ABSTRACT
Memory-corruption vulnerabilities pose a serious threat to modern computer security. Attackers exploit these vulnerabilities to manipulate the code and data of vulnerable applications and generate malicious behavior by means of code-injection and code-reuse attacks. Researchers have already demonstrated the power of data-only attacks by disclosing secret data such as cryptographic keys. A large body of literature has investigated defenses against code-injection, code-reuse, and data-only attacks. Unfortunately, most of these defenses are tailored towards statically generated code, and their adaptation to dynamic code comes at the price of security or performance penalties. However, many common applications, like browsers and document viewers, embed just-in-time (JIT) compilers to generate dynamic code. The contribution of this paper is twofold: first, we propose a generic data-only attack against JIT compilers, dubbed DOJITA. In contrast to previous data-only attacks that aimed at disclosing secret data, DOJITA enables arbitrary code execution. Second, we propose JITGuard, a novel defense to mitigate code-injection, code-reuse, and data-only attacks against just-in-time compilers (including DOJITA). JITGuard utilizes Intel's Software Guard Extensions (SGX) to provide a secure environment for emitting the dynamic code to a secret region, which is known only to the JIT compiler and hence inaccessible to the attacker. Our proposal is the first solution leveraging SGX to protect the security-critical JIT compiler operations, and it tackles a number of difficult challenges. As a proof of concept we implemented JITGuard for Firefox's JIT compiler SpiderMonkey. Our evaluation shows a reasonable overhead of 9.8% for common benchmarks.
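The abstract's central point is that a JIT compiler turns attacker-influenced data into native code, so an attacker who can only write data (no code pointer corruption, no W^X bypass) still controls what gets emitted. The following toy, added here as an illustration and not code from the paper or from SpiderMonkey, lowers a two-node intermediate representation (IR) to x86-64 bytes and then corrupts one IR field the way a data-only write primitive would. The IR layout, the `jit_emit` function and the `0x90909090` constant are all hypothetical; the paper's actual DOJITA attack against SpiderMonkey's IR is not reproduced here. The point to take from it is that W^X, CFI and code randomization all leave the emitted bytes under the attacker's control once the compiler's input data is corrupted, which is what motivates moving the emission step and its output into a region the attacker cannot reach.

```c
/* Toy JIT and data-only IR corruption: added example, hypothetical IR and
 * emitter, not the paper's or SpiderMonkey's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ir_op { IR_CONST = 1, IR_RET = 2 };

/* One IR node: an operation and an immediate operand.  In a real JIT this
 * lives on the (writable, attacker-reachable) heap next to other objects. */
struct ir_node { enum ir_op op; uint32_t imm; };

/* Lower IR to x86-64 machine code.
 *   IR_CONST imm  ->  B8 imm32      (mov eax, imm32)
 *   IR_RET        ->  C3            (ret)
 * Returns the number of bytes written, 0 on error or overflow. */
size_t jit_emit(const struct ir_node *ir, size_t n, uint8_t *out, size_t cap) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        switch (ir[i].op) {
        case IR_CONST:
            if (len + 5 > cap) return 0;
            out[len++] = 0xB8;
            memcpy(out + len, &ir[i].imm, 4);   /* little-endian imm32 */
            len += 4;
            break;
        case IR_RET:
            if (len + 1 > cap) return 0;
            out[len++] = 0xC3;
            break;
        default:
            return 0;                            /* unknown op: refuse */
        }
    }
    return len;
}

/* Simulated data-only attack: the attacker's write primitive overwrites the
 * immediate stored in an IR node before the compiler lowers it.  No code
 * pointer is touched, and the JIT itself performs the (legitimate) code
 * write, so W^X and control-flow checks do not fire. */
void corrupt_ir_imm(struct ir_node *ir, size_t idx, uint32_t attacker_imm) {
    ir[idx].imm = attacker_imm;
}

/* Byte `idx` of the code emitted for { CONST imm; RET }, or 0xFF if out of
 * range.  Exposed so the effect of the corruption can be checked directly. */
uint8_t emitted_byte(uint32_t imm, size_t idx) {
    struct ir_node ir[2] = { { IR_CONST, imm }, { IR_RET, 0 } };
    uint8_t buf[16];
    size_t len = jit_emit(ir, 2, buf, sizeof buf);
    return idx < len ? buf[idx] : 0xFF;
}

/* Returns 1 if a data-only write to the IR changed the emitted code. */
int demo_ir_corruption_changes_code(void) {
    struct ir_node ir[2] = { { IR_CONST, 42 }, { IR_RET, 0 } };
    uint8_t benign[16], corrupted[16];
    size_t a = jit_emit(ir, 2, benign, sizeof benign);
    /* 0x90909090: four NOP bytes smuggled in as a "constant" (constructed
     * value; the classic constant-blinding problem in JIT spraying). */
    corrupt_ir_imm(ir, 0, 0x90909090u);
    size_t b = jit_emit(ir, 2, corrupted, sizeof corrupted);
    return a == 6 && b == 6 && memcmp(benign, corrupted, 6) != 0;
}

int main(void) {
    printf("IR corruption changed emitted code: %s\n",
           demo_ir_corruption_changes_code() ? "yes" : "no");
    for (size_t i = 0; i < 6; i++)
        printf("%02X ", emitted_byte(0x90909090u, i));
    printf("\n");
    return 0;
}
```

The emitted bytes differ only because the compiler's input data differed; the emitter, its code pages and the call path into it are all unchanged. A defense such as JITGuard therefore cannot rely on protecting the write into the code region alone: the IR and the emitter must run where the attacker cannot corrupt them, and the output must land somewhere the attacker cannot locate.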
JITGuard: Hardening Just-in-time Compilers with SGX