Author: Haifei Li
This research addresses two questions: 1) what inner mechanisms cause Flash JIT-level vulnerabilities, and 2) how can they be exploited on modern operating systems? The answer to the first lies in the way the JIT engine performs its “verification process” (the “bytecode verifier”) over the program's control flow; that verification is not error-proof, and its errors create exploitable conditions. To answer the second, the author introduces a situation termed “Type/Atom Confusion”, then presents a technique called the “IEEE-754 trick” for reading memory out of the process once a type confusion occurs. Armed with these, Haifei Li was able to exploit Flash ActionScript JIT-level vulnerabilities on modern operating systems such as Windows 7, bypassing both ASLR and DEP.
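The abstract names the “IEEE-754 trick” without detailing it. The following is an added illustration, not the author's code and not taken from the paper, of the numeric principle such a leak depends on: a pointer-sized memory word that a confused JIT read hands back as a Number is a 64-bit IEEE-754 bit pattern, and that pattern can be converted back to the original bits without loss, with one caveat a practitioner must check. Words whose top 12 bits form an all-ones exponent are NaNs, and a runtime that canonicalizes NaNs destroys the payload. The function names, the canonicalization simulation and the sample words below are this example's own assumptions.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret a raw 64-bit word as a double, as a JIT-compiled read does when a
   memory word is mistaken for a Number (no floating-point arithmetic is applied). */
static double bits_to_double(uint64_t word) {
    double d;
    memcpy(&d, &word, sizeof d);
    return d;
}

/* Recover the bit pattern from a double. In ActionScript the equivalent step is
   writing the Number into a ByteArray and reading the bytes back. */
static uint64_t double_to_bits(double d) {
    uint64_t word;
    memcpy(&word, &d, sizeof word);
    return word;
}

/* 1 if the word survives a double round-trip bit-for-bit (always true here,
   because memcpy never touches the value). */
static int leak_is_exact(uint64_t word) {
    return double_to_bits(bits_to_double(word)) == word;
}

/* A word is a NaN when its exponent field is all ones and its mantissa is nonzero. */
static int word_is_nan(uint64_t word) {
    uint64_t exponent = (word >> 52) & 0x7FFULL;
    uint64_t mantissa = word & 0xFFFFFFFFFFFFFULL;
    return exponent == 0x7FFULL && mantissa != 0;
}

/* Assumed model of a runtime that canonicalizes every NaN to the default quiet NaN.
   Any payload bits carried by a leaked NaN-shaped word are lost here. */
static double canonicalize_nan(double d) {
    if (isnan(d)) {
        uint64_t quiet = 0x7FF8000000000000ULL;
        memcpy(&d, &quiet, sizeof d);
    }
    return d;
}

/* 1 if the leaked word is still intact after passing through such a runtime. */
static int leak_survives_canonicalization(uint64_t word) {
    return double_to_bits(canonicalize_nan(bits_to_double(word))) == word;
}

int main(void) {
    /* Constructed sample words: a user-mode-looking address (tiny exponent, so a
       denormal double) and a word whose high bits happen to look like a NaN. */
    const uint64_t samples[] = { 0x00007FFEA0B1C000ULL, 0xFFF8000000001234ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t w = samples[i];
        printf("word 0x%016llx: nan=%d exact=%d survives_canonicalization=%d\n",
               (unsigned long long)w, word_is_nan(w), leak_is_exact(w),
               leak_survives_canonicalization(w));
    }
    return 0;
}
```

The practical consequence is that a leak built on this principle should treat any word that decodes to a NaN as suspect and re-read it through a path that does not canonicalize, or leak it in smaller pieces.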