Nytro

Bypassing Defenses in Browser JIT Engines


Michalis Athanasakis (FORTH, Greece) michath@ics.forth.gr
Elias Athanasopoulos (FORTH, Greece) elathan@ics.forth.gr
Michalis Polychronakis (Stony Brook University) mikepo@cs.stonybrook.edu
Georgios Portokalidis (Stevens Institute of Tech.) gportoka@stevens.edu
Sotiris Ioannidis (FORTH, Greece) sotiris@ics.forth.gr

Abstract—Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then take advantage of it.

Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that—no matter the employed defenses—JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all required gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. Finally, we perform an analysis of the most important defense currently employed, namely constant blinding, which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine's performance, introducing up to 80% additional instructions.

Download: http://users.ics.forth.gr/~elathan/papers/ndss15.pdf
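As an added illustration (not code from the paper or from any browser), the toy model below mimics the constant blinding policy the abstract describes: a JIT emitting `mov eax, imm32` (opcode `B8`) rewrites any immediate of three or more bytes as `mov eax, imm^key; xor eax, key` (`xor eax, imm32` is opcode `35`), so the attacker-chosen bytes never land verbatim in the code buffer, at the cost of a second instruction. The blinding key, the sample constants and the byte-scan check are constructed for the demo; lowering the threshold to 1 shows why blinding every constant inflates the instruction count.

```python
"""Toy model of constant blinding in a JIT code buffer (added example)."""
import struct
from typing import Iterable, Optional, Tuple

MOV_EAX_IMM32 = b"\xb8"   # x86: mov eax, imm32  (B8 id)
XOR_EAX_IMM32 = b"\x35"   # x86: xor eax, imm32  (35 id)


def imm_width(value: int) -> int:
    """Bytes needed to hold an unsigned immediate (1..4)."""
    return max(1, (value.bit_length() + 7) // 8)


def emit_mov_eax(value: int, key: Optional[int], threshold: int = 3) -> Tuple[bytes, int]:
    """Return (code bytes, instruction count) for 'mov eax, value'.
    The immediate is blinded only when it is at least `threshold` bytes wide,
    matching the three-byte policy described in the abstract."""
    value &= 0xFFFFFFFF
    if key is None or imm_width(value) < threshold:
        return MOV_EAX_IMM32 + struct.pack("<I", value), 1
    # Blinded form: the buffer holds value^key and key, never value itself.
    code = (MOV_EAX_IMM32 + struct.pack("<I", value ^ key)
            + XOR_EAX_IMM32 + struct.pack("<I", key))
    return code, 2


def constant_exposed(buffer: bytes, value: int) -> bool:
    """Defender's check: do the raw little-endian bytes of `value` appear
    contiguously in the emitted code buffer?"""
    return struct.pack("<I", value & 0xFFFFFFFF) in buffer


def compile_constants(values: Iterable[int], key: Optional[int],
                      threshold: int = 3) -> Tuple[bytes, int]:
    """'JIT' a sequence of 'mov eax, imm' and report (buffer, instruction count)."""
    buf = bytearray()
    count = 0
    for v in values:
        code, n = emit_mov_eax(v, key, threshold)
        buf += code
        count += n
    return bytes(buf), count


if __name__ == "__main__":
    demo_key = 0x5A5A5A5A                      # constructed key; real JITs pick a random one
    consts = [0x41414141, 0x41, 0x4141]        # constructed sample immediates
    for thr in (3, 1):
        buf, n = compile_constants(consts, demo_key, thr)
        print(f"threshold={thr}: {n} instructions, 0x4141 exposed={constant_exposed(buf, 0x4141)}")
```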
