Abstract: Data-only attacks against dynamic scripting environments have become common. Web browsers and other modern applications embed scripting engines to support interactive content. The scripting engines optimize performance via just-in-time compilation. Since applications are increasingly hardened against code-reuse attacks, adversaries are looking to achieve code execution or elevate privileges by corrupting sensitive data like the intermediate representation of optimizing JIT compilers. This has inspired numerous …
“…Finally, data-only attacks are forcing the JIT compiler to generate malicious code by corrupting the JIT intermediate representation [5] or bytecodes [6], bypassing protections over JIT code and forcing the JIT compiler into generating the payload.…”
Section: Data-only (mentioning)
confidence: 99%
“…JITGuard [5] consists of an isolation of the compilation and execution processes of JIT code set up through hardware-based trusted execution environments (namely Intel SGX). NoJITsu [6] locks each critical object in the VM with keys and restricted permissions. Hardware-enforced memory isolation stands out in both cases as the solution that provides the least performance overhead and a way to refine isolation if needed in the future.…”
Language Virtual Machines (VMs) need to be extremely efficient and hence use complex engines such as a JIT compiler to speed up the usual bytecode interpretation loop. Their use for low-level and security-critical tasks makes them targets of choice. Enforcing low-cost fine-grained memory isolation has been an important research focus as a countermeasure to the most advanced JIT attacks. Memory isolation splits the components of an application, with controlled communication between them and verified access to other resources. We present how custom instructions linked to hardware-enforced domain checking could protect JIT code and data. We present incremental solutions and their corresponding custom instructions. The generated machine code and the extended RISC-V Rocket core come at a low cost, both in performance and in intrusiveness.
“…Trusted code is then allowed to access both domains, whereas untrusted code can only access the untrusted domain. Furthermore, researchers have used PKU to harden JavaScript engines [59], reinforce other exploit mitigations [17,19,34,45], and provide software abstractions for isolation and sandboxing [58]. PKU can also be used to implement eXecute-Only Memory (XOM).…”
Memory Protection Keys for Userspace (PKU) is a recent hardware feature that allows programs to assign virtual memory pages to protection domains, and to change domain access permissions using inexpensive, unprivileged instructions. Several in-process memory isolation approaches leverage this feature to prevent untrusted code from accessing sensitive program state and data. Typically, PKU-based isolation schemes need to be used in conjunction with mitigations such as CFI because untrusted code, when compromised, can otherwise bypass the PKU access permissions using unprivileged instructions or operating system APIs.

Recently, researchers proposed fully self-contained PKU-based memory isolation schemes that do not rely on other mitigations. These systems use exploit-proof call gates to transfer control between trusted and untrusted code, as well as a sandbox that prevents tampering with the PKU infrastructure from untrusted code.

In this paper, we show that these solutions are not complete. We first develop two proof-of-concept attacks against a state-of-the-art PKU-based memory isolation scheme. We then present Cerberus, a PKU-based sandboxing framework that can overcome limitations of existing sandboxes. We apply Cerberus to several memory isolation schemes, and show that it is practical, efficient, and secure.