Interpreter exploitation: Pointer inference and jit spraying

[Nytro]

INTERPRETER EXPLOITATION: POINTER INFERENCE AND JIT

SPRAYING

ABSTRACT

As remote exploits have dwindled and perimeter defenses have become the standard, remote client-side attacks

are the next best choice for an attacker. Modern Windows operating systems have quelled the explosion of clientside

vulnerabilities using mitigation techniques such as data execution prevention (DEP) and address space layout

randomization (ASLR). This work will illustrate two novel techniques to bypass DEP and ASLR mitigations. These

techniques leverage the attack surface exposed by the advanced script interpreters or virtual machines commonly

accessible within the browser. The first technique, pointer inference, is used to find the memory address of a string

of shellcode within the ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to write

shellcode to executable memory by leveraging predictable behaviors of the ActionScript JIT compiler bypassing

DEP. Future research directions and countermeasures for interpreter implementers are discussed.

INTRODUCTION

The difficulty in finding and exploiting a remote vulnerability has motivated attackers to devote their resources to

finding and exploiting client side vulnerabilities. This influx of different client side attackers has pushed Microsoft

to implement robust mitigation techniques to make exploiting these vulnerabilities much harder. Sotirov and Dowd

[1] have described in detail each of the mitigation techniques and their default configurations on versions of

Windows through Windows 7 RC. Their work shows some of the techniques available to bypass these protections

and how the design choices made by Microsoft has influenced the details of these bypasses. One thing that stands

out throughout this paper is how ripe a target the browser is for exploitation – the attacker can use multiple plugins,

picking and choosing specific exploitable features, to set-up a reliable exploit scenario.

The classic web browser, bursting at the seams with plug-ins, could not have been designed with more exploitation

potential. It requires a robust parser to parse and attempt to salvage 6 versions of mark-up. With the advent of

“Web 2.0”, a browser must now include a high performance scripting environment with the ability to rewrite those

parsed pages dynamically. The library exposed to the scripting runtime continues to grow. Additionally, most

browsers are now taking advantage of recent JIT and garbage collection techniques to speed up Javascript

execution. All this attack surface and we haven’t begun to discuss the plug-ins commonly installed.

Rich internet applications (RIAs) are not going away and Adobe currently maintains a hold over the market

Download:

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf