On the Weakness of Constant Blinding PRNG in Flash Player

Constant blinding is considered an effective mitigation against JIT spray attacks. In this paper, we study the design and implementation of constant blinding mechanism in Flash Player and analyse the weakness in its pseudo random number generator (PRNG). We demonstrate how such weakness can be exploited to recover the seed value in PRNG, thus bypass the constant blinding in Flash Player.

[1]  Lucas Davi,et al.  ROPdefender: a detection tool to defend against return-oriented programming attacks , 2011, ASIACCS '11.

[2]  Lei Duan,et al.  INSeRT: Protect Dynamic Code Generation against spraying , 2011, International Conference on Information Science and Technology.

[3]  Rui Wu,et al.  RIM: A Method to Defend from JIT Spraying Attack , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[4]  Chao Zhang,et al.  Exploiting and Protecting Dynamic Code Generation , 2015, NDSS.

[5]  Leyla Bilge,et al.  G-Free: defeating return-oriented programming through gadget-less binaries , 2010, ACSAC '10.

[6]  Marco Ramilli,et al.  Return-Oriented Programming , 2012, IEEE Security & Privacy.

[7]  Ben Niu,et al.  RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity , 2014, CCS.

[8]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[9]  Dionysus Blazakis Interpreter Exploitation , 2010, WOOT.

[10]  Rui Wu,et al.  JITSafe: a framework against Just-in-time spraying attacks , 2013, IET Inf. Secur..

[11]  Dong Hoon Lee,et al.  Predictability of Android OpenSSL's pseudo random number generator , 2013, CCS.

[12]  Gang-Ryung Uh,et al.  Analyzing Dynamic Binary Instrumentation Overhead , 2007 .

[13]  Michael Backes,et al.  What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses , 2016, USENIX Security Symposium.

[14]  Sotiris Ioannidis,et al.  The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines , 2015, NDSS.

[15]  Michael Backes,et al.  Dachshund: Digging for and Securing (Non-)Blinded Constants in JIT Code , 2017, NDSS.

[16]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[17]  Thorsten Holz,et al.  Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding , 2016, NDSS.

[18]  Xuxian Jiang,et al.  On the Expressiveness of Return-into-libc Attacks , 2011, RAID.

[19]  Eric Bodden,et al.  ROPocop - Dynamic Mitigation of Code-Reuse Attacks , 2016, J. Inf. Secur. Appl..

[20]  David Kaplan,et al.  Attacking the Linux PRNG On Android: Weaknesses in Seeding of Entropic Pools and Low Boot-Time Entropy , 2014, WOOT.