Dachshund - NDSS Symposium · Dachshund Digging for and Securing Against (Non-)Blinded Constants in JIT Code NDSS Symposium 2017 Giorgi Maisuradze, Michael Backes, Chris;an Rossow

Dachshund DiggingforandSecuringAgainst(Non-)Blinded

ConstantsinJITCode

NDSSSymposium2017

GiorgiMaisuradze,MichaelBackes,Chris;anRossowCISPA,SaarlandUniversity,Germany

Overview

• CodereuseaGacks

• CodereusewithJITcode

• Constant(non-)blindinginbrowsers

• Defendingnonblindedcases

2

Na;veCode

JavaScript

28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017

Revisi1ng Code Reuse

Code Reuse A7acks

•  Iden;fygadgets/func;ons• Puttheiraddressesonthestack• Usereturninstruc;onstoexecutethem

STACK

SavedRIPSavedRBP

Buffer[256]

args...·········

.text@4048000

libc@f7e0a000

·········

&G1SavedRBP

&cmd&G2

“/bin/bash”

············

intsystem(char*)

poprdi;ret

4GiorgiMaisuradze,NDSSSymposium201728-Feb-17

Code Reuse Defenses

STACK

SavedRIPSavedRBP

Buffer[256]

arg0arg1······

&G1SavedRBP

&cmd&G2

“/bin/bash”

.text@7093000

libc@ff78a000

·········

············

intsystem(char*)

poprdi;ret??????

??????

•  Iden;fygadgets/func;ons• Puttheiraddressesonthestack• Usereturninstruc;onstoexecutethem

Defense:• Randomizememorysegments(ASLR)• Randomizecodepages


Code Injec1on A7acks

• Useconstantvaluestocreatecontrolledgadgets

•  JITSpraying[WOOT’10]

•  SpraycodepageswithNOP-sledfollowedbyashellcode

m=0x90909090; moveax,0x90909090mov[rbp+0x20],eaxJIT

x=0x3c909090^0x3c909090^...0x3c909090;

moveax,0x3c909090xoreax,0x3c909090...xoreax,0x3c909090

JIT

nop,nop,nop,cmpal,0x35nop,nop,nop,cmpal,0x35...nop,nop,nop,cmpal,0x35


Browser Defenses

• ConstantBlinding(Edge,Chrome)•  RandomizeimmediatevaluesbyXORingthemwitharandomkey•  AddXORinstruc;ontorestoreoriginalvalue•  Blindlargeconstants(>2B)

• Weaknesses•  Smallconstantsremain[NDSS’15]•  Displacementfields[Usenix’16]

moveax,0x3c909090 moveax,0x2511663fxoreax,0x1981f6afCB


Constant Blinding Completeness

Dachshund

Controller

JSFuzzer JITInspector

C=0x123456 C=0x123456


FN=function(){vara=-1;a^=0x123456;};

eval(“vara=-1;a^=0x123456;”)

OPT

JIT...movrax,0xff..ffxorrax,0x123456...

FOUND0x123456

at0x1A17FE06085

Found Constants

JavaScriptStatementsContainingNonblindedConstants:• Chrome:

•  Argumentstobuilt-infunc;ons,ternaryoperators,returnstatements,bitwiseopera;ons,...

•  Edge:•  ArgumentstoMathlibraryfunc;ons,casesinswitchstatement,arrayindexes,globalvariableaccesses,...

v1=v2^0x12345678;

switch(j){case0x12345678:m++;}

functionfn(){returnMath.trunc(0x12345678);}


arr[i]=0x12345678;

v1=b?0x12345678:0x9abcdef0;

return0x12345678;

functionfn(){console.log(0x12345678);}

global=0x12345678;

Origins of Constants

Chrome:• Nonblindedvaluesarecomingfromtheop;mizingcompiler:•  condi;onal?:,switch,arithme;c,arrayindexing,globals,...

Edge:•  Immediatevaluecaching(bothinbaselineandop;mizer)•  Nonblindedvaluesarestoredinaspareregister

m=i^0x12345678;movrax,[rbp+0x20]xorrax,0x12345678

switch(j){case0x12345678:m++;}

movrdx,[rbp+0x20]cmpedx,0x12345678jnzXXX

OPT

OPT

functionfn(){returnMath.trunc(0x12345678);}

movrsi,0x12345678...movr9,rsicallr12OPT

JIT


Genera1ng Gadgets

RequiredgadgetsforseqngparametersforVirtualProtect:• GoogleChrome50:

•  Createthefunc;onfn•  Triggerop;mizingcompiler(>1000calls)

• MicrosorEdge25:•  Createfunc;onsr8,r9andracdx•  Triggerbaselinecompila;onforeachofthem(>50calls)

popr8;ret4158c3popr9;ret4159c3poprcx;ret59c3poprdx;ret5ac3poprax;ret58c3

functionfn(){glob[0]=0xc35841;glob[1]=0xc35941;glob[2]=-0x3ca7a5a7;}

mov[rbx+0x1b],0x00c35841mov[rbx+0x23],0x00c35941mov[rbx+0x2b],0xc3585a59

functionr8(){Math.trunc(0xc35841);}functionr9(){Math.trunc(0xc35941);}functionracdx(){Math.trunc(-0x3ca7a5a7);}

movrsi,0x00c35841movrsi,0x00c35941movrsi,0xc3585a59


Blinding the Constants

Rewri1ng JavaScript

• Replaceallintegerconstantswithglobalobjects

• Replaceanyotherliteraltypethatcanbeinterpretedasanumber

14

functionfn(){vari=0x1234;}

window._c1234=parseInt(“0x1234”)functionfn(){vari=window._c1234;}

functionfn(){i=“1234”&567;}

functionfn(){i=(“1234”).toString()&567;}


Rewri1ng JavaScript

Browser

JavaScriptrewriterisimplementedasaproxyservicebetweenthebrowserandawebserver• RewriteJavaScriptinallpossibleplaces• Hookdynamicfunc;onstorewritenewcodeatrun;me• RewriteJSindynamicallyaddedDOMnodes

Server

JSRewriterProxy

eval(“/*JS*/”)Function(“/*JS*/”)setInterval(“/*JS*/”)...

Hook

<scriptsrc=“lib.js”/>

<script>/*JS*/</script>

<imgonclick=“/*JS*/”/> Rewrite

e.appendChild(...)e.innerHTML=...

Mon

itor


Evalua1on

Rewri;nggotridofallintegerconstantsfoundbyDachshund 145

101

6351

0

20

40

60

80

100

120

140

160

AngularJS Jquery

REWRITETIM

E(M

S)

Rewri/ngTime

Uncompressed Minified

2649524245

2082018528

0

5000

10000

15000

20000

25000

30000

Chrome Edge

AVER

AGEOCT

ANESCORE

Run/me

Original Proxy

-23% -24%


Summary

•  JITenginesarevulnerabletocodeinjec;onaGacks

• Modernbrowsersdonotsufficientlydefendagainstthem

• Rewri;ngJavaScriptcangetridofcodeinjec;onviaimmediate

values

Thankyou!28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017 17

28-Feb-17 GiorgiMaisuradze,NDSSSymposium2017 18

Documents

Dachshund - NDSS Symposium · Dachshund Digging for and Securing Against (Non-)Blinded Constants in JIT Code NDSS Symposium 2017 Giorgi Maisuradze, Michael Backes, Chris;an Rossow