Identifier 000413473
Title Implementation and performance evaluation of security defenses in ChakraCore, a state of the art JavaScript engine
Alternative Title (Greek, translated) Implementation and performance measurement of security mechanisms in ChakraCore, a modern JavaScript engine
Author Πλέλης, Κωνσταντίνος Α.
Thesis advisor Μαρκάτος, Ευάγγελος
Reviewers Ιωαννίδης, Σωτήριος; Σαββίδης, Αντώνιος
Abstract Software such as web browsers, document viewers and word processors extends its functionality by running scripts in a virtualized environment. For example, all web browsers support executing JavaScript code. Initially this execution was performed by an interpreter. However, interpreted script execution performs poorly compared to running native code, so most sophisticated engines support Just-in-Time (JIT) compilation of bytecode to native instructions. JIT compilation introduces new code into the running process, which, unless correctly hardened, can pose additional security risks. Hardening JIT code is much more complicated than hardening binaries or source code. While binaries and source code are analyzed off-line, where complex algorithms can be used, JIT code can only be analyzed at runtime. This matters because JIT compilation exists primarily for faster execution, so such complex algorithms can reduce the performance gain significantly. In this thesis, we apply a set of proposed hardening solutions to a state of the art JavaScript engine, ChakraCore, and we evaluate all defenses in terms of performance. We apply different solutions in various combinations, and we demonstrate how certain defenses can significantly reduce the performance gain of the JIT engine. Among the defenses we evaluate is Control Flow Guard, a novel Control Flow Integrity mitigation by Microsoft, available exclusively on Windows 8.1 and Windows 10. Mainly, we focus on extending the existing constant blinding mechanism, as well as introducing blinding of implicit constants, such as those produced in code generated from conditional blocks. The goal of the mitigations that are implemented and analyzed is to prevent Return Oriented Programming (ROP) attacks, either by stopping the initialization of the exploit or by raising the bar for the attacker to generate the necessary ROP gadgets.
Language English
Subject Attack; Browsers; Defense; ROP; Web
Subject (Greek, translated) Defense; Security; Internet; Attack; Browsing
Issue date 2017-07-21
Collection School/Department--School of Sciences and Engineering--Department of Computer Science--Post-graduate theses
Type of Work Post-graduate theses