Yet another target to attack
Just-in-time (JIT) is a type of a computer code execution compilation; in particular it is a dynamic translation during a program execution at runtime rather than before execution. This type of computer code execution is used in web browsers. Since memory bugs, such as stack-based buffer overflows, can be exploited by adversaries to execute arbitrary code, JIT compilers have become serious targets of attacks. For instance, they use JIT-Spray, and JIT-based code-reuse attacks in order to facilitate the exploitation of memory-corruption vulnerabilities and defeat existing defenses with a view to attack on client-side programs, such as browsers.
Robert Gawlik and Thorsten Holz in their research paper “SoK: Make JIT-Spray Great Again” study JIT compilers that concern major client-side programs and promote a classification of offensive techniques that abuse JIT compilation. They analyse and distinguish JIT-Spray from JIT-based code-reuse attacks and exhibit defenses appearing over the last decade as hardening mechanisms.
They claim that JIT compilers can be abused to embed malicious code bytes at runtime; if a memory disclosure vulnerability is required to locate addresses, the authors consider it JIT-based code-reuse attack. This classification is based on the difficulty to perform memory disclosures than to control over the instruction pointer only. The authors explore the JIT-Spray offence and showed methods that are used to hide code bytes within constants of high-level languages.
Considering security techniques to encounter exploitation of JIT-related flaws, Control-Flow Integrity (CFI) is presented by the authors as a popular technique that prevents adversaries from redirecting the flow of execution of a program in terms of JIT code and unintended static code such as ROP gadgets. A valuable implementation of CFI is Microsoft’s Control-Flow Guard (MS-CFG) which additionally protects JIT-code regions in Microsoft Edge. Lately, the LLVM-CFI solution is considered in Google Chrome another effective CFI solution. In addition, the authors present a set of other defenses against abusing JIT compilers that have been proposed throughout the years (i.e., constant folding, constant blinding, random nop insertion, JIT allocation randomization, JIT allocation restriction, Remove implicit constants from native code).
JIT-compiler based attacks (i.e. JIT Spray) and corresponding defenses are still gradually evolving becoming both even more sophisticated providing open challenges that trigger new academic research.