From Wikipedia, the free encyclopedia
JIT spraying is a class of computer security exploit that circumvents the protection of address space layout randomization (ASLR) and data execution prevention (DEP) by exploiting the behavior of just-in-time compilation.[1] It has been used against the JavaScript engines embedded in PDF readers[2] and against Adobe Flash.[3]
A just-in-time compiler (JIT) by definition produces executable code as its output data. Because its whole purpose is to write memory that will then be executed, a JIT is one of the few kinds of program that cannot run under a strict no-executable-data policy, so the pages it generates are normally exempted from data execution prevention. A JIT spray attack does heap spraying with this generated code: the attacker has the JIT compile many copies of a program whose native output contains the bytes the attacker wants to run, so that a large, predictable region of executable memory is filled with attacker-chosen content.
To produce exploit code from the JIT, an idea from Dion Blazakis[4] is used. The input program, usually JavaScript or ActionScript, contains numerous constant values chosen by the attacker; the JIT copies them verbatim into the generated native code as immediate operands, where they can be executed as instructions if control is transferred into them. For example, a long chain of XOR operations can be used:[5]
var a = (0x11223344^0x44332211^0x44332211^ ...);
The JIT then compiles this bytecode into native 32-bit x86 code like the following (offset, bytes, AT&T syntax, Intel syntax):
    0:  b8 44 33 22 11    mov $0x11223344,%eax    mov eax,0x11223344
    5:  35 11 22 33 44    xor $0x44332211,%eax    xor eax,0x44332211
    a:  35 11 22 33 44    xor $0x44332211,%eax    xor eax,0x44332211
The attacker then uses a suitable bug to redirect code execution into the newly generated code. For example, a buffer overflow or use-after-free bug could allow the attacker to overwrite a function pointer or return address with an address inside the sprayed region; because the region is large and its contents are repeated, the address does not need to be exact.
This causes the CPU to execute instructions in a way the JIT authors never intended. The attacker is not even limited to the expected instruction boundaries: it is possible to jump into the middle of an intended instruction and have the CPU interpret the following bytes as something else. As with non-JIT return-oriented programming, a handful of such unintended instructions may be enough to usefully take control of the computer. Continuing the above example, jumping to the second byte of the "mov" instruction results in an "inc" instruction, and the attacker-chosen immediates are executed as code while the 0x35 opcode byte the JIT placed between them is absorbed as the ModR/M byte of an "adc":
    1:  44                inc %esp                inc esp
    2:  33 22             xor (%edx),%esp         xor esp,DWORD PTR [edx]
    4:  11 35 11 22 33 44 adc %esi,0x44332211     adc DWORD PTR ds:0x44332211,esi
    a:  35 11 22 33 44    xor $0x44332211,%eax    xor eax,0x44332211
x86 and x86-64 have variable-length instructions with no alignment requirement, so control can be transferred into the middle of an instruction. Fixed-length, aligned instruction sets such as ARM in its 32-bit A32 state do not allow this, since every instruction starts on a 4-byte boundary; the Thumb-2 encoding, which mixes 16-bit and 32-bit instructions, does not give the same guarantee.
To protect against JIT spraying, the JIT can be disabled entirely (falling back to an interpreter) or its output can be made less predictable for the attacker,[4] for example by randomizing the placement of generated code pages, inserting random padding between emitted instructions, or constant blinding: XORing every attacker-supplied immediate with a secret random key at compile time and emitting an extra instruction to undo it, so that the attacker's bytes never appear verbatim in executable memory.
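The naive emission of the XOR chain, the misaligned decode from offset 1, and the constant-blinding defence above, as an added worked example in Python (not code from the article or from any real JIT). It contains a toy emitter that produces the 32-bit x86 bytes a naive JIT would generate for an XOR chain, a deliberately small decoder covering only the opcodes that appear in the article's listing, a blinded emitter, and checks that the blinded code computes the same value while no longer containing the attacker's immediates. The function names, the sample constants and the blinding key are assumptions chosen for this example.

```python
"""Toy model of the JIT-spray building block: naive vs. constant-blinded
emission of (c0 ^ c1 ^ c2 ...) as 32-bit x86, plus a decoder small enough
to show how the instruction stream changes when entered mid-instruction.
Added example; it is not code from the article or from any real JIT."""
import os
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample input: the constants from the article's xor chain.
SAMPLE_CONSTANTS = [0x11223344, 0x44332211, 0x44332211]


def emit_xor_chain(constants):
    """Bytes a naive 32-bit x86 JIT emits for (c0 ^ c1 ^ ...): mov eax, c0 then
    xor eax, ci. Each attacker-chosen ci lands verbatim in the code page."""
    code = bytearray(b"\xb8" + struct.pack("<I", constants[0]))      # mov eax, imm32
    for c in constants[1:]:
        code += b"\x35" + struct.pack("<I", c)                        # xor eax, imm32
    return bytes(code)


def emit_xor_chain_blinded(constants, key):
    """Same computation with constant blinding: store ci ^ key and undo it with
    a second xor. The page contents now depend on a key unknown to the attacker."""
    code = bytearray()
    for n, c in enumerate(constants):
        code += (b"\xb8" if n == 0 else b"\x35") + struct.pack("<I", c ^ key)
        code += b"\x35" + struct.pack("<I", key)                      # xor eax, key
    return bytes(code)


def _modrm(code, i, reg_is_dest):
    """Decode a ModR/M byte at code[i] for mod=00 (memory) and mod=11 (register);
    returns (Intel operand text, bytes consumed). Only what this example needs."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    if mod == 3:
        mem, used = REGS32[rm], 1
    elif mod == 0 and rm == 5:                 # rm=101 with mod=00: absolute disp32
        disp, = struct.unpack_from("<I", code, i + 1)
        mem, used = f"DWORD PTR ds:0x{disp:08x}", 5
    elif mod == 0 and rm != 4:                 # rm=100 would need a SIB byte
        mem, used = f"DWORD PTR [{REGS32[rm]}]", 1
    else:
        raise ValueError("ModR/M form not handled by this toy decoder")
    return (f"{REGS32[reg]},{mem}" if reg_is_dest else f"{mem},{REGS32[reg]}"), used


def decode(code, offset=0):
    """Decode from any byte offset (the sprayer picks the entry point). Returns
    (offset, Intel text) pairs and stops at the first opcode it does not know."""
    out, i = [], offset
    while i < len(code):
        op = code[i]
        try:
            if op in (0xB8, 0x35):                         # mov / xor eax, imm32
                imm, = struct.unpack_from("<I", code, i + 1)
                out.append((i, f"{'mov' if op == 0xB8 else 'xor'} eax,0x{imm:08x}"))
                i += 5
            elif 0x40 <= op <= 0x47:                       # inc r32 (32-bit mode only)
                out.append((i, f"inc {REGS32[op - 0x40]}"))
                i += 1
            elif op in (0x33, 0x11):                       # xor r32,r/m32 ; adc r/m32,r32
                ops, used = _modrm(code, i + 1, reg_is_dest=(op == 0x33))
                out.append((i, f"{'xor' if op == 0x33 else 'adc'} {ops}"))
                i += 1 + used
            else:
                raise ValueError("opcode not in this toy decoder")
        except (ValueError, struct.error, IndexError):
            out.append((i, f"db 0x{op:02x}"))              # give up, as a disassembler would
            break
    return out


def eval_eax(code):
    """Run the intended stream (only mov/xor eax,imm32 occur in it) and return eax."""
    eax, i = 0, 0
    while i < len(code):
        op, imm = code[i], struct.unpack_from("<I", code, i + 1)[0]
        if op == 0xB8:
            eax = imm
        elif op == 0x35:
            eax ^= imm
        else:
            raise ValueError(f"unexpected opcode 0x{op:02x} at offset {i}")
        i += 5
    return eax


def contains_immediate(code, value):
    """Does the attacker-chosen 32-bit value appear verbatim in the code page?"""
    return struct.pack("<I", value) in code


if __name__ == "__main__":
    naive = emit_xor_chain(SAMPLE_CONSTANTS)
    key = struct.unpack("<I", os.urandom(4))[0]            # per-compilation secret
    blinded = emit_xor_chain_blinded(SAMPLE_CONSTANTS, key)
    for title, code in (("naive", naive), ("blinded", blinded)):
        print(f"{title}: eax=0x{eval_eax(code):08x}, "
              f"0x44332211 in page: {contains_immediate(code, 0x44332211)}")
        for entry in (0, 1):
            print(f"  from offset {entry}:", "; ".join(t for _, t in decode(code, entry)))
```

Decoding the naive page from offset 1 reproduces the article's `inc esp; xor esp,[edx]; adc [0x44332211],esi` stream, and the two streams resynchronise at offset 0xa. The blinded page evaluates to the same `eax` but, with a random key, no longer contains either attacker constant, so an entry point inside it yields key-dependent garbage instead of the planned instructions.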