/Sources/FuzzilliCli/Profiles/V8Profile.swift#L278 and it found another handful of issues fairly quickly, but nothing ever since. I don't think there is too much room for improvement there. ValueSerializer is an attack surface in Chrome as it potentially allows for a site isolation bypass if a compromised renderer process can compromise other renderer processes by sending malicious ValueSerializer data.
Cheers!
Samuel

On Fri, Jun 30, 2023 at 11:33 AM Leszek Swirski <lesz...@chromium.org> wrote:
> +sa...@chromium.org <sa...@chromium.org>, do we have good fuzzing for ValueDeserializer? If not, should we expand it?
>
> On Thu, Jun 29, 2023 at 9:05 PM Ben Noordhuis <i...@bnoordhuis.nl> wrote:
>
>> On Thu, Jun 29, 2023 at 4:28 PM 'Kenton Varda' via v8-dev <v8-dev@googlegroups.com> wrote:
>> >
>> > Hi v8-dev,
>> >
>> > We (Cloudflare Workers team) are wondering how V8 feels about the security of the ValueDeserializer API. Do you believe it's safe to parse possibly-malicious input with this? My understanding is that Chrome does not provide any way to input attacker-controlled bytes to the API today, so wasn't sure if it's designed for that.
>> >
>> > I ask because we'd like to expose V8 serialization in Cloudflare Workers for compatibility with Node.js, which already exposes this. But our threat model is very different from Node, such that we care a lot more about the security of the V8 sandbox.
>> >
>> > Relatedly, is ValueDeserializer covered by fuzzing today?
>> >
>> > Thanks,
>> > -Kenton
>>
>> Single data point but I got paid $15k last year for https://bugs.chromium.org/p/chromium/issues/detail?id=1339648 so on the one hand, it's great it's covered by the VRP program, on the other hand I wasn't even actively looking and still stumbled upon a fairly critical bug. Probably a risky bet in a multi-tenant system like Workers.
>>
>> (I realize "VRP program" is like saying "ATM machine" but I still do it.)
>>
>> --
>> --
>> v8-dev mailing list
>> v8-dev@googlegroups.com
>> http://groups.google.com/group/v8-dev
>> ---
>> You received this message because you are subscribed to the Google Groups "v8-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAHQurc89pAEYYq_zNjiMjEVmdoXmV4Ao39ZfrqhcpCY09mX3SQ%40mail.gmail.com.