PAPER: JIT spraying and mitigations

ABSTRACT:
With the discovery of new exploit techniques, novel protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for exploitation. Attackers, however, have recently researched new exploitation methods which are capable of bypassing the operating system’s memory mitigations. One of the newest and most popular exploitation techniques to bypass both of the aforementioned security protections is JIT memory spraying, introduced by Dion Blazakis. In this article we will present a short overview of the JIT spraying technique and also novel mitigation methods against this innovative class of attacks. An anti-JIT spraying library was created as part of our shellcode execution prevention system.


PS. You can catch me on Twitter (http://twitter.com/PiotrBania) -- however I'm mostly tweeting only about midget car racing.
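As an added example (not the paper's anti-JIT spraying library and not code from the author), the detection idea discussed in the comments below can be sketched in Python: scan an executable region for long uninterrupted chains of `xor eax, imm32` (x86 opcode 0x35), the instruction pattern a JIT spray leaves behind in the emitted code. The threshold and the sample buffers are assumptions constructed for this example.

```python
import struct

# x86 opcode 0x35 = `xor eax, imm32`: one opcode byte followed by a 4-byte
# immediate. JIT spraying chains many of these so the attacker-controlled
# immediates become the executable payload when entered one byte off.
XOR_EAX_IMM32 = 0x35
INSN_LEN = 5


def longest_xor_run(buf: bytes) -> int:
    """Longest chain of back-to-back `xor eax, imm32` instructions in buf.

    Every byte offset is tried as a chain start, not just aligned ones, since
    the immediates are attacker data and may themselves contain 0x35.
    A trailing opcode without its full immediate does not count.
    """
    best = 0
    for start in range(len(buf)):
        run, pos = 0, start
        while pos + INSN_LEN <= len(buf) and buf[pos] == XOR_EAX_IMM32:
            run += 1
            pos += INSN_LEN
        best = max(best, run)
    return best


def is_jit_spray_candidate(buf: bytes, threshold: int = 8) -> bool:
    """Flag a region whose longest xor chain reaches the threshold.

    `threshold` is an assumed value for this example; the heuristic relies on
    legitimate JIT output not emitting long uninterrupted xor-immediate chains,
    which is what keeps its false-positive rate low.
    """
    return longest_xor_run(buf) >= threshold


def build_spray_sample(count: int, imm: int = 0x90909090) -> bytes:
    """Constructed test input: `count` chained `xor eax, imm32` instructions
    with a NOP-only immediate (no real payload), as a JIT spray would leave."""
    return b"".join(
        bytes([XOR_EAX_IMM32]) + struct.pack("<I", imm) for _ in range(count))


if __name__ == "__main__":
    benign = bytes(range(256))  # constructed: contains no xor chain longer than 1
    sprayed = build_spray_sample(50)
    print(longest_xor_run(benign), is_jit_spray_candidate(benign))    # 1 False
    print(longest_xor_run(sprayed), is_jit_spray_candidate(sprayed))  # 50 True
```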

3 comments:

Gynvael Coldwind said...

Hey,

Thanks for the paper, it's an interesting read.
At first I was surprised that the detection method proposed by doesn't give any false positives, but then again, it makes sense after you rethink it :)

So, I guess the reply from the exploit community will be to scramble the JIT generated code a little more. E.g. you've pointed out that XOR is probably the most usable here, and they may start using some different instructions.
That will be interesting :)

Take care!

Piotr Bania said...

>Thanks for the paper, it's an interesting read.

No problem, I'm glad you liked it, although I think the paper with mitigations for ROP is far better :-)

>At first I was surprised that the detection method proposed by doesn't
>give any false positives, but then again, it makes sense after you
>rethink it :)

Yeah, especially if you consider why a valid AS script should be using a block of XORs :-)

>So, I guess the reply from the exploit community will be to scramble
>the JIT generated code a little more. E.g. you've pointed out that XOR
>is probably the most usable here, and they may start using some
>different instructions.

Well, it depends, I guess. My anti-techniques are directed mostly to cover Dion's research. I think it's Adobe's duty to implement other (better) mitigations at the source level - Microsoft has already protected the JITer in IE9. However, it doesn't mean I don't have any other techniques up my sleeve :-]

cheers

Gynvael Coldwind said...

--quote--
No problem, I'm glad you liked it, although I think the paper with mitigations for ROP is far better :-)
--end of quote--
Ah, right, it's on my to-read list :)
ROP is one of my favorite techniques, so I'll read it for sure :)
--quote--
Well, it depends, I guess. My anti-techniques are directed mostly to cover Dion's research. I think it's Adobe's duty to implement other (better) mitigations at the source level - Microsoft has already protected the JITer in IE9. However, it doesn't mean I don't have any other techniques up my sleeve :-]
--end of quote--
Yeah, this will get really interesting in the near future, since, like you say, every party has something up their sleeve :)