Seeing some cool memory disclosure work come out recently (e.g. GDTR on Hashtable Timing Attacks and Timing Attacks against KASLR), I was motivated to try out an idea I've had for a bit but had never got around to testing. I've spent quite a bit of time reading the source to various interpreter engines (Spider|Trace|IonMonkey, Tamarin, V8, and JavascriptCore). One subsystem that always scares the pants off me is the garbage collection (GC) implementations. In an effort to balance interactivity and reasonable memory footprints, modern garbage collection (I guess like everything else in a browser) is complex but finely tuned. Optimizations are scattered throughout and, in any competitive engine, the code is always in motion. Despite the complexity, most engines have done a good job of maintaining a high degree of stability in the GC portion. Maybe this is due to necessity; GC bugs would cause easy-to-notice problems (I'd imagine most are crashers). The part that tickles my security senses is the native stack walk necessary for conservative GC. Let me explain.
Read more: https://github.com/justdionysus/gcwoah