As finding reliably exploitable vulnerabilities in web browser engines becomes gradually harder, attackers turn to previously less explored areas of the code. One of these seems especially interesting: just-in-time (JIT) compilers built into the JavaScript engines to maximize their performance by turning JavaScript code into optimized machine code at runtime. With commonly multiple tiers of JIT compilers (speak multiple different compilers) and an excessive focus on performance at the cost of added complexity, they are an attractive target for security researchers. Furthermore, the bugs found in them often turn out to be easily and reliably exploitable. Last but not least, JIT compilers appear to be "future proof" targets as their prevalence (and complexity) will likely continue to grow in the future.
This talk will explore the inner workings of JIT compilers for the JavaScript language with a focus on security relevant aspects. First, the challenges faced by such compilers as well as the common solutions implemented by the most prominent engines will be described. Afterwards, the attack surface of client-side JIT compilers will be explored together with a discussion of the rather unique vulnerabilities frequently found in them. Finally, a specific, but fairly typical JIT compiler vulnerability will be presented, along with the process of its discovery. This vulnerability was used in Pwn2Own 2018 to successfully exploit Safari on macOS. A brief walkthrough of its exploitation, yielding a near 100% reliable exploit that completes within a few milliseconds, will conclude this talk.