libmask: Protecting Browser JIT Engines from the Devil in the Constants

Abhinav Jangda (1), Mohit Mishra (1), Benoit Baudry (2)
(2) DiverSe - Diversity-centric Software Engineering, Inria Rennes – Bretagne Atlantique, IRISA-D4 - LANGAGE ET GÉNIE LOGICIEL
Abstract: JavaScript (JS) engines are virtual machines that execute JavaScript code. These engines are widely used in web browsers such as Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari. Since the purpose of a JS engine is to produce executable code, it cannot run in a non-executable environment, and it is therefore susceptible to attacks such as Just-in-Time (JIT) spraying, which embed return-oriented programming (ROP) gadgets in arithmetic or logical instructions as immediate operands. This paper introduces libmask, a JIT compiler extension that prevents JIT-spraying attacks and serves as an effective alternative to XOR-based constant blinding. libmask transforms constants into global variables and marks the memory area holding these global variables as read-only. Every constant is thus referenced through a memory address rather than embedded as an immediate, which makes exploitation of arithmetic and logical instructions more difficult. These memory addresses are additionally randomized to harden the scheme further. The scheme has been implemented and evaluated as a library extension to the Google V8 scripting engine, with optimizations that contain the performance overhead and make libmask a feasible approach. We demonstrate that libmask masks all the constants in JITed code and effectively raises the bar for JIT-spray and JIT-ROP attacks. The average memory overhead is less than 300 kilobytes, and in most benchmarks the memory overhead is less than 10 KB. The average performance overhead observed with the optimization measures is 5.31%. Moreover, this new approach shows a modest performance improvement over the constant blinding technique currently deployed in Google V8.
Document type:
Conference paper
Annual Conference on Privacy, Security and Trust, Dec 2016, Auckland, New Zealand. 〈http://pst2016.unitec.ac.nz/〉

Cited literature: 21 references

https://hal.inria.fr/hal-01382971
Contributor: Benoit Baudry
Submitted on: Monday 17 October 2016 - 21:52:17
Last modified on: Wednesday 2 August 2017 - 10:08:50

File

PID4513621.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-01382971, version 1

Citation

Abhinav Jangda, Mohit Mishra, Benoit Baudry. libmask: Protecting Browser JIT Engines from the Devil in the Constants. Annual Conference on Privacy, Security and Trust, Dec 2016, Auckland, New Zealand. 〈http://pst2016.unitec.ac.nz/〉. 〈hal-01382971〉

Metrics

Record views: 487

Document downloads: 224