http://iet.metastore.ingenta.com
1887

JITSafe: a framework against Just-in-time spraying attacks

JITSafe: a framework against Just-in-time spraying attacks

For access to this article, please select a purchase option:

Buy article PDF
£12.50
(plus tax if applicable)
Buy Knowledge Pack
10 articles for £75.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend to library

You must fill out fields marked with: *

Librarian details
Name:*
Email:*
Your details
Name:*
Email:*
Department:*
Why are you recommending this title?
Select reason:
 
 
 
 
 
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

A new code-reuse attack, named Just-in-time (JIT) spraying attack, leverages the predictable generated JIT compiled code to launch an attack. It can circumvent the defenses such as data execution prevention and address space layout randomisation built-in in the modern operation system, which were thought the insurmountable barrier so that the attackers cannot construct the traditional code injection attacks. In this study, the authors describe JITSafe, a framework that can be applied to existing JIT-based virtual machines (VMs), in the purpose of preventing the attacker from reusing the JIT compiled code to construct the attack. The authors framework narrows the time window of the JIT compiled code in the executable pages, eliminates the immediate value and obfuscates the JIT compiled code. They demonstrate the effectiveness of JITSafe that it can successfully prevent existing JIT spraying attacks with low performance overhead.

References

    1. 1)
      • 1. Data Execution Prevention (DEP) in Windows XP Service Pack 2, Microsoft Corporation, 2006. Available at: http://www.support.microsoft.com/kb/875352.
        .
    2. 2)
      • 2. The Pax project, Pax Team, 2004. Available at: http://www.pax.grsecurity.net/.
        .
    3. 3)
      • S. Designer . (1997)
        3. Designer, S.: ‘Getting around non-executable stack (and fix),’ 1997. Available at: http://www.seclists.org/bugtraq/1997/Aug0063.html.
        .
    4. 4)
      • H. Shacham .
        4. Shacham, H.: ‘The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)’. Proc. 14th ACM Conf. Computer and Communications Security (CCS), New York, NY, USA, ACM, 2007, pp. 552561.
        . Proc. 14th ACM Conf. Computer and Communications Security (CCS) , 552 - 561
    5. 5)
      • 5. Address Space Layout Randomization in Windows Vista, Microsoft Corporation, 2006. Available at: http://www.blogs.msdn.com/b/michaelhoward/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx.
        .
    6. 6)
      • E. Bhatkar , D.C. Duvarney , R. Sekar .
        6. Bhatkar, E., Duvarney, D.C., Sekar, R.: ‘Address obfuscation: an efficient approach to combat a broad range of memory error exploits’. Proc. 12th USENIX Security Symp., 2003, pp. 105120.
        . Proc. 12th USENIX Security Symp , 105 - 120
    7. 7)
      • D. Blazakis .
        7. Blazakis, D.: ‘Interpreter exploitation’. Proc. Fourth USENIX Conf. Offensive Technologies (WOOT), Berkeley, CA, USA, USENIX Association, 2010, pp. 19.
        . Proc. Fourth USENIX Conf. Offensive Technologies (WOOT) , 1 - 9
    8. 8)
      • A. Sintsov . (2010)
        8. Sintsov, A.: ‘Writing jit-spray shellcode for fun and profit,’ Digital Security Research Group, Tech. Rep., 2010. Available at: http://www.dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf.
        .
    9. 9)
      • (2010)
        9. Sintsov: ‘Jit-sprary attacks & advanced shellcode,’ Digital Security Research Group, Technical Report, 2010. Available at: http://www.dsecrg.com/files/pub/pdf/HITB%20-%20JIT-Spray%20Attacks%20and%20Advanced%20Shellcode.pdf.
        .
    10. 10)
      • M. Liebowitz . (2011)
        10. Liebowitz, M.: ‘it spraying’: Hackers find new ways to hi-jack applications,’ 2011. Available at: http://www.securitynewsdaily.com/921-jit-spraying-hackers-find-new-ways-to-hijack-documents.html.
        .
    11. 11)
      • (2010)
        11. Wikipedia: ‘Heap spraying,’ 2010. Available at: http://www.en.wikipedia.org/wiki/Heap_spraying.
        .
    12. 12)
      • R. Roemer , E. Buchanan , H. Shacham , S. Savage .
        12. Roemer, R., Buchanan, E., Shacham, H., Savage, S.: ‘Return-oriented programming: Systems, languages, and applications’, ACM Trans. Inf. Syst. Secur. (TISSEC), 2012, 15, (1), pp. 134. Available at: http://www.cseweb.ucsd.edu/~hovav/papers/rbss12.html (doi: 10.1145/2133375.2133377).
        . ACM Trans. Inf. Syst. Secur. (TISSEC) , 1 , 1 - 34
    13. 13)
      • P. Chen , H. Xiao , X. Shen , X. Yin , B. Mao , L. Xie .
        13. Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., Xie, L.: ‘Drop: detecting return-oriented programming malicious code’. Proc. Fifth Int. Conf. on Information Systems Security (ICISS), Berlin, Heidelberg, Springer-Verlag, 2009, pp. 163177.
        . Proc. Fifth Int. Conf. on Information Systems Security (ICISS) , 163 - 177
    14. 14)
      • 14. The WebKit Open Source Project, Webkit, 2010. Available at: http://www.webkit.org/.
        .
    15. 15)
      • 15. V8 JavaScript Engine, Google Inc., 2010. Available at: http://www.code.google.com/apis/v8/intro.html.
        .
    16. 16)
      • 16. Google Chrome 0.2.149.27 ‘SaveAs’ Function Buffer Overflow Vulnerability, Security Vulnerability Research Team, 2008. Available at: http://www.seclists.org/bugtraq/2008/Sep/70.
        .
    17. 17)
      • 17. SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit, Digital Security Research Group, 2010. Available at: http://www.dsecrg.com/files/exploits/SAP-Logon7-System.zip.
        .
    18. 18)
      • 18. Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF – JIT-Spray Exploit, Digital Security Research Group, 2010. Available at: http://www.dsecrg.com/files/exploits/QuikSoft-reverse.zip.
        .
    19. 19)
      • A. Sintsov . (2010)
        19. Sintsov, A.: ‘Jit spraying attack on safari,’ 2010. Available at: http://www.exploit-db.com/exploits/12614/.
        .
    20. 20)
      • P. Chen , X. Xing , B. Mao , L. Xie , X. Shen , X. Yin .
        20. Chen, P., Xing, X., Mao, B., Xie, L., Shen, X., Yin, X.: ‘Automatic construction of jump – oriented programming shellcode (on the x86)’. Proc. Sixth ACM Symp. on Information, Computer and Communications Security (ASIACCS), New York, NY, USA, ACM, 2011, pp. 2029.
        . Proc. Sixth ACM Symp. on Information, Computer and Communications Security (ASIACCS) , 20 - 29
    21. 21)
      • C. Cowan , C. Pu , D. Maier .
        21. Cowan, C., Pu, C., Maier, D., et al: ‘Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks’. Proc. Seventh Conf. on USENIX Security Symp. (USENIX), Berkeley, CA, USA, USENIX Association, 1998, pp. 6378.
        . Proc. Seventh Conf. on USENIX Security Symp. (USENIX) , 63 - 78
    22. 22)
      • J. Etoh .
        22. Etoh, J.: ‘Gcc extension for protecting applications from stack-smashing attacks,’ June 2000. Available at: http://www.trl.ibm.com/projects/security/ssp/.
        .
    23. 23)
      • L.-A. Wu , D. Lidar .
        23. Wu, L.-A., Lidar, D.: ‘Quantum malware’, Quantum Inf. Process., 2006, 5, (2), pp. 6981 (doi: 10.1007/s11128-006-0014-5).
        . Quantum Inf. Process. , 2 , 69 - 81
    24. 24)
      • A. Sotirov . (2007)
        24. Sotirov, A.: ‘Heap feng shui in javascript,’ 2007. Available at: https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf.
        .
    25. 25)
      • Y. Ding , T. Wei , T. Wang , Z. Liang , W. Zou .
        25. Ding, Y., Wei, T., Wang, T., Liang, Z., Zou, W.: ‘Heap taichi: exploiting memory allocation granularity in heap-spraying attacks’. Proc. 26th Annual Computer Security Applications Conf. (ACSAC), New York, NY, USA, ACM, 2010, pp. 327336.
        . Proc. 26th Annual Computer Security Applications Conf. (ACSAC) , 327 - 336
    26. 26)
      • M. Egele , P. Wurzinger , C. Kruegel , E. Kirda .
        26. Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: ‘Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks’. Proc. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2009, pp. 88106.
        . Proc. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) , 88 - 106
    27. 27)
      • 27. Libemu: ‘X86 shellcode detection and emulation,’ 2010. Available at: http://www.libemu.mwcollect.org/.
        .
    28. 28)
      • P. Ratanaworabhan , B. Livshits , B. Zorn .
        28. Ratanaworabhan, P., Livshits, B., Zorn, B.: ‘Nozzle: a defense against heap-spraying code injection attacks’. Proc. 18th Conf. on USENIX Security Symp. (SSYM), Berkeley, CA, USA, USENIX Association, 2009, pp. 169186.
        . Proc. 18th Conf. on USENIX Security Symp. (SSYM) , 169 - 186
    29. 29)
      • P. Bania .
        29. Bania, P.: ‘Jit spraying and mitigations,’ CoRRComputing Research Repository (CoRR) abs/1009.1038, 2010. Available at: http://www.piotrbania.com/all/articles/pbania-jit-mitigations2010.pdf.
        .
    30. 30)
      • W. Tao , W. Tielei , D. Lei , L. Jing .
        30. Tao, W., Tielei, W., Lei, D., Jing, L.: ‘Secure dynamic code generation against spraying’. Proc. 17th ACM Conf. on Computer and Communications Security (CCS) poster, New York, NY, USA, ACM, 2010, pp. 738740.
        . Proc. 17th ACM Conf. on Computer and Communications Security (CCS) poster , 738 - 740
    31. 31)
      • F. Gadaleta , Y. Younan , W. Joosen . (2010)
        31. Gadaleta, F., Younan, Y., Joosen, W.: ‘Bubble: a javascript engine level countermeasure against heap-spraying attacks’, in Massacci, F., Wallach, D., Zannone, N. (Ed.): ‘Engineering Secure Software and Systems’ (Springer-Berlin, Heidelberg, 2010), vol. 5965, pp. 117.
        .
    32. 32)
      • W. De Groef , N. Nikiforakis , Y. Younan , F. Piessens .
        32. De Groef, W., Nikiforakis, N., Younan, Y., Piessens, F.: ‘Jitsec: just-in-time security for code injection attacks’. Benelux Workshop on Information and System Security (WISSEC 2010), November 2010. Available at: https://www.lirias.kuleuven.be/handle/123456789/286573.
        . Benelux Workshop on Information and System Security (WISSEC 2010)
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2012.0142
Loading

Related content

content/journals/10.1049/iet-ifs.2012.0142
pub_keyword,iet_inspecKeyword,pub_concept
6
6
Loading
This is a required field
Please enter a valid email address