The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines
Authors
Abstract
Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then take advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that, no matter the employed defenses, JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all required gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective.
Finally, we perform an analysis of the most important defense currently employed, namely constant blinding, which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine’s performance, introducing up to 80% additional instructions.
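Constant blinding as the abstract describes it, reduced to a toy x86 emitter (an added illustration, not the paper's or any browser's code): immediates of three or more bytes are emitted as `imm XOR key` followed by a fix-up `xor`, so the attacker-chosen bytes never land in the JIT buffer verbatim, and lowering the width threshold to one byte shows where the extra instructions come from. The fixed key, the sample constants and the imm32-only encoding are constructed assumptions.

```python
import struct

# Toy model of constant blinding for 'mov eax, imm32' (assumption: real
# engines draw a fresh random key per constant and also use imm8/imm16
# encodings; a fixed key and imm32-only output keep this deterministic).

def imm_width(value: int) -> int:
    """Number of significant bytes in a 32-bit constant (1..4)."""
    value &= 0xFFFFFFFF
    return max(1, (value.bit_length() + 7) // 8)

def emit_mov_eax(value: int, key: int, min_width: int = 3) -> list[bytes]:
    """Return the x86 instructions that load `value` into EAX.

    Unblinded: B8 <imm32>                  (mov eax, imm32)
    Blinded:   B8 <imm32 ^ key>; 35 <key>  (mov eax, blinded; xor eax, key)
    Constants narrower than `min_width` bytes are left as-is; min_width == 3
    is the three-byte-or-larger policy the abstract describes.
    """
    assert key != 0, "a zero key would leave the constant visible"
    value &= 0xFFFFFFFF
    if imm_width(value) < min_width:
        return [b"\xb8" + struct.pack("<I", value)]
    return [b"\xb8" + struct.pack("<I", value ^ key),
            b"\x35" + struct.pack("<I", key)]

def constant_visible(code: bytes, value: int) -> bool:
    """True if the little-endian bytes of `value` appear verbatim in `code`,
    i.e. the constant is reusable as part of an unintended instruction."""
    width = imm_width(value)
    return struct.pack("<I", value & 0xFFFFFFFF)[:width] in code

def instruction_count(constants: list[int], key: int, min_width: int) -> int:
    """Total instructions emitted for `constants` under a width policy."""
    return sum(len(emit_mov_eax(c, key, min_width)) for c in constants)

if __name__ == "__main__":
    KEY = 0x5A5A5A5A                              # constructed, fixed key
    consts = [0x12, 0x1234, 0xABCDEF, 0x12345678]  # constructed sample
    for c in consts:
        code = b"".join(emit_mov_eax(c, KEY))
        print(f"{c:#010x}: {code.hex()} visible={constant_visible(code, c)}")
    base = instruction_count(consts, KEY, min_width=5)   # blind nothing
    for w in (3, 1):
        n = instruction_count(consts, KEY, w)
        print(f"blind >= {w} byte(s): {n} instrs, +{100 * (n - base) / base:.0f}%")
```

The overhead printed by the toy is not the paper's measured figure; it only shows that every additional blinded constant costs one extra instruction, which is why shielding 1-byte and 2-byte constants is expensive.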
Similar references
Interpreter Exploitation
As remote exploits further dwindle and perimeter defenses become the standard, remote client-side attacks are becoming the standard vector for attackers. Modern operating systems have quelled the explosion of client-side vulnerabilities using mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR). This work illustrates two novel techniques to...
A Call to ARMs: Understanding the Costs and Benefits of JIT Spraying Mitigations
JIT spraying allows an attacker to subvert a Just-In-Time compiler, introducing instruction sequences useful to the attacker into executable regions of the victim program’s address space as a side effect of compiling seemingly innocuous code in a safe language like JavaScript. We present new JIT spraying attacks against Google’s V8 and Mozilla’s SpiderMonkey JavaScript engines on ARM. The V8 att...
Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization
As the adoption of the Internet grows worldwide, the volumes of valuable data being transmitted and stored in digital format become increasingly attractive targets. Vulnerabilities and weaknesses in web architectures and environments which are tasked with storing and preserving this data have been and continue to be exploited every day. In recent years there has been a trend to directly exploit...
Analysis of interactions among the barriers to JIT production: interpretive structural modelling approach
‘Survival of the fittest’ is the reality in modern global competition. Organizations around the globe are adopting or willing to embrace just-in-time (JIT) production to reinforce their competitiveness. Even though JIT is one of the most powerful inventory management methodologies, it is not free from barriers. Barriers derail the implementation of a JIT production system. One of the most significant tasks...
The First Discrete Choice Experiment On Usage of Bypassing Agents in Hemophilic Patients in Iran
Background: Bleeding events in hemophilic patients with inhibitors are managed by bypassing agents. Currently available agents in Iran are recombinant activated factor VII (rfVIIa; Aryogen, Aryoseven) and Feiba (factor eight inhibitor bypassing agent). No standardized and accurate assay is currently available for monitoring the effectiveness of bypassing agents. We suggested that history of the...