Attacking Clientside JIT Compilers

Presented at Black Hat USA 2011, Aug. 3, 2011, 11:15 a.m. (75 minutes).

Just-In-Time (JIT) compilers help power most modern web browsers and are prevalent in interpreted virtual machines such as the JVM and .NET runtimes. JITs postpone deriving machine code from an intermediate format until execution time and can substantially increase performance of interpreted code. Since JITs are optimized for execution speed and generate machine code in memory by design, they raise a number of security issues. Our research surveys competing JIT designs to evaluate their comparative maturity and deep dives on the Mozilla Javascript and LLVM JITs. We wrote grammar fuzzers for ECMAScript/Javascript and LLVM IR to expose security vulnerabilities, focusing on memory corruption and information leaks. We evaluate how JIT engines may be used to bypass memory protections such as DEP and ASLR.

In addition to our destructive fuzzers we created a reusable toolchain, jitter, to help assist in our research. Our jitter tools are built on the dynamic debugging library Ragweed to track, disassemble and analyze JIT page allocations in real time. These tools are useful to both the developers of JIT engines and vulnerability researchers in generically analyzing JIT behavior. The security community has just begun to explore these complex components. We feel our ideas, tools and results will be applicable to other JIT compilers and help advance the state of security research of the modern web browsers and language runtimes that use them.


Presenters:

Links:

Similar Presentations: