ABSTRACT
With the advent of JIT compilers, code-injection attacks have seen a revival in the form of JIT spraying. JIT spraying enables an attacker to inject gadgets into executable memory, effectively sidestepping W⊕X and ASLR.
In response to JIT spraying, constant blinding has emerged as a conceptually straightforward and performance-friendly defense. Unfortunately, increasingly sophisticated attacks have pinpointed the shortcomings of existing constant blinding implementations.
In this paper, we present our constant blinding implementation in the GraalVM compiler, enabling constant blinding across a wide range of languages. Our implementation takes into account the insights from the last decade of research on the security of constant blinding. We discuss the important design decisions and trade-offs, as well as the practical issues encountered while implementing constant blinding for GraalVM. We evaluate the performance impact of our implementation under different configurations and demonstrate its effectiveness by fuzzing for unblinded constants.
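As an added illustration (not code from the paper or from GraalVM), the toy emitter below shows the transformation constant blinding applies to a 64-bit immediate and the check a fuzzer for unblinded constants would run over the emitted bytes. The opcode bytes are standard x86-64 encodings; the emitter, interpreter and sample constants are constructed for this example.

```python
import random
import struct

# Added example (not from the paper or GraalVM): a toy x86-64 emitter that blinds
# 64-bit immediates, plus the check a "fuzz for unblinded constants" pass would run.
# Standard encodings: 48 B8 imm64 = mov rax, imm64; 48 B9 imm64 = mov rcx, imm64; 48 31 C8 = xor rax, rcx.
MOV_RAX, MOV_RCX, XOR_RAX_RCX = b"\x48\xb8", b"\x48\xb9", b"\x48\x31\xc8"
MASK64 = (1 << 64) - 1

def emit_unblinded(imm):
    """Naive JIT: the attacker-chosen constant lands verbatim in executable code."""
    return MOV_RAX + struct.pack("<Q", imm & MASK64)

def emit_blinded(imm, key=None):
    """Blinding: emit imm ^ key and a fresh random key, then undo the XOR at runtime."""
    if key is None:
        key = random.SystemRandom().getrandbits(64)
    blinded = (imm ^ key) & MASK64
    return (MOV_RAX + struct.pack("<Q", blinded)
            + MOV_RCX + struct.pack("<Q", key & MASK64) + XOR_RAX_RCX)

def run(code):
    """Minimal interpreter for the three opcodes above; returns the final rax."""
    regs, pc = {"rax": 0, "rcx": 0}, 0
    while pc < len(code):
        op = code[pc:pc + 2]
        if op in (MOV_RAX, MOV_RCX):
            regs["rax" if op == MOV_RAX else "rcx"] = struct.unpack("<Q", code[pc + 2:pc + 10])[0]
            pc += 10
        elif code[pc:pc + 3] == XOR_RAX_RCX:
            regs["rax"] ^= regs["rcx"]
            pc += 3
        else:
            raise ValueError(f"unknown opcode at offset {pc}")
    return regs["rax"]

def leaks_constant(code, imm):
    """Detection: does the raw constant (all 64 bits or its low 32) appear at any byte offset?"""
    return (struct.pack("<Q", imm & MASK64) in code
            or struct.pack("<I", imm & 0xFFFFFFFF) in code)

def fuzz_blinding(trials=1000, seed=1):
    """Blind seeded-random constants with seeded keys, verify semantics, count leaks (expected 0)."""
    rng, leaks = random.Random(seed), 0
    for _ in range(trials):
        imm = rng.getrandbits(64)
        code = emit_blinded(imm, rng.getrandbits(64))
        assert run(code) == imm  # the blinded sequence must compute the same value
        leaks += leaks_constant(code, imm)
    return leaks
```

The interpreter exists only to confirm that the blinded sequence still evaluates to the original constant; a real implementation must additionally decide which constants and which widths to blind, which is the design space the paper discusses.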