HOME

TheInfoList



Click Here for Items Related To - JIT Spraying
OR:
JIT Spraying on:   [Wikipedia]   [Google]   [Amazon]

JIT spraying is a class of
computer security exploit An exploit (from the English verb ''to exploit'', meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanti ...
that circumvents the protection of address space layout randomization (ASLR) and
data execution prevention In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit (no-execute bit ...
(DEP) by exploiting the behavior of just-in-time compilation. It has been used to exploit the
PDF Portable Document Format (PDF), standardized as ISO 32000, is a file format developed by Adobe in 1992 to present documents, including text formatting and images, in a manner independent of application software, hardware, and operating systems. ...
format and
Adobe Flash Adobe Flash (formerly Macromedia Flash and FutureSplash) is a multimedia Computing platform, software platform used for production of Flash animation, animations, rich web applications, application software, desktop applications, mobile apps, mo ...
. A
just-in-time compiler In computing, just-in-time (JIT) compilation (also dynamic translation or run-time compilations) is a way of executing computer code that involves compilation during execution of a program (at run time) rather than before execution. This may cons ...
(JIT) by definition produces code as its data. Since the purpose is to produce executable data, a JIT compiler is one of the few types of programs that can not be run in a no-executable-data environment. Because of this, JIT compilers are normally exempt from data execution prevention. A JIT spray attack does
heap spraying In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that ''sprays the heap'' a ...
with the generated code. To produce exploit code from JIT, an idea from Dion Blazakis; is used. The input program, usually
JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...
or
ActionScript ActionScript is an object-oriented programming language originally developed by Macromedia Inc. (later acquired by Adobe). It is influenced by HyperTalk, the scripting language for HyperCard. It is now an implementation of ECMAScript (meaning i ...
, typically contains numerous constant values that can be erroneously executed as code. For example, the
XOR Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , ...
operation could be used:Writing JIT-Spray Shellcode for fun and profit
Alexey Sintsov, var a = (0x11223344^0x44332211^0x44332211^ ...); JIT then will transform bytecode to native x86 code like: 0: b8 44 33 22 11 5: 35 11 22 33 44 a: 35 11 22 33 44 The attacker then uses a suitable bug to redirect code execution into the newly generated code. For example, a buffer overflow or
use after free Dangling pointers and wild pointers in computer programming are pointers that do not point to a valid object of the appropriate type. These are special cases of memory safety violations. More generally, dangling references and wild references are ...
bug could allow the attack to modify a function pointer or return address. This causes the CPU to execute instructions in a way that was unintended by the JIT authors. The attacker is usually not even limited to the expected instruction boundaries; it is possible to jump into the middle of an intended instruction to have the CPU interpret it as something else. As with non-JIT ROP attacks, this may be enough operations to usefully take control of the computer. Continuing the above example, jumping to the second byte of the "mov" instruction results in an "inc" instruction: 1: 44 2: 33 22 4: 11 35 11 22 33 44 a: 35 11 22 33 44 Computer hardware that allows jumping into the middle of an instruction includes
x86 x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introd ...
,
x86-64 x86-64 (also known as x64, x86_64, AMD64, and Intel 64) is a 64-bit version of the x86 instruction set, first released in 1999. It introduced two new modes of operation, 64-bit mode and compatibility mode, along with a new 4-level paging mod ...
, and ARM. Although especially effective on this type of hardware, JIT spraying works on other systems as well. To protect against JIT spraying, the JIT code can be disabled or made less predictable for the attacker.


References

Computer security exploits {{computer-security-stub