Ares：a robust protection system for just-in-time engines

doi:10.7523/jssn.2095-6134.2014.02.018

Abstract

Abstract:

JIT(just-in-time) compilation technique improves the efficiency of code execution. In almost all web browsers as well as Java, Perl, Python, Ruby and Flash, JIT is implemented into their already complex code base. However, for high effectiveness, JIT engines allocate memory with RWX (readable, writable, and executable) permissions to predictable offsets, which goes against DEP (data execution prevention) and ASLR (address space layout randomization). We first analyze two existed JIT defense tools and show the defects of them. Based on our analysis, we design and implement an approach named Ares to protect JIT engines from normal JIT-based attack without modifying JIT engines' source code. Experiments show that our approach guarantees the safety of JIT compilation and the overhead is acceptable.

Key words: JIT (just-in-time) compilation engine, ASLR, DEP, defense tools

CLC Number:

TP393

ZHU Ruoyu, ZHANG Yuqing, YAN Jingbo. Ares：a robust protection system for just-in-time engines[J]. , 2014, 31(2): 267-275.

References

[1] Blazakis D. Interpreter exploitation[C]//WOOT'10: The USENIX Workshop on Offensive Technologies. Washington, 2010.

[2] US-CERT/NIST. Mozilla firefox and seamonkey 'nsDOMAttribute' use-after-free memory corruption vulnerability[DB/OL].(2010-12-10)[2013-01-15].http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3766.

[3] Crispin C, Calton P, Dave M, et al. StackGuard: automatic adaptive detection and prevention of buffer-overow attack[C]//USENIX'98: USENIX Security Symposium. San Antonio, 1998.

[4] Bhatkar E, Duvarney D, Sekar R. Address obfuscation: an efficient approach to combat a broad range of memory error exploits[C]//USENIX'03: USENIX Security Symposium. Washington, 2003: 105-120.

[5] Groef W, Nikiforakis N, Younan Y, et al. Jitsec: Just-in-time security for code injection attack[C]//WiSec'10: Benelux Workshop on Information and System Security. New Jersey, 2010: 1-15.

[6] Chen P, Fang Y, Mao B, et al. JITDefender: a defense JIT spraying attack[J]. IFIP Advances in Information and Communication Technology, 2011, 354: 142-153.

[7] Microsoft. The enhanced mitigation experience toolkit[DB/OL].(2011-06-12)[2013-01-15].http://support.microsoft.com/kb/2458544.

[8] Wiki. Just-in-time compilation[EB/OL].(2012-02-11)[2012-12-30].http://en.wikipedia.org/wiki/Just-in-time_compilation.

[9] CWE. Compiler optimization removal or modification of security-critical code[DB/OL].(2008-10-01)[2012-12-25]. http://cwe.mitre.org/data/definitions/733.html.

[10] Novark G, Berger D.E. DieHarder: securing the heap[C]//CCS'10: The ACM conference on Computer and communications security. New York, 2010: 573-584.

[11] Emery D, Berger D.E, Benjamin G. DieHard: probabilistic memory safety for unsafe languages[C]//PLDI'06: ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation. Ottawa, Canada, 2006: 158-168.

[12] Dhurjati D, Adve V. Eciently detecting all dangling pointer uses in production servers[C]//DSN'06: The International Conference on Dependable Systems and Networks. Philadelphia, PA, USA, 2006: 269-280.

[13] Akritidis P. Cling: A memory allocator to mitigate dangling pointers[C]//USENIX Security'10: The 19th USENIX conference on Security. Berkeley, CA, USA, 2010.

[14] Rjati D, Kowshik S, Adve V, et al. Memory safety without runtime checks or garbage collection[C]//LCTES'03: The ACM SIGPLAN Conference on Language, Compiler and Tool for Embedded Systems. San Diego, CA, USA, 2003: 69-80.

[15] Rohlf C, Yan I. Attacking clientside JIT compilers[C]//Black Hat Technical Security Conference. USA, 2011.

[16] Berger E D, Zorn B G. DieHard: probabilistic memory safety for unsafe languages[C]//PLDI '06: Programming Language Design and Implementation. Ottawa, CA, 2006: 158-168.

[17] Dhurjati D, Kowshik S, Adve V, et al. Memory safety without runtime checks or garbage collection[C]//LCTES '03: The ACM SIGPLAN Conference on Language, Compiler, and Tool for Embedded Systems. San Diego, CA, USA, 2003: 69-80.

[18] Designer S. "return-to-libc"attack. Bugtraq mailing list, 1997.

[19] Sintsov A. Oracle document capture (EasyMail Objects EMSMTP.DLL 6.0.1) activeX control BOF-JIT-spray exploit[DB/OL]. (2010-05-03)[2013-01-10]. http://dsecrg.com/pages/expl/show.php?id=28.

[20] Sintsov A. JIT spraying attack on safari[DB/OL].(2010-05-15)[2013-01-05]. http://www.exploit-db.com/exploits/12614/.