Identifier 000399097
Title Bypassing defenses of Just-in-Time compilers in modern browsers
Alternative Title Παραβίαση αμυνών σε μεταγλωττιστές δυναμικής παραγωγής κώδικα σε περιηγητές διαδικτύου (Greek rendering of the title above)
Author Αθανασάκης, Μιχαήλ Ε.
Thesis advisor Μαρκάτος, Ευάγγελος
Reviewer Σαββίδης, Αντώνιος
Ιωαννίδης, Σωτήριος
Αθανασόπουλος, Ηλίας
Abstract Return-oriented programming (ROP) has become the dominant form of vulnerability exploitation in both user and kernel space. Many defenses against ROP during run-time make it much harder. Attackers have already started exploiting Just-in-Time (JIT) engines, available in all modern browsers, to introduce their (shell)code (either native code or reusable gadgets) during JIT compilation, and then take advantage of it. Recognizing this immediate threat, browser vendors started employing defenses for hardening their JIT engines. In this thesis, we show that, no matter the employed defenses, JIT engines are still exploitable using solely dynamically generated gadgets. We demonstrate that dynamic ROP payload construction is possible in two modern web browsers without using any of the available gadgets contained in the browser binary or linked libraries. First, we exploit an open source JIT engine (Mozilla Firefox) by feeding it malicious JavaScript, which once processed generates all required gadgets for running any shellcode successfully. Second, we exploit a proprietary JIT engine, the one in the 64-bit Microsoft Internet Explorer, which employs many undocumented, specially crafted defenses against JIT exploitation. We manage to bypass all of them and create the required gadgets for running any shellcode successfully. All defensive techniques are documented in this thesis to assist other researchers. Furthermore, besides showing how to construct ROP gadgets on-the-fly, we also show how to discover them on-the-fly, rendering current randomization schemes ineffective. Finally, we perform an analysis of the most important defense currently employed, namely constant blinding, which shields all three-byte or larger immediate values in the JIT buffer for hindering the construction of ROP gadgets.
Our analysis suggests that extending constant blinding to all immediate values (i.e., shielding 1-byte and 2-byte constants) dramatically decreases the JIT engine's performance, introducing up to 80% additional instructions.
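The mechanism behind the abstract's last two sentences, as an added illustration that is not code from the thesis: a toy x86-64 emitter loads an attacker-chosen JavaScript constant as an immediate, the immediate's little-endian bytes form a gadget when control lands one byte into the instruction, and constant blinding removes it by emitting `mov eax, imm ^ key; xor eax, key` instead of the raw value. The opcode encodings are real x86-64; the emitter itself, the policy names, the three-byte blinding threshold applied as "32-bit immediates are blinded, 8-bit ones are not", and the fixed key (a real JIT draws a fresh random key) are assumptions made for the example. The instruction counts show where the overhead of blinding every immediate comes from, without reproducing the thesis's 80% measurement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy JIT emitter (illustration only). Opcodes are genuine x86-64 encodings;
 * the buffer, the blinding policies and the fixed key are assumptions. */
#define BUF_MAX 64

typedef struct {
    uint8_t code[BUF_MAX];
    size_t len;
    size_t ninsn;          /* instructions emitted: measures blinding overhead */
} jitbuf;

static void emit8(jitbuf *b, uint8_t v) { b->code[b->len++] = v; }

static void emit32(jitbuf *b, uint32_t v) {
    for (int i = 0; i < 4; i++)                    /* little-endian, as on x86 */
        emit8(b, (uint8_t)(v >> (8 * i)));
}

/* B8 id: mov eax, imm32 */
static void mov_eax_imm32(jitbuf *b, uint32_t imm) { emit8(b, 0xB8); emit32(b, imm); b->ninsn++; }
/* 35 id: xor eax, imm32 */
static void xor_eax_imm32(jitbuf *b, uint32_t imm) { emit8(b, 0x35); emit32(b, imm); b->ninsn++; }
/* B0 ib: mov al, imm8 */
static void mov_al_imm8(jitbuf *b, uint8_t imm)    { emit8(b, 0xB0); emit8(b, imm);  b->ninsn++; }
/* 34 ib: xor al, imm8 */
static void xor_al_imm8(jitbuf *b, uint8_t imm)    { emit8(b, 0x34); emit8(b, imm);  b->ninsn++; }

/* Assumed policies: no blinding, blind only immediates of 3+ bytes (the
 * deployed scheme described in the abstract), or blind every immediate. */
enum policy { BLIND_NONE, BLIND_3PLUS, BLIND_ALL };

static void load_const32(jitbuf *b, uint32_t imm, enum policy p, uint32_t key) {
    if (p == BLIND_NONE) { mov_eax_imm32(b, imm); return; }
    mov_eax_imm32(b, imm ^ key);   /* attacker-chosen bytes never reach the buffer */
    xor_eax_imm32(b, key);         /* eax == imm again at run time, one extra insn */
}

static void load_const8(jitbuf *b, uint8_t imm, enum policy p, uint32_t key) {
    if (p != BLIND_ALL) { mov_al_imm8(b, imm); return; }   /* 1-byte imm left in the clear */
    mov_al_imm8(b, (uint8_t)(imm ^ (uint8_t)key));
    xor_al_imm8(b, (uint8_t)key);
}

/* Does `pat` occur anywhere in the buffer, at any byte alignment? */
static int contains(const jitbuf *b, const uint8_t *pat, size_t n) {
    for (size_t i = 0; i + n <= b->len; i++)
        if (memcmp(b->code + i, pat, n) == 0) return 1;
    return 0;
}

/* Constructed attacker constant: stored little-endian it is 90 5B 58 C3, i.e.
 * nop ; pop rbx ; pop rax ; ret, a usable gadget when execution starts at +1. */
#define EVIL_IMM32 0xC3585B90u
static const uint8_t GADGET[4] = {0x90, 0x5B, 0x58, 0xC3};
static const uint8_t RET[1] = {0xC3};

/* Returns 1 if the 4-byte gadget survives in the emitted code. */
int gadget_survives(enum policy p, uint32_t key) {
    jitbuf b = {{0}, 0, 0};
    load_const32(&b, EVIL_IMM32, p, key);
    return contains(&b, GADGET, sizeof GADGET);
}

/* Returns 1 if an attacker-chosen single 'ret' byte survives (8-bit immediate). */
int small_byte_survives(enum policy p, uint32_t key) {
    jitbuf b = {{0}, 0, 0};
    load_const8(&b, 0xC3, p, key);
    return contains(&b, RET, sizeof RET);
}

/* Instructions needed to load both constants under a policy. */
size_t insn_count(enum policy p, uint32_t key) {
    jitbuf b = {{0}, 0, 0};
    load_const32(&b, EVIL_IMM32, p, key);
    load_const8(&b, 0xC3, p, key);
    return b.ninsn;
}

int main(void) {
    const uint32_t key = 0xA5A5A5A5u;   /* fixed for reproducibility; a JIT would randomize it */
    const char *names[] = {"none", "3+ bytes", "all"};
    for (int p = BLIND_NONE; p <= BLIND_ALL; p++)
        printf("blind %-9s gadget=%d ret-byte=%d insns=%zu\n", names[p],
               gadget_survives((enum policy)p, key),
               small_byte_survives((enum policy)p, key),
               insn_count((enum policy)p, key));
    return 0;
}
```

Under the deployed policy the 32-bit gadget disappears but the 8-bit `ret` stays, which is the gap the abstract's final analysis examines; blinding it too costs a further `xor` per constant, so the instruction count climbs from two, to three, to four for the same two loads.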
Language English
Subject Browsers
Computer Science
JIT
ROP
Security
Security (Greek subject heading: Ασφάλεια)
Issue date 2016-03-18
Collection   School/Department--School of Sciences and Engineering--Department of Computer Science--Post-graduate theses
  Type of Work--Post-graduate theses