Your browser does not support JavaScript!
http://iet.metastore.ingenta.com
1887

access icon free JITSafe: a framework against Just-in-time spraying attacks

  • Author(s): Ping Chen 1, 2 ; Rui Wu 1, 2 ; Bing Mao 1, 2
    • View affiliations
    • Affiliations: 1: State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, Jiangsu, People's Republic of China;
      2: Department of Computer Science and Technology, Nanjing University, Nanjing, People's Republic of China
  • Source: Volume 7, Issue 4, December 2013, p. 283 – 292
    DOI:  10.1049/iet-ifs.2012.0142 , Print ISSN 1751-8709, Online ISSN 1751-8717
© The Institution of Engineering and Technology
Received 22/04/2012, Accepted 29/01/2013, Revised 26/01/2013, Published

A new code-reuse attack, named Just-in-time (JIT) spraying attack, leverages the predictable generated JIT compiled code to launch an attack. It can circumvent the defenses such as data execution prevention and address space layout randomisation built-in in the modern operation system, which were thought the insurmountable barrier so that the attackers cannot construct the traditional code injection attacks. In this study, the authors describe JITSafe, a framework that can be applied to existing JIT-based virtual machines (VMs), in the purpose of preventing the attacker from reusing the JIT compiled code to construct the attack. The authors framework narrows the time window of the JIT compiled code in the executable pages, eliminates the immediate value and obfuscates the JIT compiled code. They demonstrate the effectiveness of JITSafe that it can successfully prevent existing JIT spraying attacks with low performance overhead.

Inspec keywords: operating systems (computers); invasive software

Other keywords: address space layout randomisation; code-reuse attack; JIT compiled code time window; operation system; performance overhead; code injection attacks; JITSafe; just-in-time spraying attacks; JIT-based VMs; data execution prevention

Subjects: Data security; Operating systems

References

    1. 1)
      • 24. Sotirov, A.: ‘Heap feng shui in javascript,’ 2007. Available at: https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf.
    2. 2)
      • 17. SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit, Digital Security Research Group, 2010. Available at: http://www.dsecrg.com/files/exploits/SAP-Logon7-System.zip.
    3. 3)
      • 13. Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., Xie, L.: ‘Drop: detecting return-oriented programming malicious code’. Proc. Fifth Int. Conf. on Information Systems Security (ICISS), Berlin, Heidelberg, Springer-Verlag, 2009, pp. 163177.
    4. 4)
      • 5. Address Space Layout Randomization in Windows Vista, Microsoft Corporation, 2006. Available at: http://www.blogs.msdn.com/b/michaelhoward/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx.
    5. 5)
      • 6. Bhatkar, E., Duvarney, D.C., Sekar, R.: ‘Address obfuscation: an efficient approach to combat a broad range of memory error exploits’. Proc. 12th USENIX Security Symp., 2003, pp. 105120.
    6. 6)
      • 21. Cowan, C., Pu, C., Maier, D., et al: ‘Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks’. Proc. Seventh Conf. on USENIX Security Symp. (USENIX), Berkeley, CA, USA, USENIX Association, 1998, pp. 6378.
    7. 7)
      • 1. Data Execution Prevention (DEP) in Windows XP Service Pack 2, Microsoft Corporation, 2006. Available at: http://www.support.microsoft.com/kb/875352.
    8. 8)
      • 19. Sintsov, A.: ‘Jit spraying attack on safari,’ 2010. Available at: http://www.exploit-db.com/exploits/12614/.
    9. 9)
      • 29. Bania, P.: ‘Jit spraying and mitigations,’ CoRRComputing Research Repository (CoRR) abs/1009.1038, 2010. Available at: http://www.piotrbania.com/all/articles/pbania-jit-mitigations2010.pdf.
    10. 10)
      • 28. Ratanaworabhan, P., Livshits, B., Zorn, B.: ‘Nozzle: a defense against heap-spraying code injection attacks’. Proc. 18th Conf. on USENIX Security Symp. (SSYM), Berkeley, CA, USA, USENIX Association, 2009, pp. 169186.
    11. 11)
      • 27. Libemu: ‘X86 shellcode detection and emulation,’ 2010. Available at: http://www.libemu.mwcollect.org/.
    12. 12)
      • 26. Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: ‘Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks’. Proc. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2009, pp. 88106.
    13. 13)
      • 2. The Pax project, Pax Team, 2004. Available at: http://www.pax.grsecurity.net/.
    14. 14)
      • 31. Gadaleta, F., Younan, Y., Joosen, W.: ‘Bubble: a javascript engine level countermeasure against heap-spraying attacks’, in Massacci, F., Wallach, D., Zannone, N. (Ed.): ‘Engineering Secure Software and Systems’ (Springer-Berlin, Heidelberg, 2010), vol. 5965, pp. 117.
    15. 15)
      • 15. V8 JavaScript Engine, Google Inc., 2010. Available at: http://www.code.google.com/apis/v8/intro.html.
    16. 16)
      • 14. The WebKit Open Source Project, Webkit, 2010. Available at: http://www.webkit.org/.
    17. 17)
      • 7. Blazakis, D.: ‘Interpreter exploitation’. Proc. Fourth USENIX Conf. Offensive Technologies (WOOT), Berkeley, CA, USA, USENIX Association, 2010, pp. 19.
    18. 18)
      • 3. Designer, S.: ‘Getting around non-executable stack (and fix),’ 1997. Available at: http://www.seclists.org/bugtraq/1997/Aug0063.html.
    19. 19)
      • 10. Liebowitz, M.: ‘it spraying’: Hackers find new ways to hi-jack applications,’ 2011. Available at: http://www.securitynewsdaily.com/921-jit-spraying-hackers-find-new-ways-to-hijack-documents.html.
    20. 20)
      • 30. Tao, W., Tielei, W., Lei, D., Jing, L.: ‘Secure dynamic code generation against spraying’. Proc. 17th ACM Conf. on Computer and Communications Security (CCS) poster, New York, NY, USA, ACM, 2010, pp. 738740.
    21. 21)
      • 20. Chen, P., Xing, X., Mao, B., Xie, L., Shen, X., Yin, X.: ‘Automatic construction of jump – oriented programming shellcode (on the x86)’. Proc. Sixth ACM Symp. on Information, Computer and Communications Security (ASIACCS), New York, NY, USA, ACM, 2011, pp. 2029.
    22. 22)
      • 22. Etoh, J.: ‘Gcc extension for protecting applications from stack-smashing attacks,’ June 2000. Available at: http://www.trl.ibm.com/projects/security/ssp/.
    23. 23)
      • 32. De Groef, W., Nikiforakis, N., Younan, Y., Piessens, F.: ‘Jitsec: just-in-time security for code injection attacks’. Benelux Workshop on Information and System Security (WISSEC 2010), November 2010. Available at: https://www.lirias.kuleuven.be/handle/123456789/286573.
    24. 24)
      • 11. Wikipedia: ‘Heap spraying,’ 2010. Available at: http://www.en.wikipedia.org/wiki/Heap_spraying.
    25. 25)
      • 8. Sintsov, A.: ‘Writing jit-spray shellcode for fun and profit,’ Digital Security Research Group, Tech. Rep., 2010. Available at: http://www.dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf.
    26. 26)
      • 25. Ding, Y., Wei, T., Wang, T., Liang, Z., Zou, W.: ‘Heap taichi: exploiting memory allocation granularity in heap-spraying attacks’. Proc. 26th Annual Computer Security Applications Conf. (ACSAC), New York, NY, USA, ACM, 2010, pp. 327336.
    27. 27)
      • 23. Wu, L.-A., Lidar, D.: ‘Quantum malware’, Quantum Inf. Process., 2006, 5, (2), pp. 6981 (doi: 10.1007/s11128-006-0014-5).
    28. 28)
      • 9. Sintsov: ‘Jit-sprary attacks & advanced shellcode,’ Digital Security Research Group, Technical Report, 2010. Available at: http://www.dsecrg.com/files/pub/pdf/HITB%20-%20JIT-Spray%20Attacks%20and%20Advanced%20Shellcode.pdf.
    29. 29)
      • 4. Shacham, H.: ‘The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)’. Proc. 14th ACM Conf. Computer and Communications Security (CCS), New York, NY, USA, ACM, 2007, pp. 552561.
    30. 30)
      • 16. Google Chrome 0.2.149.27 ‘SaveAs’ Function Buffer Overflow Vulnerability, Security Vulnerability Research Team, 2008. Available at: http://www.seclists.org/bugtraq/2008/Sep/70.
    31. 31)
      • 18. Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF – JIT-Spray Exploit, Digital Security Research Group, 2010. Available at: http://www.dsecrg.com/files/exploits/QuikSoft-reverse.zip.
    32. 32)
      • 12. Roemer, R., Buchanan, E., Shacham, H., Savage, S.: ‘Return-oriented programming: Systems, languages, and applications’, ACM Trans. Inf. Syst. Secur. (TISSEC), 2012, 15, (1), pp. 134. Available at: http://www.cseweb.ucsd.edu/~hovav/papers/rbss12.html (doi: 10.1145/2133375.2133377).
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2012.0142
Loading

Related content

content/journals/10.1049/iet-ifs.2012.0142
pub_keyword,iet_inspecKeyword,pub_concept
6
6
Loading
Print this page
This is a required field
Please enter a valid email address