Mastodawn

In my recent conference talks on browser security, I showed a calc-popping exploit demo that targets Firefox 135.0. For educational purposes, to try to demistify some of that calc popping magic, the demo code is now public https://project-zero.issues.chromium.org/issues/389079450#comment7

Project Zero

Ivan Fratric Jun 11

Last week, I gave a talk on web browser security research at a student-organized conference. I tried to make the talk reasonably beginner-friendly, so the slides (linked here) could hopefully be useful to someone as a learning resource. https://docs.google.com/presentation/d/1rEPiqV0KBHAI0lVym283OHzYRXNCCuGudmDby1Z1qyc/edit?usp=sharing

Intro to Browser Security Research

How to Find Vulnerabilities in Web Browsers (An Introduction to Web Browser Security Research) Ivan Fratrić, Google Project Zero 2025

Google Docs

Ivan Fratric May 20

...and now the video of my talk "Finding and Exploiting 20-year-old bugs in Web Browsers" is live too https://www.youtube.com/watch?v=U1kc7fcF5Ao

OffensiveCon25 - Ivan Fratric - Finding and Exploiting 20-Year-Old Bugs in Web Browsers

YouTube

Ivan Fratric May 19

The slides for my OffensiveCon talk "Finding and Exploiting 20-year-old bugs in Web Browsers" https://docs.google.com/presentation/d/1pAosPlKUw4uI5lfg7FVheTZAtI5mUy8iDeE4znprV34/edit?usp=sharing

Finding and Exploiting 20-year-old bugs in Web Browsers

Finding and Exploiting 20-year-old bugs in Web Browsers Ivan Fratric, Google Project Zero OffensiveCon 2025 Thank the audience for having the patience for another talk

Google Docs

Ivan Fratric May 9

dillonfranke May 9

Thrilled to announce my new Project Zero blog post is LIVE! 🎉 I detail my knowledge-driven fuzzing process to find sandbox escape vulnerabilities in CoreAudio on MacOS.

I'll talk about this and the exploitation process next week
@offensive_con

https://googleprojectzero.blogspot.com/2025/05/breaking-sound-barrier-part-i-fuzzing.html

Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages

Guest post by Dillon Franke, Senior Security Engineer , 20% time on Project Zero Every second, highly-privileged MacOS system daemons...

Ivan Fratric Mar 18

I found 2 use-after-free bugs in libxslt with Jackalope, let's find more together! The harness is now included in examples (link below). This also serves as a demo for two not very commonly used modes in Jackalope: grammar mutational fuzzing and sanitizer coverage.
https://github.com/googleprojectzero/Jackalope/tree/main/examples/libxslt

Jackalope/examples/libxslt at main · googleprojectzero/Jackalope

Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android - googleprojectzero/Jackalope

GitHub

Ivan Fratric Jan 8

In case it wasn't posted here already, Project Zero is hiring!
See https://goo.gle/41DBQBY

Senior Security Engineer, Security Research — Google Careers

Ivan Fratric Nov 21, 2024

The blog post (and tooling) on my Apple kernel extension fuzzing technique that I used to find several AppleAVD AV1 decoder bugs is now public at https://googleprojectzero.blogspot.com/2024/11/simple-macos-kernel-extension-fuzzing.html

Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst

Posted by Ivan Fratric, Google Project Zero Recently, one of the projects I was involved in had to do with video decoding on Apple pla...

Ivan Fratric Nov 1, 2024

Don't panic now, but LLM-based agent discovered a previously unknown real-world vulnerability. Details in https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html

The bug in question: https://project-zero.issues.chromium.org/issues/372435124

From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

Posted by the Big Sleep team Introduction In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large L...

Ivan Fratric Oct 31, 2024

Recently, I tried running TinyInst against a target written in Objective C and... the performance was ... not great. Let's analyze why that was and how to fix it:

Firstly, technical background: TinyInst marks the code sections of instrumented modules non-executable. Then (being a debugger), it catches exceptions raised while attempting to execute the original code and redirects execution to the rewritten code instead.

Exception handling is not very fast, but it only happens when non-instrumented code calls into an instrumented module. All callls from instrumented into instrumented code get optimized. This is why TinyInst works best when instrumented modules are selected so that they form a whole and calls into their group happen rarely. A handful is fine, but you'll notice if there are thousands.

How does Objective C mess this up? Because method calls in Objective C happen through objc_msgsend, which is a part of libobjc module. So even if you have calls from module abc to the same module, What you end up with is abc->libobjc->abc.

If libobjc is not instrumented, then libobjc->abc transitions will cause slowdowns. On the other hand, if you do instrument libobjc, then any Objective C calls from any non-instrumented module will cause slowdowns. So, no good solution, right?

But what if we instrument libobjc ins such a way that it only runs instrumented if it's called from other instrumented code? This is surprisingly simple to implement, we just skip marking its code non-executable during instrumentation, but it will still runs instrumented code when called from other instrumented code due to optimization mentioned earlier.

The effect: an order of magnitude better performance and we get libobjc instrumented "for free" (it doesn't cause any additional entries)

This is now implemented in TinyInst in the form of -instrument_transitive, which will instrument a module only for calls from other instrumented modules.

tl;dr if you run Objective C code under TinyInst and are experiencing slowdownsm, try -instrument_transitive libobjc.A.dylib. But it will no doubt improve performance in other scenarios as well.