libmask: Protecting Browser JIT Engines from the Devil in the Constants - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, Year: 2016

libmask: Protecting Browser JIT Engines from the Devil in the Constants

Abstract

JavaScript (JS) engines are virtual machines that execute JavaScript code. They are found in every major web browser, including Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari. Because the purpose of a JS engine is to produce executable code at run time, its code cache cannot live in non-executable memory, which exposes it to attacks such as Just-in-Time (JIT) spraying: the attacker embeds return-oriented programming (ROP) gadgets in the immediate operands of arithmetic or logical instructions and then jumps into the middle of the JITed code. This paper introduces libmask, a JIT compiler extension that prevents JIT-spraying attacks and is an effective alternative to XOR-based constant blinding. libmask transforms constants into global variables and marks the memory area holding these variables read-only. Every constant is therefore referenced by a memory address rather than encoded in the instruction stream, which makes it harder to exploit arithmetic and logical instructions; the addresses are also randomized to harden the scheme further. The scheme has been implemented and evaluated as an extension to the Google V8 scripting engine, with optimizations that contain the performance overhead and make libmask a feasible approach. We demonstrate that libmask masks all constants in JITed code and effectively raises the bar for JIT-spray and JIT-ROP attacks. The average memory overhead is less than 300 kilobytes, and in most benchmarks it is less than 10 KB. The average performance overhead with optimizations is 5.31%. Further, this new approach shows a modest performance improvement over the constant blinding technique currently deployed in Google V8.
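To make the three code-generation strategies the abstract contrasts concrete, here is an added C illustration that is not part of the paper or of V8. It models a hypothetical flat address space with a JIT code cache and a read-only constant pool, emits the x86-64 encodings of a plain immediate move (`B8 imm32`), an XOR-blinded move (`mov eax, imm^key; xor eax, key`) and a libmask-style RIP-relative load (`8B 05 disp32`) for the same script-controlled constant, and then scans the emitted bytes for an attacker's NOP sled at any offset. The constant 0x3C909090, the blinding key and the pool slot offset are constructed values chosen for the demo; in libmask the pool addresses are randomized, which the fixed offset here stands in for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flat address space for the demo: the JIT code cache at the
 * bottom, a libmask-style read-only constant pool near the top. */
#define MEM_SIZE  0x3000
#define CODE_BASE 0x0000
#define POOL_BASE 0x2000
static uint8_t mem[MEM_SIZE];

/* Constructed attacker bytes: the NOP sled a JIT-spray payload starts with. */
const uint8_t NOP_SLED[3] = { 0x90, 0x90, 0x90 };

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unprotected codegen: "mov eax, imm32" (B8 imm32). The script-chosen
 * constant is copied verbatim into executable memory, so jumping to
 * code_off + 1 executes the attacker's bytes as instructions. */
size_t emit_mov_imm32(size_t code_off, uint32_t imm) {
    uint8_t *c = mem + CODE_BASE + code_off;
    c[0] = 0xB8;
    put_le32(c + 1, imm);
    return 5;
}

/* XOR constant blinding (the mitigation V8 deploys): "mov eax, imm^key"
 * followed by "xor eax, key" (35 imm32). Only imm^key and key reach memory;
 * the attacker has to know the key to control the encoded bytes. */
size_t emit_mov_blinded(size_t code_off, uint32_t imm, uint32_t key) {
    uint8_t *c = mem + CODE_BASE + code_off;
    c[0] = 0xB8;  put_le32(c + 1, imm ^ key);
    c[5] = 0x35;  put_le32(c + 6, key);
    return 10;
}

/* libmask-style codegen: write the constant into the read-only pool and emit
 * "mov eax, dword ptr [rip+disp32]" (8B 05 disp32). The code carries only a
 * compiler-chosen displacement; the constant never appears as an immediate. */
size_t emit_mov_masked(size_t code_off, uint32_t imm, size_t pool_off) {
    uint8_t *c = mem + CODE_BASE + code_off;
    put_le32(mem + POOL_BASE + pool_off, imm);
    /* RIP-relative addressing is relative to the next instruction (6 bytes on). */
    int32_t disp = (int32_t)(POOL_BASE + pool_off) - (int32_t)(CODE_BASE + code_off + 6);
    c[0] = 0x8B; c[1] = 0x05;
    put_le32(c + 2, (uint32_t)disp);
    return 6;
}

/* Minimal decoder for the three shapes above; returns the value left in eax
 * so we can confirm all three compute the same constant. */
uint32_t run_one(size_t code_off) {
    const uint8_t *p = mem + CODE_BASE + code_off;
    if (p[0] == 0xB8) {
        uint32_t eax = get_le32(p + 1);
        if (p[5] == 0x35) eax ^= get_le32(p + 6);   /* optional unblinding xor */
        return eax;
    }
    if (p[0] == 0x8B && p[1] == 0x05) {
        int32_t disp = (int32_t)get_le32(p + 2);
        ptrdiff_t rip = (ptrdiff_t)(CODE_BASE + code_off + 6); /* next insn */
        return get_le32(mem + (rip + disp));
    }
    return 0;
}

/* What a JIT-spray attacker needs: their byte sequence present at ANY offset
 * of the emitted code, since the CPU does not care about instruction boundaries. */
int code_contains(size_t code_off, size_t len, const uint8_t *pat, size_t plen) {
    const uint8_t *c = mem + CODE_BASE + code_off;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(c + i, pat, plen) == 0) return 1;
    return 0;
}

int main(void) {
    /* Constructed constant: 0x3C909090 is nop; nop; nop; cmp al, imm8 when
     * executed from the byte after the B8 opcode. */
    const uint32_t evil = 0x3C909090u;
    size_t n;
    n = emit_mov_imm32(0x000, evil);
    printf("imm32  : sled in code=%d eax=%08x\n", code_contains(0x000, n, NOP_SLED, 3), run_one(0x000));
    n = emit_mov_blinded(0x100, evil, 0xA5A5A5A5u);
    printf("blinded: sled in code=%d eax=%08x\n", code_contains(0x100, n, NOP_SLED, 3), run_one(0x100));
    n = emit_mov_masked(0x200, evil, 0x40);
    printf("masked : sled in code=%d eax=%08x\n", code_contains(0x200, n, NOP_SLED, 3), run_one(0x200));
    return 0;
}
```

All three variants leave 0x3C909090 in eax, but only the plain immediate form copies the attacker's sled into the code cache. Blinding keeps the key itself in executable memory and relies on its secrecy; the masked form keeps nothing script-derived in code at all, which is why the pool must be read-only (so it cannot be turned into a writable staging area) and why randomizing its addresses matters (so the displacements the attacker can observe do not let them predict the layout).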
Main file: PID4513621.pdf (357.56 KB)
Origin: files produced by the author(s)

Dates and versions

hal-01382971 , version 1 (17-10-2016)

Identifiers

  • HAL Id : hal-01382971 , version 1

Cite

Abhinav Jangda, Mohit Mishra, Benoit Baudry. libmask: Protecting Browser JIT Engines from the Devil in the Constants. Annual Conference on Privacy, Security and Trust, Dec 2016, Auckland, New Zealand. ⟨hal-01382971⟩
451 views
894 downloads
