The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines

Michalis Athanasakis, Elias Athanasopoulos, Michalis Polychronakis, Georgios Portokalidis, Sotiris Ioannidis

Research output: Contribution to conference, Paper, peer-review

33 Scopus citations

Abstract

Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exploits exist, which can significantly raise the bar against attackers. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or re-usable gadgets) during JIT compilation, and then take advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that, no matter the employed defenses, JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all required gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. Finally, we perform an analysis of the most important defense currently employed, namely constant blinding, which shields all three-byte or larger immediate values in the JIT buffer to hinder the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine's performance, introducing up to 80% additional instructions.

Original language: English
DOIs
State: Published - 2015
Event: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015 - San Diego, United States
Duration: 8 Feb 2015 to 11 Feb 2015

Conference

Conference: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015
Country/Territory: United States
City: San Diego
Period: 8/02/15 to 11/02/15
