libmask: Protecting Browser JIT Engines from the Devil in the Constants

Abstract : JavaScript (JS) engines are virtual machines that execute JavaScript code. These engines find frequent application in web browsers like Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari. Since, the purpose of a JS engine is to produce executable code, it cannot be run in a non-executable environment, and is susceptible to attacks like Just-in-Time (JIT) Spraying, which embed return-oriented programming (ROP) gadgets in arithmetic or logical instructions as immediate offsets. This paper introduces libmask, a JIT compiler extension to prevent the JIT-spraying attacks as an effective alternative to XOR based constant blinding. libmask transforms constants into global variables and marks the memory area for these global variables as read only. Hence, any constant is referred to by a memory address making exploitation of arithmetic and logical instructions more difficult. Further, these memory addresses are randomized to further harden the security. The scheme has been implemented and evaluated as a librddy extension to Google V8 scripting engine with optimizations that contain performance overhead and make libmask a feasible approach. We demonstrate that libmask masks all the constants in JITed code, and effectively raise the bar for JIT-spray and JIT-ROP attacks. The average overhead incurred upon memory is less than 300 kilobytes, while in most benchmarks the memory overhead is less than 10 KB. The average performance overhead observed with optimizations measures is 5.31%. Further, this new approach shows a modest performance improvement over currently deployed constant blinding technique in Google V8.
Complete list of metadatas

Cited literature [21 references]  Display  Hide  Download

https://hal.inria.fr/hal-01382971
Contributor : Benoit Baudry <>
Submitted on : Monday, October 17, 2016 - 9:52:17 PM
Last modification on : Thursday, February 7, 2019 - 4:50:11 PM

File

PID4513621.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01382971, version 1

Citation

Abhinav Jangda, Mohit Mishra, Benoit Baudry. libmask: Protecting Browser JIT Engines from the Devil in the Constants. Annual Conference on Privacy, Security and Trust, Dec 2016, Auckland, New Zealand. ⟨hal-01382971⟩

Share

Metrics

Record views

1147

Files downloads

416