Too LeJIT to Quit: Extending JIT Spraying to ARM

Wilson Lian, Hovav Shacham, and Stefan Savage.

In Proceedings of NDSS 2015. Internet Society, Feb. 2015.

Abstract

In the face of widespread DEP and ASLR deployment, JIT spraying brings together the best of code injection and code reuse attacks to defeat both defenses. However, to date, JIT spraying has been an x86-only attack thanks to its reliance on variable-length, unaligned instructions. In this paper, we finally extend JIT spraying to a RISC architecture by introducing a novel technique called gadget chaining, whereby high-level code invokes short sequences of unintended and intended instructions, called gadgets, just like a function call. We demonstrate gadget chaining in an end-to-end JIT spraying attack against WebKit's JavaScriptCore JS engine on ARM and find that existing JIT spray mitigations that were sufficient against the x86 version of the JIT spraying attack fall short in the face of gadget chaining.

Reference

@InProceedings{LSS15,
  author       = {Wilson Lian and Hovav Shacham and Stefan Savage},
  title        = {Too {LeJIT} to Quit: Extending {JIT} Spraying to {ARM}},
  booktitle    = {Proceedings of NDSS 2015},
  year         = 2015,
  editor       = {Engin Kirda},
  month        = feb,
  organization = {Internet Society}
}