The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines
Download: Paper (PDF)
Date: 7 Feb 2015
Document Type: Briefing Papers
Additional Documents: Slides
Associated Event: NDSS Symposium 2015
Abstract:
Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP exist, which can significantly raise the bar against the attacker. Although protecting existing code, such as applications and the kernel, might be possible, taking countermeasures against dynamic code, i.e., code that is generated only at run-time, is much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, for introducing their (shell)code (either native code or re-usable gadgets) during JIT compilation and then take advantage of it. Recognizing the immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this paper, we show that – no matter the employed defenses – JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP pay- load construction is possible in two modern web browsers without utilizing any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed produces all required gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this paper to assist other researchers. Furthermore, we do not only show how to construct the ROP gadgets on-the-fly, but also how to discover them on-the-fly, rendering current randomization schemes ineffective. Last but not least, we perform an analysis of the most important defense currently employed, namely constant blinding, which shields all three-byte or larger immediate values in the JIT buffer for prohibiting the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramati- cally decreases the JIT engine’s performance, introducing an overhead of up to %80.M