
Research On Implicit Constant Defense In Just-in-time Compilers

Posted on: 2021-04-26
Degree: Master
Type: Thesis
Country: China
Candidate: X Miao
Full Text: PDF
GTID: 2428330614965928
Subject: Computer application technology
Abstract/Summary:
Research in recent years has found that browsers, which people use constantly in daily life, are the most vulnerable software. Through the just-in-time (JIT) compilation mechanism that browsers widely adopt, attackers can use implicit constants in JavaScript code to build usable gadgets in the code cache and then carry out the attack with code-reuse techniques. This paper proposes a joint defense strategy based on register randomization and NOP instruction insertion to defend against implicit constant attacks. The specific research contents of this paper are as follows:

(1) Analyze the formation principle, usage conditions and attack surface of the implicit constant attack. When the JIT compiler generates dynamic code, implicit constants exist in conditional or direct call instructions in the form of code pointers, and they are generated only after the code for the entire conditional block or function call block has been generated. The attacker adjusts the size of the statement block so that the expected gadget is available after compilation.

(2) Propose a defense strategy based on register randomization and NOP instruction insertion. Specifically, while the code cache is generated, register randomization is applied to disturb the generation of implicit constants so that the attacker cannot find the pre-inserted gadget, and then a certain number of NOP instructions are inserted into the code cache to further disturb the gadget's address, thus increasing the attacker's cost.

(3) Design an implicit constant attack using code reuse to verify the effectiveness of the defense scheme. This paper simulates the attacker's approach and designs an attack experiment: a vulnerable browser is forced to load JavaScript code that injects the gadgets needed for the attack, code-reuse techniques are used to bypass DEP and ASLR, and finally the mprotect function is called to make the data page hosting the shellcode executable. Experiments on Firefox show that the proposed defense scheme effectively mitigates the implicit constant injection attack and introduces negligible performance overhead.
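As an added illustration (not code from the thesis), a toy Python JIT emitter shows why the jz displacement over a conditional block is an "implicit constant" fixed by the block's size, and how the two defenses above, register randomization and NOP insertion, diversify the emitted bytes and the constant across compilations of the same block. The emitter, its register set and the block shape are constructed for this example; a real JIT's register allocator would of course keep the program's semantics while choosing registers.

```python
import random

# Real x86-64 encodings used by the toy emitter:
#   B8+r imm32  -> mov r32, imm32   (r = register number 0..7)
#   0F 84 rel32 -> jz rel32         (rel32 is the "implicit constant")
#   90          -> nop
CALLER_SAVED = [0, 1, 2, 6, 7]  # eax, ecx, edx, esi, edi (constructed choice)

def emit_if_block(body_len, randomize_regs=False, max_nops=0, rng=random):
    """Toy JIT for `if (cond) { <body_len assignments> }`.

    Emits `jz <over body>` followed by one `mov r32, imm32` per assignment.
    The jz displacement is only known once the whole body has been emitted,
    which is the implicit constant the thesis describes: its bytes follow
    directly from the block size the attacker controls. Returns (code, disp).
    """
    body = bytearray()
    for i in range(body_len):
        # Register randomization: pick the destination register at random
        # instead of always eax, so the body bytes change on every compile.
        reg = rng.choice(CALLER_SAVED) if randomize_regs else 0
        body += bytes([0xB8 + reg]) + i.to_bytes(4, "little")
        # NOP insertion: a random number of nops after each instruction
        # shifts every later instruction and changes the final displacement.
        body += b"\x90" * (rng.randint(0, max_nops) if max_nops else 0)
    disp = len(body)
    code = b"\x0f\x84" + disp.to_bytes(4, "little", signed=True) + bytes(body)
    return code, disp

def distinct_layouts(body_len, trials, seed=1, **defenses):
    """Compile the same block `trials` times and count distinct code images
    and distinct implicit-constant values. A deterministic JIT gives (1, 1),
    so an attacker who tuned the block size gets the same bytes every time."""
    rng = random.Random(seed)
    images, disps = set(), set()
    for _ in range(trials):
        code, disp = emit_if_block(body_len, rng=rng, **defenses)
        images.add(code)
        disps.add(disp)
    return len(images), len(disps)

if __name__ == "__main__":
    print("no defense:        ", distinct_layouts(4, 50))
    print("register random.:  ", distinct_layouts(4, 50, randomize_regs=True))
    print("regs + NOPs:       ", distinct_layouts(4, 50, randomize_regs=True, max_nops=3))
```

Register randomization alone changes the body bytes but leaves the displacement stable, because the body length is unchanged; only NOP insertion also moves the constant, which is why the thesis combines the two.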
Keywords/Search Tags:Code Reuse Technology, Just-in-time Compilation, Exploitation of Software Vulnerabilities, Browser, Register