(2017) Dachshund: Digging for and Securing (Non-)Blinded Constants in JIT Code.
Abstract
Modern browsers such as Chrome and Edge deploy constant blinding to remove attacker-controlled constants from the JIT-compiled code. Without such a defense, attackers can encode arbitrary shellcode in constants that get compiled to executable code. In this paper, we review the security and completeness of current constant blinding implementations. We develop DACHSHUND, a fuzzing-driven framework to find user-specified constants in JIT-compiled code. DACHSHUND reveals several cases in which JIT compilers of modern browsers fail to blind constants, ranging from constants passed as function parameters to blinded constants that second-stage code optimizers revert to a non-protected form. To tackle this problem, we then propose a JavaScript rewriting mechanism that removes all constants from JavaScript code. We prototype this cross-browser methodology as part of a Web proxy and show that it can successfully remove all constants from JavaScript code.
| Field | Value |
|---|---|
| Item Type | Conference or Workshop Item (Paper) |
| Additional Information | pub_id: 1126; Bibtex: MaBaRo_16:dachshund; URL date: None |
| Divisions | Michael Backes (InfSec); Christian Rossow (System Security Group, SysSec) |
| Conference | NDSS Network and Distributed System Security Symposium |
| Depositing User | Sebastian Weisgerber |
| Date Deposited | 26 Jul 2017 10:29 |
| Last Modified | 18 Jul 2019 12:10 |
| Primary Research Area | NRA3: Threat Detection and Defenses |
| URI | https://publications.cispa.saarland/id/eprint/294 |