
Research On The Defense Of Implicit Constant In Just-in-time Compilation

Posted on: 2018-09-09  Degree: Master  Type: Thesis
Country: China  Candidate: Y J Zhang  Full Text: PDF
GTID: 2348330542471672  Subject: Computer Science and Technology
Abstract/Summary:
A just-in-time (JIT) compiler compiles input programs such as JavaScript programs (referred to as js programs) into native executable code, which also provides convenience for attackers. An attacker can construct an attack using code snippets (called gadgets) embedded in constants under the attacker's control in the js program. Methods such as constant blinding prevent the explicit constants of the js program from appearing in the code cache and thereby address this class of problem. Recent studies have shown, however, that an attacker can construct the attack by injecting implicit constants that contain the required gadgets, rendering constant blinding and other defenses against explicit constants ineffective. To this end, this thesis studies a method of defending against implicit constant attacks. By analyzing the principle and the conditions under which this kind of attack forms, we adopt the approach of transforming the implicit constants in the code cache so that attackers cannot misuse them. The main work of this thesis is as follows:

(1) We analyzed the principle and forming conditions of the implicit constant attack. During dynamic code generation, the values of implicit constants can only be calculated after all instructions in a block have been generated. Therefore, when instructions containing implicit constants are generated, the constant blinding method cannot protect them. An attacker can exploit this flaw: through a large number of tests the attacker learns the compilation rules of the JIT compiler, then carefully controls the block size in the script code so that, once the script is compiled, the needed implicit constants encoding the gadgets are obtained, and then carries out a ROP attack.

(2) We designed a defense scheme combining register randomization and code rewriting to eliminate the implicit constants in native code that attackers can misuse. The purpose of register randomization is to transform the implicit constants carefully crafted and injected by the attacker, making them variable and not easily controlled. When an instruction is dynamically generated, the size of the final generated instruction is changed by randomly permuting the extended registers and the other general-purpose registers, which indirectly changes the implicit constant. In addition, because some implicit constants may still be exploitable, they are hidden in an index table by means of binary rewriting before the dynamically generated code runs. Register randomization eliminates most of the harmful implicit constants without affecting performance, while code rewriting further conceals those that can still be exploited.

(3) We implemented a prototype system in SpiderMonkey based on the scheme above, and the feasibility of the scheme was tested and verified using the test file sets shipped with Firefox. Furthermore, we measured the performance overhead of the prototype system with Octane, SunSpider and other benchmarks. Experimental results show that the designed scheme effectively prevents attackers from misusing implicit constants with small space and time overhead.
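To make the mechanism in (1) and (2) concrete, the following toy model is an added example and not code from the thesis or from SpiderMonkey. It assumes a JIT block that materialises 32-bit constants with `mov r32, imm32` and is skipped by a forward `jmp rel32`; the x86-64 encodings used are real (a REX.B prefix byte is needed for r8d-r15d), while the block layout, the two register allocators and the seeds are constructed for illustration.

```python
import random

# Toy model (constructed): the jmp's rel32 displacement is an *implicit* constant.
# The script author never writes it; it is simply the byte length of the code the
# compiler emitted after the jmp, so it is only known once the whole block exists.
LOW_REGS = list(range(0, 8))    # eax..edi:  B8+rd imm32           (5 bytes)
EXT_REGS = list(range(8, 16))   # r8d..r15d: REX.B 41h, B8+rd imm32 (6 bytes)

def encode_mov_imm32(reg, imm):
    """Real x86-64 encoding of `mov r32, imm32`; extended registers need REX.B."""
    prefix = b"\x41" if reg >= 8 else b""
    return prefix + bytes([0xB8 + (reg & 7)]) + imm.to_bytes(4, "little")

def encode_block(regs, imms):
    """Emit the block of constant materialisations for a given register choice."""
    return b"".join(encode_mov_imm32(r, i) for r, i in zip(regs, imms))

def jump_displacement(block):
    """rel32 of a `jmp` placed just before the block that lands right after it."""
    return len(block)

def encode_jmp_over(block):
    """E9 cd: the implicit constant lands in the code cache as these 4 bytes."""
    return b"\xE9" + jump_displacement(block).to_bytes(4, "little", signed=True)

def fixed_allocation(n):
    # Deterministic allocator (constructed): a predictable register per slot gives a
    # predictable block size, hence a predictable implicit constant.  This is what
    # an attacker learns "through a large number of tests" in the thesis' analysis.
    return [LOW_REGS[i % len(LOW_REGS)] for i in range(n)]

def randomized_allocation(n, rng):
    # Register randomization (constructed allocator): low and extended registers are
    # permuted per compilation, so the number of REX prefixes, the block length and
    # therefore the jmp displacement change indirectly from run to run.
    pool = LOW_REGS + EXT_REGS
    rng.shuffle(pool)
    return [pool[i % len(pool)] for i in range(n)]

def displacements_over_runs(n, imms, seeds):
    """Set of implicit constants observed across recompilations with randomization."""
    seen = set()
    for seed in seeds:
        regs = randomized_allocation(n, random.Random(seed))
        seen.add(jump_displacement(encode_block(regs, imms)))
    return seen
```

With the fixed allocator every recompilation of a six-constant block yields the same displacement (30), whereas the randomized allocator yields several different values in the 30..36 range, which is exactly the property that stops an attacker from steering the block size to a chosen implicit constant.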
Keywords/Search Tags: Just-in-time Compilation, Implicit Constant, Register Randomization, Native Code