DOI: 10.1145/3133956.3134037
Research article (CCS '17 conference proceedings)

JITGuard: Hardening Just-in-time Compilers with SGX

Published: 30 October 2017

ABSTRACT

Memory-corruption vulnerabilities pose a serious threat to modern computer security. Attackers exploit these vulnerabilities to manipulate the code and data of vulnerable applications and induce malicious behavior by means of code-injection and code-reuse attacks. Researchers have also demonstrated the power of data-only attacks in the past by disclosing secret data such as cryptographic keys. A large body of literature has investigated defenses against code-injection, code-reuse, and data-only attacks. Unfortunately, most of these defenses are tailored towards statically generated code, and their adaptation to dynamic code comes at the price of security or performance penalties. However, many common applications, like browsers and document viewers, embed just-in-time (JIT) compilers to generate dynamic code. The contribution of this paper is twofold: first, we propose a generic data-only attack against JIT compilers, dubbed DOJITA. In contrast to previous data-only attacks, which aimed at disclosing secret data, DOJITA enables arbitrary code execution. Second, we propose JITGuard, a novel defense that mitigates code-injection, code-reuse, and data-only attacks against just-in-time compilers (including DOJITA). JITGuard utilizes Intel's Software Guard Extensions (SGX) to provide a secure environment for emitting the dynamic code to a secret region that is known only to the JIT compiler and hence inaccessible to the attacker. Our proposal is the first solution that leverages SGX to protect the security-critical JIT compiler operations, and it tackles a number of difficult challenges. As a proof of concept, we implemented JITGuard for Firefox's JIT compiler SpiderMonkey. Our evaluation shows a reasonable overhead of 9.8% on common benchmarks.

Supplemental Material

tommasofrassetto-jitguard.mp4


Published in

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956

Copyright © 2017 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '17 Paper Acceptance Rate: 151 of 836 submissions, 18%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
