These are some resources I've gathered while trying to learn V8 internals (with a security focus). Feel free to fork the repo and make your own progress 👍.
- Phrack: Exploiting Logic Bugs in JavaScript JIT Engines ✅
- Phrack: Allocating new exploits
- Pointer Compression in V8 ✅
- Notes about GraphReducer in V8 ✅
- Redundancy Elimination Reducer in V8 and 34C3 CTF V9 ✅
- Understanding V8’s Bytecode ✅
- What's up with monomorphism? ✅
- Explaining JavaScript VMs in JavaScript - Inline Caches ✅
- Abusing Liftoff assembly and efficiently escaping from sbx ✅
- JavaScript Bytecode – v8 Ignition Instructions ✅
- In-the-Wild Series: Chrome Infinity Bug
- Rooting Samsung Q60T Smart TV
- TheHole New World - how a small leak will sink a great browser (CVE-2021-38003) ✅
- From Leaking TheHole to Chrome Renderer RCE ✅
- The Chromium super (inline cache) type confusion
- Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties
- From object transition to RCE in the Chrome renderer
- Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
- Zooming in on CVE‑2024‑7965
- Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution
- Google Chrome V8 ArrayShift Race Condition Remote Code Execution
- Exploiting the Magellan bug on 64-bit Chrome Desktop
- Sea of Nodes
- Modern attacks on the Chrome browser : optimizations and deoptimizations
- Circumventing Chrome's hardening of typer bugs
- CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome
- Code Execution in Chromium’s V8 Heap Sandbox ✅
- Root Cause Analysis of CVE-2021-21224
- Exploring Historical V8 Heap Sandbox Escapes I
- A Bug's Life: CVE-2021-21225
- Exploiting CVE-2021-21225 and disabling W^X
- V8: Behind the Scenes (February Edition feat. A tale of TurboFan)
- Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
- V8 Heap pwn and /dev/memes - WebOS Root LPE
- From the Vulnerability to the Victory: A Chrome Renderer 1-Day Exploit’s Journey to v8CTF Glory ✅
- Understand WebAssembly in One Article
- Zero-cost async stack traces
- V8 Sandbox ✅
- V8 Sandbox - Address Space ✅
- V8 Sandbox - External Pointer Sandboxing
- V8 Sandbox - Code Pointer Sandboxing ✅
- V8 Sandbox - Trusted Space
- V8 Sandbox - Sandboxed Pointers
- V8 Sandbox - Hardware Support ✅
- Const tracking lets ✅
- V8 Sandbox + Leaptiering
- Elements kinds in V8 ✅
- Stack trace API ✅
- Pointer Compression in V8
- Optimizing ES2015 proxies in V8
- There’s Math.random(), and then there’s Math.random()
- V8 Torque user manual ✅
- Taming architecture complexity in V8 — the CodeStubAssembler ✅
- V8 Torque builtins
- CodeStubAssembler builtins
- Control-flow Integrity in V8 ✅
- The V8 Sandbox ✅
- Embedded builtins
- Built-in functions ✅
- Investigating memory leaks
- A deep dive into Linux’s new mseal syscall ✅
- Scope in ECMAScript
- Summary of WebAssembly Security Research
- Mind the v8 patch gap: Electron's Context Isolation is insecure
- CHECK(), DCHECK() and NOTREACHED() ✅
- CVE-2024-0517 Chrome V8 Out of Bounds Write
- CVE-2024-0517 (Out of Bounds Write in V8)
- Allocation Folding Based on Dominance
- CovRL: Fuzzing JavaScript Engines with Coverage-Guided Reinforcement Learning for LLM-based Mutation
- CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes
- Don't Follow The Masses: Bug Hunting in JavaScript Engines
- V8 CVE-2021-21224 Renderer RCE Root Cause Analysis
- Overview of WebAssembly Type Confusion in JavaScript Engines Exploitation
- Exploit Development: Browser Exploitation on Windows - Understanding Use-After-Free Vulnerabilities
- Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability
- A Brief JavaScriptCore RCE Story
- V8 Deep Dives: Understanding Map Internals ✅
- V8 function optimization
- V8 Optimize: Reduce Node && Inline
- V8 Optimize: FrameState
- HackTheBox - Rope2 ✅
- JavaScript Engines: The Good Parts™ - Mathias Bynens & Benedikt Meurer - JSConf EU 2018 ✅
- Franziska Hinkelmann: JavaScript engines - how do they even? | JSConf EU ✅
- Attacking Turbofan TyphoonCon 2019 - Seoul ✅
- Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution
- TurboFan JIT Design
- Turbofan IR
- WebAssembly Is All You Need - Exploiting Chrome and the V8 Sandbox 10+ times with WASM
- Chrome Browser Exploitation: from zero to heap sandbox escape ✅
- OffensiveCon24 - Samuel Groß - The V8 Heap Sandbox
- Attacking V8, Ayman - BSides Canberra 2024
- Introduction to JavaScript and V8 for Browser Exploitation
- Fuzzing for complex bugs across languages in JS Engines
- Fake it till you make it: Bypassing V8 Sandbox by constructing a fake Isolate
- Practical Exploitation of Math.random on V8 ✅
- Fuzzing Javascript Engines for Fun and Pwnage - Areum Lee & Jeonghoon Shin
- Exploiting v8: *CTF 2019 oob-v8 ✅
- DownUnderCTF 2020: Is this pwn or web? ✅
- Exploiting V8 at openECSC ✅
- Introduction to TurboFan ✅
- Turboflan PicoCTF 2021 Writeup (v8 + introductory turbofan pwnable) ✅
- Exploiting Chrome V8: Krautflare (35C3 CTF 2018)
- Exploiting the Math.expm1 typing bug in V8
- Start Your Engines - Capturing the First Flag in Google's New v8CTF
- openECSC 2024 - Final Round: Backfired
- DiceCTF 2022 - memory hole ✅
- Dice CTF Memory Hole: Breaking V8 Heap Sandbox
- Google CTF 2022 d8: From V8 Bytecode to Code Execution
- Breaking V8 Sandbox with Trusted Pointer Table
- KITCTFCTF 2022 V8 Heap Sandbox Escape ✅
- Writeup for v8box ✅
- HITCON CTF 2022 -- Fourchain - Browser
- ASIS CTF Finals 2023: isWebP.js
- BackdoorCTF 2024 - V8Box ✅
- corCTF 2021 - outfoxed
- v8 CTF out of bounds 2019: Installing v8 Part 1
- v8 CTF out of bounds 2019 Part 2: What they don’t tell you about setting up your GDB.
- Super Hat Trick: Exploit Chrome and Firefox Four Times ✅
- An Intermediate Representation for Speculative Optimizations in a Dynamic Compiler
- V8 debug session
- V8 gdbinit
- v8 - stackoverflow
- issues.chromium.org V8 sandbox hotlist
- issues.chromium.org status:open type:vulnerability
- Index of chromium-browser-snapshots/
P.S.: Note that I don't support Google, nor do I condone Google’s support of Israel in its ethnic cleansing of Palestinian people. This is simply me researching an open-source project that is widely used in various applications.
P.P.S.: The articles listed above are included solely for their technical content; the views, backgrounds, or actions of the authors do not reflect my endorsement.