Dachshund: Digging for and Securing Against (Non-)Blinded Constants in JIT Code
Authors
Abstract
Modern browsers such as Chrome and Edge deploy constant blinding to remove attacker-controlled constants from the JIT-compiled code. Without such a defense, attackers can encode arbitrary shellcode in constants that get compiled to executable code. In this paper, we review the security and completeness of current constant blinding implementations. We develop DACHSHUND, a fuzzing-driven framework to find user-specified constants in JIT-compiled code. DACHSHUND reveals several cases in which JIT compilers of modern browsers fail to blind constants, ranging from constants passed as function parameters to blinded constants that second-stage code optimizers revert to a non-protected form. To tackle this problem, we then propose a JavaScript rewriting mechanism that removes all constants from JavaScript code. We prototype this cross-browser methodology as part of a Web proxy and show that it can successfully remove all constants from JavaScript code.
Similar references
The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines
Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at r...
What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses
Despite numerous attempts to mitigate code-reuse attacks, Return-Oriented Programming (ROP) is still at the core of exploiting memory corruption vulnerabilities. Most notably, in JIT-ROP, an attacker dynamically searches for suitable gadgets in executable code pages, even if they have been randomized. JIT-ROP seemingly requires that (i) code is readable (to find gadgets at run time) and (ii) ex...
Too LeJIT to Quit: Extending JIT Spraying to ARM
In the face of widespread DEP and ASLR deployment, JIT spraying brings together the best of code injection and code reuse attacks to defeat both defenses. However, to date, JIT spraying has been an x86-only attack thanks to its reliance on variable-length, unaligned instructions. In this paper, we finally extend JIT spraying to a RISC architecture by introducing a novel technique called gadget ...
JITDefender: A Defense against JIT Spraying Attacks
JIT spraying is a new code-reuse technique to attack virtual machines based on JIT (Just-in-time) compilation. It has proven to be capable of circumventing defenses such as data execution prevention (DEP) and address space layout randomization (ASLR), which are effective for preventing traditional code injection attacks. In this paper, we describe JITDefender, an enhancement of standard ...
JIT Circuit Simulation with LLVM
The project aimed to create a circuit simulator that produces JIT compiled native code through LLVM’s APIs. A JIT based simulation approach provides native simulation speed, while still allowing native code to be recompiled to provide circuit debugging features unavailable in statically compiled simulators. The result of the project is a simulator that performs competitively against existing si...