Thinking Outside the JIT Compiler: Understanding and Bypassing StructureID Randomization with Generic and Old-School Methods

Presented at Black Hat Europe 2019, Dec. 5, 2019, 4:35 p.m. (25 minutes)

In the last two years, many JIT compiler bugs have been found in the major browsers. For Safari, the most common way of exploiting a JIT bug in the JavaScriptCore engine is to construct the addrOf/fakeObj primitives[1]. With those primitives, arbitrary read/write can be gained easily.

Specifically, an attacker needs a valid Structure ID to fake a JSCell during exploitation. So the well-known technique of spraying Structures to predict their IDs was introduced in 2016[2]. Early this year, WebKit introduced the StructureID Randomization mitigation[3], and it has recently been enabled in the latest official *OS releases (i.e. iOS 12.4). So predicting the Structure ID by spraying no longer works.

In this talk, we will detail our new and generic methods to bypass the StructureID Randomization mitigation, which allow an attacker to construct the addrOf/fakeObj primitives and gain arbitrary read/write smoothly. Unlike the bug-specific, JIT-compiler-related way of bypassing this mitigation[4], our generic and old-school methods have not been thoroughly presented in any previous talk. We believe our talk will inspire the design of more effective mitigations.

  • Yong Wang - Security Engineer, Alibaba Security, Alibaba Group
    Yong Wang (@ThomasKing2014) is a Security Engineer at Alibaba Security. He is currently focused on Android/Browser vulnerability hunting and exploitation. He was a speaker at several security conferences including Black Hat Asia 2018, HITB Amsterdam 2018, Zer0Con 2019, QPSS 2019, etc. Over the years, he has reported several vulnerabilities, which were credited in multiple advisories.
