RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity

Managed languages such as JavaScript are popular. For performance, modern implementations of managed languages adopt Just-In-Time (JIT) compilation. The danger to a JIT compiler is that an attacker can often control the input program and use it to trigger a vulnerability in the JIT compiler to launch code injection or JIT spraying attacks. In this paper, we propose a general approach called RockJIT to securing JIT compilers through Control-Flow Integrity (CFI). RockJIT builds a fine-grained control-flow graph from the source code of the JIT compiler and dynamically updates the control-flow policy when new code is generated on the fly. Through evaluation on Google's V8 JavaScript engine, we demonstrate that RockJIT can enforce strong security on a JIT compiler, while incurring only modest performance overhead (14.6% on V8) and requiring a small amount of changes to V8's code. Key contributions of RockJIT are a general architecture for securing JIT compilers and a method for generating fine-grained control-flow graphs from C++ code.

[1]  Edward Fredkin,et al.  Trie memory , 1960, Commun. ACM.

[2]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[3]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[4]  V. Rich Personal communication , 1989, Nature.

[5]  Rui Wu,et al.  RIM: A Method to Defend from JIT Spraying Attack , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[6]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[7]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[8]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[9]  Philip Wadler,et al.  Views: a way for pattern matching to cohabit with data abstraction , 1987, POPL '87.

[10]  Rui Wu,et al.  JITSafe: a framework against Just-in-time spraying attacks , 2013, IET Inf. Secur..

[11]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[12]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[13]  L. Peter Deutsch,et al.  Efficient implementation of the smalltalk-80 system , 1984, POPL.

[14]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.

[15]  Lei Duan,et al.  INSeRT: Protect Dynamic Code Generation against spraying , 2011, International Conference on Information Science and Technology.

[16]  Daniel Gooch,et al.  Communications of the ACM , 2011, XRDS.

[17]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[18]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[19]  Per Larsen,et al.  Librando: transparent code randomization for just-in-time compilers , 2013, CCS.

[20]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[21]  Yi Fang,et al.  JITDefender: A Defense against JIT Spraying Attacks , 2011, SEC.

[22]  Ahmad-Reza Sadeghi,et al.  MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones , 2012, NDSS.

[23]  Úlfar Erlingsson,et al.  Language-independent sandboxing of just-in-time compilation and self-modifying code , 2011, PLDI '11.

[24]  David Grove,et al.  Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis , 1995, ECOOP.

[25]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[26]  Craig Chambers,et al.  Optimizing Dynamically-Typed Object-Oriented Languages With Polymorphic Inline Caches , 1991, ECOOP.

[27]  Thorsten Holz,et al.  Control-flow restrictor: compiler-based CFI for iOS , 2013, ACSAC.

[28]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[29]  Bennet S. Yee,et al.  Adapting Software Fault Isolation to Contemporary CPU Architectures , 2010, USENIX Security Symposium.

[30]  Ben Niu,et al.  Monitor integrity protection with space efficiency and separate compilation , 2013, CCS.

[31]  Craig Chambers,et al.  Debugging optimized code with dynamic deoptimization , 1992, PLDI '92.

[32]  Stefan Katzenbeisser,et al.  Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security , 2016, CCS.

[33]  Dionysus Blazakis Interpreter Exploitation , 2010, WOOT.

[34]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[35]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[36]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.