Too LeJIT to Quit: Extending JIT Spraying to ARM
Authors
Abstract
In the face of widespread DEP and ASLR deployment, JIT spraying brings together the best of code injection and code reuse attacks to defeat both defenses. However, to date, JIT spraying has been an x86-only attack thanks to its reliance on variable-length, unaligned instructions. In this paper, we finally extend JIT spraying to a RISC architecture by introducing a novel technique called gadget chaining, whereby high-level code invokes short sequences of unintended and intended instructions called gadgets just like a function call. We demonstrate gadget chaining in an end-to-end JIT spraying attack against WebKit’s JavaScriptCore JS engine on ARM and find that existing JIT spray mitigations that were sufficient against the x86 version of the JIT spraying attack fall short in the face of gadget chaining.
Related resources
A Call to ARMs: Understanding the Costs and Benefits of JIT Spraying Mitigations
JIT spraying allows an attacker to subvert a Just-In-Time compiler, introducing instruction sequences useful to the attacker into executable regions of the victim program’s address space as a side effect of compiling seemingly innocuous code in a safe language like JavaScript. We present new JIT spraying attacks against Google’s V8 and Mozilla’s SpiderMonkey JavaScript engines on ARM. The V8 att...
JIT Spraying and Mitigations
With the discovery of new exploit techniques, novel protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for exploitation. Attackers, however, have recently researched new exploitation methods which are capable of bypassing the operating system’s memory mitigatio...
JITDefender: A Defense against JIT Spraying Attacks
JIT spraying is a new code-reuse technique to attack virtual machines based on JIT (Just-in-time) compilation. It has proven to be capable of circumventing the defenses such as data execution prevention (DEP) and address space layout randomization (ASLR), which are effective for preventing the traditional code injection attacks. In this paper, we describe JITDefender, an enhancement of standard ...
FlashDetect: ActionScript 3 Malware Detection
Adobe Flash is present on nearly every PC, and it is increasingly being targeted by malware authors. Despite this, research into methods for detecting malicious Flash files has been limited. Similarly, there is very little documentation available about the techniques commonly used by Flash malware. Instead, most research has focused on JavaScript malware. This paper discusses common techniques ...