JiuJITsu: Removing Gadgets with Safe Register Allocation for JIT Code Generation
-
Published:2023-12-15
Issue:1
Volume:21
Page:1-26
-
ISSN:1544-3566
-
Container-title:ACM Transactions on Architecture and Code Optimization
-
language:en
-
Short-container-title:ACM Trans. Archit. Code Optim.
Author:
Jiang Zhang1ORCID,
Chen Ying1ORCID,
Gong Xiaoli1ORCID,
Zhang Jin1ORCID,
Wang Wenwen2ORCID,
Yew Pen-Chung3ORCID
Affiliation:
1. Nankai University, China
2. University of Georgia, USA
3. University of Minnesota, USA
Abstract
Code-reuse attacks have the capability to craft malicious instructions from small code fragments, commonly referred to as “gadgets.” These gadgets are generated by JIT (Just-In-Time) engines as integral components of native instructions, with the flexibility to be embedded in various fields, including
Displacement
. In this article, we introduce a novel approach for potential gadget insertion, achieved through the manipulation of
ModR/M
and
SIB
bytes via JavaScript code. This manipulation influences a JIT engine’s register allocation and code generation algorithms. These newly generated gadgets do not rely on constants and thus evade existing constant blinding schemes. Furthermore, they can be combined with 1-byte constants, a combination that proves to be challenging to defend against using conventional constant blinding techniques. To showcase the feasibility of our approach, we provide proof-of-concept (POC) code for three distinct types of gadgets. Our research underscores the potential for attackers to exploit
ModR/M
and
SIB
bytes within JIT-generated native instructions. In response, we propose a practical defense mechanism to mitigate such attacks. We introduce
JiuJITsu
, a security-enhanced register allocation scheme designed to prevent harmful register assignments during the JIT code generation phase, thereby thwarting the generation of these malicious gadgets. We conduct a comprehensive analysis of
JiuJITsu
’s effectiveness in defending against code-reuse attacks. Our findings demonstrate that it incurs a runtime overhead of under 1% when evaluated using JetStream2 benchmarks and real-world websites.
Funder
Natural Science Foundation of China
Key Research and Development Program of Guangdong, China
Shandong Provincial Natural Science Foundation, China
Publisher
Association for Computing Machinery (ACM)
Subject
Hardware and Architecture,Information Systems,Software
Reference64 articles.
1. E. C. Fieller. 1954. Some problems in interval estimation. Journal of the Royal Statistical Society. Series B 811 (Methodological) 16 2 (1954) 175–185. http://www.jstor.org/stable/2984043
2. Fermin J. Serna. 2013. Flash JIT-Spraying for Info Leak Gadgets . Retrieved from https://dl.packetstormsecurity.net/papers/general/Flash_Jit_InfoLeak_Gadgets.pdf
3. Chromium Bugs Issue 1031142. 2019. Security: Site Isolation Bypass and Browser Code execution with heap-use-after-free. Retrieved from https://bugs.chromium.org/p/chromium/issues/detail?id=1031142
4. Chromium Bugs Issue 1055393. 2020. UAF in chrome chrome!content::BrowserAccessibilityManager::GetFromAXNode. Retrieved from https://bugs.chromium.org/p/chromium/issues/detail?id=1055393
5. Chromium Bugs Issue 1062091. 2020. Security: UAF in Installed AppProviderImpl. Retrieved from https://bugs.chromium.org/p/chromium/issues/detail?id=1062091