High-performance and Secure Just-in-time Compiler Protection (preliminary version)

Tomoyuki Nakayama, Masanori Misono, Takahiro Shinagawa


Modern browsers have just-in-time (JIT) compilers that compile JavaScript programs into native binary code on the fly. Since recent JIT compilers place JavaScript data in non-executable memory regions, simply placing shellcode in JavaScript data does not work. To overcome this protection, recent attacks exploit constants in JavaScript programs that are compiled into instructions placed in code regions, and use them as small pieces of code, called gadgets, which are chained by return-oriented programming (ROP). To counter this attack, recent browsers introduce constant blinding, which encrypts JavaScript constants with a secret key and decrypts them at run time, preventing attackers from inserting arbitrary gadgets. Unfortunately, current browsers (including Firefox, Google Chrome, and Microsoft Edge) only blind constants larger than two bytes for performance reasons, allowing attackers to emit one- and two-byte gadgets, which are known to be sufficient to mount ROP attacks. This paper proposes a high-performance and secure constant blinding technique for JIT compilers. In this technique, we decide whether to blind a constant based on the value of the constant. If a constant includes a value that can be interpreted as a control flow instruction (e.g., ret or jmp), we blind that constant even if it is two bytes or less. Otherwise, we do not blind the constant because it cannot be used as a gadget. This technique reduces the overhead of constant blinding by reducing the number of constants that must be blinded, while improving security by eliminating the possibility that even small constants are exploited as gadgets. We implemented this technique in ChakraCore, the JIT engine of Microsoft Edge, running on x64 systems and measured the performance of the JIT engine. Experimental results confirmed that our technique improved performance by a maximum of 2.85% compared with blinding all constants.
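The value-based decision described above can be illustrated with a small x64 model. The following is an added example written for this page; it is not the paper's ChakraCore implementation. It assumes a specific set of control-flow opcodes (near and far ret, short and near jmp, and the FF /4 and FF /5 indirect jmp forms), scans the little-endian encoding of an immediate for those bytes, and blinds only constants that contain one. The XOR blinding scheme (emit `mov reg, imm ^ key` followed by `xor reg, key`) is a common design and is shown here as an assumption, not as the paper's exact code generation.

```c
/* Added example: value-based constant blinding decision for x64 immediates.
 * Not the paper's ChakraCore code; opcode set and XOR scheme are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* One-byte x64 opcodes that start a control-flow instruction an attacker
 * would want inside a gadget (assumed set; the abstract says "e.g. ret and jmp"):
 * C3/C2 near ret, CB/CA far ret, EB jmp rel8, E9 jmp rel32. */
static bool is_cf_opcode(uint8_t b)
{
    switch (b) {
    case 0xC3: case 0xC2: case 0xCB: case 0xCA:  /* ret variants */
    case 0xEB: case 0xE9:                        /* direct jmp */
        return true;
    default:
        return false;
    }
}

/* FF /4 and FF /5 are indirect near/far jmp; the reg field is ModRM bits 5..3. */
static bool is_indirect_jmp_modrm(uint8_t modrm)
{
    uint8_t reg = (modrm >> 3) & 7;
    return reg == 4 || reg == 5;
}

/* Return true if the little-endian encoding of `imm` (width = 1, 2, 4 or 8
 * bytes) contains a byte sequence that decodes as ret or jmp when control
 * flow lands in the middle of the mov instruction that carries it.
 * Constants of any width are checked by value, as the technique describes. */
bool constant_needs_blinding(uint64_t imm, size_t width)
{
    uint8_t bytes[8];
    if (width > 8)
        width = 8;
    for (size_t i = 0; i < width; i++)
        bytes[i] = (uint8_t)(imm >> (8 * i));

    for (size_t i = 0; i < width; i++) {
        if (is_cf_opcode(bytes[i]))
            return true;
        if (bytes[i] == 0xFF) {
            /* The ModRM byte decides whether FF is a jmp. If it lies past the
             * end of the constant we cannot see it here, so blind conservatively. */
            if (i + 1 >= width || is_indirect_jmp_modrm(bytes[i + 1]))
                return true;
        }
    }
    return false;
}

/* Blinded emission model: instead of `mov reg, imm` the JIT emits
 * `mov reg, imm ^ key` followed by `xor reg, key`, so attacker-chosen
 * bytes never appear verbatim in the code region. `key` is assumed to
 * come from a CSPRNG; it is passed in here so the example runs offline. */
struct blinded { uint64_t masked; uint64_t key; };

struct blinded blind_constant(uint64_t imm, uint64_t key)
{
    struct blinded b = { imm ^ key, key };
    return b;
}

/* What the emitted xor computes at run time. */
uint64_t unblind_constant(struct blinded b)
{
    return b.masked ^ b.key;
}

/* Count how many of n constants the value-based rule would blind. */
size_t count_blinded(const uint64_t *vals, const size_t *widths, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (constant_needs_blinding(vals[i], widths[i]))
            c++;
    return c;
}

int main(void)
{
    /* Constructed sample immediates: value, encoded width in bytes. */
    const uint64_t vals[]   = { 0xC3, 0x1234, 0x00E9, 0x41414141, 0x25FF, 0x00FF };
    const size_t   widths[] = { 1,    2,      2,      4,          2,      2 };
    size_t n = sizeof(vals) / sizeof(vals[0]);
    for (size_t i = 0; i < n; i++)
        printf("imm=0x%llx width=%zu blind=%d\n", (unsigned long long)vals[i],
               widths[i], constant_needs_blinding(vals[i], widths[i]));
    printf("%zu of %zu constants blinded\n", count_blinded(vals, widths, n), n);
    return 0;
}
```

Of the six constructed constants, the rule blinds four: `0xC3` (ret), `0x00E9` (its high byte is jmp rel32), `0x25FF` (bytes FF 25, an indirect jmp) and `0x00FF` is left unblinded only because its trailing byte is 00, whereas a constant ending in FF is blinded conservatively. `0x1234` and `0x41414141` contain no control-flow byte and are emitted as plain immediates, which is where the overhead saving comes from. A production JIT would also check the first byte of the instruction that follows the immediate, and would reject a key if the masked value itself happened to contain a control-flow byte.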


Code-reuse attacks; JIT compiler; return-oriented programming; constant blinding
