UC San Diego

Just-in-Time compilers offer substantial runtime performance benefits over traditional execution methods like interpretation; and they have enjoyed widespread deployment in the JavaScript engines found in nearly all modern web browsers. Unfortunately, security has taken the back seat to performance in many JIT compilers, despite the often untrusted nature of their inputs and the tremendous privilege that they have been granted to generate machine code on the fly. While the concerns regarding performance are understandable, the threat posed by blind JIT spraying has been underestimated.

In this dissertation, we demonstrate the feasibility of blind JIT spraying on the ARM architecture against three modern JavaScript engines, despite many restrictions imposed by ARM such as coarse-grained instruction boundaries and limited space for encoding immediate operands. We find that useful instruction decoding ambiguity can be leveraged to create a blind JIT spraying payload using either intended ARM or Thumb instructions. Furthermore, we demonstrate that instruction decoding ambiguity is not necessary in the construction of a blind JIT spraying payload. We also introduce a technique for abusing JIT sprayed code called gadget chaining, which enables an attacker to exploit even limited control over JIT code.

To better understand the state of JIT spraying mitigation research and deployment, we survey the literature and examine four open source JavaScript engines several years after the debut of JIT spraying on x86. We find that all four engines cut corners in their implementations—often quite egregiously—in the name of reducing performance overhead.

In order to form a consolidated picture of the costs and benefits of diversification defenses, we implement five diversification defenses, without cutting corners, on the SpiderMonkey JavaScript engine for 32-bit ARM and x86-64 and empirically evaluate their overheads across a consistent set of benchmarks and hardware. We find that all five diversification defenses can be deployed in tandem with reasonable security parameters at a runtime overhead cost of <5%. Our analysis of the diversification defenses indicates that, in combination, they provide effective mitigation of the blind JIT spraying threat for less overhead than other effective options.