JITGuard: Hardening Just-in-time Compilers with SGX

Memory-corruption vulnerabilities pose a serious threat to modern computer security. Attackers exploit these vulnerabilities to manipulate code and data of vulnerable applications to generate malicious behavior by means of code-injection and code-reuse attacks. Researchers already demonstrated the power of data-only attacks by disclosing secret data such as cryptographic keys in the past. A large body of literature has investigated defenses against code-injection, code-reuse, and data-only attacks. Unfortunately, most of these defenses are tailored towards statically generated code and their adaption to dynamic code comes with the price of security or performance penalties. However, many common applications, like browsers and document viewers, embed just-in-time compilers to generate dynamic code. The contribution of this paper is twofold: first, we propose a generic data-only attack against JIT compilers, dubbed DOJITA. In contrast to previous data-only attacks that aimed at disclosing secret data, DOJITA enables arbitrary code-execution. Second, we propose JITGuard, a novel defense to mitigate code-injection, code-reuse, and data-only attacks against just-in-time compilers (including DOJITA). JITGuard utilizes Intel's Software Guard Extensions (SGX) to provide a secure environment for emitting the dynamic code to a secret region, which is only known to the JIT compiler, and hence, inaccessible to the attacker. Our proposal is the first solution leveraging SGX to protect the security critical JIT compiler operations, and tackles a number of difficult challenges. As proof of concept we implemented JITGuard for Firefox's JIT compiler SpiderMonkey. Our evaluation shows reasonable overhead of 9.8% for common benchmarks.

[1]  Michalis Polychronakis,et al.  No-Execute-After-Read: Preventing Code Disclosure in Commodity Software , 2016, AsiaCCS.

[2]  Sotiris Ioannidis,et al.  The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines , 2015, NDSS.

[3]  Herbert Bos,et al.  Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard , 2014, USENIX Security Symposium.

[4]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[5]  Per Larsen,et al.  SoK: Automated Software Diversity , 2014, 2014 IEEE Symposium on Security and Privacy.

[6]  Per Larsen,et al.  It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks , 2015, CCS.

[7]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[8]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[9]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[10]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[11]  Chao Zhang,et al.  Exploiting and Protecting Dynamic Code Generation , 2015, NDSS.

[12]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[13]  Salvatore J. Stolfo,et al.  Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads , 2015, CCS.

[14]  Michalis Polychronakis,et al.  Return to the Zombie Gadgets: Undermining Destructive Code Reads via Code Inference Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[15]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[16]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[17]  Úlfar Erlingsson,et al.  Language-independent sandboxing of just-in-time compilation and self-modifying code , 2011, PLDI '11.

[18]  Rui Wu,et al.  JITSafe: a framework against Just-in-time spraying attacks , 2013, IET Inf. Secur..

[19]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.

[20]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[21]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[22]  Per Larsen,et al.  Librando: transparent code randomization for just-in-time compilers , 2013, CCS.

[23]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[24]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[25]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.

[26]  Per Larsen,et al.  Leakage-Resilient Layout Randomization for Mobile Devices , 2016, NDSS.

[27]  Peng Ning,et al.  HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities , 2015, CODASPY.

[28]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.

[29]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[30]  Michael Backes,et al.  What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses , 2016, USENIX Security Symposium.

[31]  Roger Faulkner,et al.  The Process File System and Process Model in UNIX System V , 1991, USENIX Winter.

[32]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[33]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[34]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[35]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[36]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[37]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[38]  Thorsten Holz,et al.  Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding , 2016, NDSS.

[39]  Ben Niu,et al.  RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity , 2014, CCS.

[40]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[41]  Yi Fang,et al.  JITDefender: A Defense against JIT Spraying Attacks , 2011, SEC.

[42]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.