Abstract

Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many run-time defenses against ROP make such exploitation much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or reusable gadgets) during JIT compilation, and then take advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this thesis, we show that, no matter the employed defenses, JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open-source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which, once processed, generates all required gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this thesis to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. Finally, we perform an analysis of the most important defense currently employed, namely constant blinding, which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets. Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine's performance, introducing up to 80% additional instructions.
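The constant-blinding transformation analysed above, modelled as an added toy JIT pass in Python (not the thesis's or any browser's code). It assumes a made-up instruction encoding and register numbering, a fixed blinding key for reproducibility, and a constructed three-instruction sample; the width threshold parameter shows why a 3-byte policy leaves 1-byte and 2-byte constants exposed and what lowering it costs in instruction count.

```python
from dataclasses import dataclass

REGS = {"eax": 0, "ecx": 1, "edx": 2}   # toy register numbering (assumption)


@dataclass
class Insn:
    op: str     # "mov" or "xor", register/immediate forms only
    reg: str    # destination register
    imm: int    # immediate operand, 0 <= imm < 2**32
    width: int  # bytes the encoder spends on the immediate

    def encode(self) -> bytes:
        # Toy encoding, not real x86: opcode, register byte, little-endian immediate.
        opcode = {"mov": 0xB8, "xor": 0x35}[self.op]
        return bytes([opcode, REGS[self.reg]]) + self.imm.to_bytes(self.width, "little")


def imm_width(imm: int) -> int:
    """Smallest number of bytes an encoder would pick for the immediate."""
    return max(1, (imm.bit_length() + 7) // 8)


def blind(insns, min_width, key):
    """Rewrite `mov reg, imm` (immediate of >= min_width bytes) into
    `mov reg, imm ^ key; xor reg, key`: same result, attacker bytes never emitted.
    min_width=3 models the deployed policy; min_width=1 blinds every constant."""
    out = []
    for i in insns:
        if i.op == "mov" and imm_width(i.imm) >= min_width:
            out += [Insn("mov", i.reg, i.imm ^ key, 4), Insn("xor", i.reg, key, 4)]
        else:
            out.append(i)
    return out


def run(insns):
    """Tiny interpreter: confirms the blinded stream computes the same values."""
    regs = {r: 0 for r in REGS}
    for i in insns:
        regs[i.reg] = i.imm if i.op == "mov" else regs[i.reg] ^ i.imm
    return regs


def leaks(insns, imm, width):
    """True if the raw bytes of imm still appear in the emitted JIT buffer."""
    return imm.to_bytes(width, "little") in b"".join(i.encode() for i in insns)


# Constructed sample: a 4-byte constant whose bytes an attacker could choose, plus
# a 1-byte and a 2-byte constant that the 3-byte policy leaves untouched.
SAMPLE = [Insn("mov", "eax", 0x3C909090, 4), Insn("mov", "ecx", 0x41, 1),
          Insn("mov", "edx", 0x1234, 2)]
KEY = 0xA5A5A5A5   # a real JIT draws a fresh random key per constant
```

Comparing `len(blind(SAMPLE, 3, KEY))` with `len(blind(SAMPLE, 1, KEY))` gives the instruction-count overhead of the two policies on this sample.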