From Assembly to JavaScript and Back

Size: px

Start display at page:

Download "From Assembly to JavaScript and Back"

Gwenda Holmes
5 years ago
Views:

1 From Assembly to JavaScript and Back Robert Gawlik Ruhr-University Bochum August 30th 2018 Singapore

2 About me IT Security since 2010 PostDoc Systems Security Horst Görtz Institute / Ruhr-University Bochum Security Researcher at Blue Frost Security low-level security, binary analysis and exploitation, fuzzing, client-side robert.gawlik@rub.de

3 Agenda JIT-Spray on x86 and ARM and previous work Case study ASM.JS and JIT-Spray 1) CVE ) CVE (bypass of patch for (1)) Arbitrary ASM.JS payload generation Exploitation with ASM.JS JIT-Spray CVE , CVE , CVE

4 JIT Overview

5 JIT Just-In-Time Compilation (JIT) Generate native machine code from higher-level language JavaScript PHP Java ActionScript... x86_32, x86_64, ARM, AArch64

6 JIT Just-In-Time Compilation (JIT) Generate native machine code from higher-level language JavaScript PHP Java ActionScript... x86_32, x86_64, ARM, AArch64 Performance gain compared to interpreted execution

7 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers

8 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers JS: Baseline, IonMonkey ChakraCore (2 Tier JIT) Baseline, DFG, FTL TurboFan

9 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers JS: Baseline, IonMonkey ChakraCore (2 Tier JIT) ActionScript: NanoJIT Baseline, DFG, FTL TurboFan Linux Kernel: ebpf Java: PHP: HotSpot JIT HHVM JIT.Net: RyuJIT

10 JIT Just-In-Time Compilation (JIT) Several compilers and optimization layers JS: Baseline, Baseline, IonMonkey Java: DFG, FTL HotSpot JIT ChakraCore More than 13 compilation engines. (2 Tier JIT) could TurboFan What possibly gophp: wrong? HHVM JIT ActionScript: NanoJIT Linux Kernel: ebpf.net: RyuJIT

11 JIT-Spray (x86)

12 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa

13 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa Emitted JIT Code 00: b a8 05: a8 mov eax, 0xa add eax, 0xa

14 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa Emitted JIT Code 00: b a8 05: a8 mov eax, 0xa add eax, 0xa x86 offset 1 01: 02: 03: 04: 06: 07: 08: a nop nop nop test al, 5 nop nop nop

15 JIT-Spray 1. Hide native instructions in constants of high-level language c = 0xa c += 0xa Emitted JIT Code 00: b a8 05: a8 mov eax, 0xa add eax, 0xa x86 offset 1 01: 02: 03: 04: 06: 07: 08: 90 nop 90 nop 90 nop semantic a805 test nop al, 5 90 nop 90 nop 90 nop

16 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions

17 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa } While (not address_hit){ createfuncandjit() }

18 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa } While (not address_hit){ createfuncandjit() } 0x : 0x : 0x : 0x : 0x : 0x : 0x : a nop nop nop test al, 5 nop nop nop

19 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa } While (not address_hit){ createfuncandjit() } predictable?! 0x : 0x : 0x : 0x : 0x : 0x : 0x : a nop nop nop test al, 5 nop nop nop

20 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa Used to } predictable?! bypass While (not address_hit){ JIT() } 0x : 90 0x : 90 ASLR and DEP 0x : 90 0x : a805 0x : 90 0x : 90 0x : 90 nop nop nop test al, 5 nop nop nop

21 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa Used to } predictable?! 0x : 90 nop 0x : 90 nop bypass ASLR and DEP 0x : 90 nop 0x : a805 test al, 5 No info leak and code reuse necessary 0x : 90 nop While (not address_hit){ 0x : 90 nop JIT() 0x : 90 nop }

22 JIT-Spray 1. Hide native instructions in constants of high-level language 2. Force allocations to predictable address regions function JIT(){ c = 0xa c += 0xa Used to } predictable?! 0x : 90 nop 0x : 90 nop bypass ASLR and DEP 0x : 90 nop 0x : a805 test al, 5 No info leak and code reuse necessary 0x : 90 nop While address_hit){ (not Memory corruptions are easier to exploit 0x : 90 nop JIT() 0x : 90 nop }

23 Prominent JIT-Spray on x86

24 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM)

25 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM) Long XOR sequence gets compiled to XOR instructions

26 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM) Long XOR sequence gets compiled to XOR instructions First of its kind known to public

compiled to XOR instructions Bypassed with IN operator (VAL0 IN VAL1 ^

27 JIT-Spray Flash JIT-Spray (Dionysus Blazakis, 2010) Targets ActionScript (Tamarin VM) Mitigated by constant folding Long XOR sequence gets compiled to XOR instructions Bypassed with IN operator (VAL0 IN VAL1 ^ VAL2 ^..)...and mitigated with random nop insertion First of its kind known to public

28 JIT-Spray Writing JIT Shellcode (Alexey Sintsov, 2010) Nice methods to ease and automate payload generation:

29 JIT-Spray Writing JIT Shellcode (Alexey Sintsov, 2010) Nice methods to ease and automate payload generation: split long instructions into instructions <= 3 bytes ; 5 bytes mov ebx, 0xb1b2b3b4 mov ebx, 0xb1b2xxxx ; 3 bytes mov bh, 0xb3 ; 2 bytes mov bl, 0xb4 ; 2 bytes

30 JIT-Spray Writing JIT Shellcode (Alexey Sintsov, 2010) Nice methods to ease and automate payload generation: split long instructions into instructions <= 3 bytes ; 5 bytes mov ebx, 0xb1b2b3b4 mov ebx, 0xb1b2xxxx ; 3 bytes mov bh, 0xb3 ; 2 bytes mov bl, 0xb4 ; 2 bytes semantic nops which don t change flags 00: b a 05: a8 mov eax, 0x6a add eax, 0xa : 90 04: 6a05 nop push 5

31 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible:

32 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible: use two of four immediate bytes as payload

33 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible: use two of four immediate bytes as payload connect payload bytes with short jumps (stage0)

34 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010) JIT-Spray in Apple Safari on Windows possible: use two of four immediate bytes as payload connect payload bytes with short jumps (stage0) copy stage1 payload to RWX JIT page and jump to it

35 JIT-Spray JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010)

36 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines

37 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e., with floating point values)

38 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e., with floating point values) JIT gadget techniques (gajits)

39 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e., with floating point values) JIT gadget techniques (gajits) Comparison of JIT hardening measurements

40 JIT-Spray Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011) In depth analysis of LLVM and Firefox JIT engines JIT-Spray techniques (i.e. with floating point values) JIT gadget techniques (gajits) Comparison of JIT hardening measurements

41 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion:

42 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS

43 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS trigger UAF bug and call JIT gadget

44 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS trigger UAF bug and call JIT gadget JIT gadget writes return address into heap spray, continue execution in JS

45 JIT-Spray Flash JIT Spraying info leak gadgets (Fermin Serna, 2013) Bypass ASLR and random NOP insertion: spray few instructions to predictable address prevents random NOPS trigger UAF bug and call JIT gadget JIT gadget writes return address into heap spray, continue execution in JS Mitigated with constant blinding in Flash 11.8

46 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment

47 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment 3 of 4 bytes of one constant usable as payload

48 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment 3 of 4 bytes of one constant usable as payload Spray multiple functions to hit predictable address (32-bit)

49 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) JIT-Spray on Java Runtime Environment 3 of 4 bytes of one constant usable as payload Spray multiple functions to hit predictable address (32-bit) Jump to it with EIP control

50 JIT-Spray Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013) School book JIT Spray on JRE 7 3 of 4 bytes of one constant usable as payload Spray multiple functions to hit predictable address (32-bit) Jump to it with EIP control

51 JIT-Spray (ARM)

52 JIT-Spray (ARM) Too lejit to Quit (Lian et al., 2015) Target: JSC DFG JIT Thumb-2: mixed 16-bit and 32-bit instructions 16-bit alignment

53 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions

54 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive 16-bit Thumb-2 instructions

55 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive 16-bit Thumb-2 instructions 1st instruction: attacker operation 2nd instruction: PC-relative jump

56 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive 16-bit Thumb-2 instructions 1st instruction: attacker operation 2nd instruction: PC-relative jump self-sustained payload without resynchronization (target: Firefox IonMonkey)

57 JIT-Spray (ARM) A Call to ARMs (Lian et al., 2017) Control JIT to emit 32-bit ARM AND instructions Force interpretation of AND instruction as two consecutive JIT-Spray on 16-bit Thumb-2 instructions architecture with fixed instruction length and 1st instruction: attacker operation alignment 2nd instruction:instruction PC-relative jump self-sustained payload without resynchronization (target: Firefox IonMonkey)

58 ASM.JS JIT-Spray on OdinMonkey (x86)

59 ASM.JS Strict subset of JS OdinMonkey: Ahead-Of-Time (AOT) Compiler in Firefox Appeared in 2013 in Firefox 22 No need to frequently execute JS as in traditional JITs Generates binary blob with native machine code ASM.JS JIT-Spray possible until Firefox 52 (2017)

60 ASM.JS Simple ASM.JS module

61 ASM.JS Simple ASM.JS module Prolog directive

62 ASM.JS Simple ASM.JS module Prolog directive ASM.JS module body

63 ASM.JS Simple ASM.JS module Prolog directive ASM.JS module body Your calculations

64 ASM.JS Simple ASM.JS module Prolog directive ASM.JS module body Your calculations

65 ASM.JS Inject Code to Predictable Addresses Request ASM.JS module several times

66 ASM.JS Inject Code to Predictable Addresses Request ASM.JS module several times Search for 0xc1c2c3c4 in memory

67 ASM.JS Inject Code to Predictable Addresses Value appears in machine code a d b8c4c3c2c c404 c3 mov xchg add ret eax,0c1c2c3c4h ax,ax esp,4

68 ASM.JS Inject Code to Predictable Addresses Value appears in machine code a d b8c4c3c2c c404 c3 mov xchg add ret eax,0c1c2c3c4h ax,ax esp,4

69 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c c c c c c d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc a a a a a761000

70 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c d8bc many module 0a requests yield many copies c d8bc304 c d8bc304 0a c d8bc304 0a c d8bc304 0a c d8bc304 0a761000

71 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c d8bc many module 0a requests yield many copies c d8bc304 c d8bc304 0a aligned to predictable c d8bc304 0a741000addresses c d8bc304 0a c d8bc304 0a761000

72 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c d8bc many module 0a requests yield many copies c d8bc304 c d8bc304 0a aligned to predictable c d8bc304 0a741000addresses c d8bc304 0a c d8bc304 0a ASM.JS JIT-Spray unlocked

ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a720024 0a730024 0a740024 0a750024 0a760024.

73 ASM.JS Inject Code to Predictable Addresses Unblinded constant 0xc1c2c3c4 appears many times 09bf9024 0a a a a a c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c1c2c3c4 c c c c c c d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc304 0d8bc a a a a a761000

74 ASM.JS JIT-Spray CVE Example: nop sled with ASM.JS (Firefox bit)

75 ASM.JS JIT-Spray

76 ASM.JS JIT-Spray No info leak, no code reuse, use your vuln to point EIP to your payload

77 ASM.JS JIT-Spray CVE The flaw (simplified) 1) 2) 3) 4) 5) ASM.JS module is compiled into RW region each module request executes VirtualAlloc many RW regions at 64k granularity predictable compiled module code is copied many times to RW regions RW regions are VirtualProtect ed to RX

78 ASM.JS JIT-Spray CVE The patch 1) Randomize VirtualAlloc allocations randomaddr = ComputeRandomAllocationAddress(); p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,...

79 ASM.JS JIT-Spray CVE The patch 1) Randomize VirtualAlloc allocations randomaddr = ComputeRandomAllocationAddress(); p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,... 2) Limit ASM.JS RX code per process to 160MB maxcodebytesperprocess = 160 * 1024 * 1024;

80 ASM.JS JIT-Spray CVE The patch 1) Randomize VirtualAlloc allocations randomaddr = ComputeRandomAllocationAddress(); p = VirtualAlloc(randomAddr,... Firefox 51 Fixed in if (!p) { Bypass it! // Try again without randomaddr. p = VirtualAlloc(nullPtr,... CVE ) Limit ASM.JS RX code per process to 160MB maxcodebytesperprocess = 160 * 1024 * 1024;

81 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,...

82 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,...

83 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,... occupy as many 64k addresses as possible with Typed Arrays heap spray to decrease entropy

84 ASM.JS JIT-Spray CVE Bypass patch (1): force fallback code p = VirtualAlloc(randomAddr,... if (!p) { // Try again without randomaddr. p = VirtualAlloc(nullPtr,... occupy as many 64k addresses as possible with Typed Arrays heap spray to decrease entropy randomaddr ASM.JS JIT allocations will fail fallback allocations become predictable again

85 ASM.JS JIT-Spray CVE Bypass patch (2): stay within ASM.JS code limit of 160MB maxcodebytesperprocess = 160 * 1024 * 1024;

86 ASM.JS JIT-Spray CVE Bypass patch (2): stay within ASM.JS code limit of 160MB maxcodebytesperprocess = 160 * 1024 * 1024; spray max allocations allowed, assuming that each module becomes < 64KB (estimation good enough for exploitation)

87 ASM.JS JIT-Spray CVE Bypass patch (2): stay within ASM.JS code limit of 160MB maxcodebytesperprocess = 160 * 1024 * 1024; spray max allocations allowed, assuming that each module becomes < 64KB (estimation good enough for exploitation) Release memory allocated with Typed Array Spray (1)

88 ASM.JS JIT-Spray

89 ASM.JS JIT-Spray CVE The patch major redesign reserve maxcodebytesperprocess range on startup difficult to predict address commit/decommit from this set of pages for ASM.JS/Wasm when requested

90 ASM.JS Payloads

91 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code How to inject arbitrary code?

92 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Arithmetic instructions

93 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Arithmetic instructions 01: 02: 03: 04: 06: 07: 08: a nop nop nop test al, 5 nop nop nop

94 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Arithmetic instructions 01: 02: 03: 04: 06: 07: 08: a nop nop nop test al, 5 nop nop nop problems: - constant folding - test changes flags

95 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements

96 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements 01: 02: 03:.. 11: 12: 13: eb0c nop nop jmp 0x eb0c nop nop jmp 0x21

97 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements 2 payload bytes 01: 02: 03:.. 11: 12: 13: eb0c nop nop jmp 0x eb0c nop nop jmp 0x21

98 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Setting array elements 2 payload bytes connect with jumps 01: 02: 03:.. 11: 12: 13: eb0c nop nop jmp 0x eb0c nop nop jmp 0x21

99 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface)

100 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) import a JS function into your ASM.JS code

101 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) import a JS function into your ASM.JS code call it with many parameters

102 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) import a JS function into your ASM.JS code call it with many parameters hide payload in parameters

103 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) 00: c a9 mov dword [esp], 0xa : c a9 mov dword [esp + 4], 0xa f: c a9 mov dword [esp + 8], 0xa emitted code

104 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) 03: 04: 05: 06: 0b: 0c: 0d: 0e: a9c a9c nop nop nop test eax,42444c7h nop nop nop test eax,82444c7h

105 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Using ASM.JS imports (Foreign Function Interface) 03: 04: 05: 06: 0b: 0c: 0d: 0e: 90 nop 90 nop 3 payload 90 nop bytes per instruction a9c test eax,42444c7h 90 nop 90 nop large semantic nops 90 nop a9c test eax,82444c7h

106 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI

107 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI

108 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code

109 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code double constant values are referenced

110 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code double constant values are referenced

111 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI emitted code double constant values are referenced

112 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Double values as parameters for FFI constants executable! emitted code doubleare constant values are referenced constants are continuous in memory! full constant usable as payload! able to embed continuous code!

113 Automated Payload Generation

114 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Input: x86 assembly shellcode, or loader and payload sc2asmjs.py assembles it, transforms instructions, fixes branch-target distances Output: ASM.JS code containing your payload During exploit/run time: ASM.JS machine code

115 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Problems of automated payload generation: x86 instruction size <= 3 bytes (arithmetics) or <= 2 bytes (parameter passing) branch target distance, loops? side effects of semantic nops?

116 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Some problems solved transform MOVs preserve flags when needed loop and branch adjustments

117 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Some problems solved transform MOVs preserve flags when needed loop and branch adjustments

118 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)

119 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)

120 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)

121 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)

122 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example) Instructions <= 2 bytes stage0 compatible

123 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example) ASM.JS code

124 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example)

125 ASM.JS Payloads Automated payload generation (sc2asmjs.py) Transform MOVs (example) sprayed ASM.JS payload

126 Exploitation

127 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser)

128 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser) Analysis and bug trigger available in Mozilla Bug report

129 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser) Analysis and bug trigger available in Mozilla Bug report Take crashing testcase find a road to EIP to write alternative exploit with ASM.JS JIT-Spray

130 ASM.JS JIT-Spray Exploits Exploiting CVE Appeared in the wild (Tor Browser) Analysis and bug trigger available in Mozilla Bug report Take crashing testcase find a road to EIP to write alternative exploit with ASM.JS JIT-Spray Much simpler than original exploit no info leak and code reuse

131 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit ( c): Access violation - code c (first chance) mov eax,dword ptr [ecx+0ach] ds:002b:414141ed=???????? 0:000>?eip-xul Evaluate expression: = 007a00dd

132 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit ( c): Access violation - code c (first chance) mov eax,dword ptr [ecx+0ach] ds:002b:414141ed=???????? 0:000>?eip-xul Evaluate expression: = 007a00dd ECX is controlled at xul.dll + 0x7a00dd

133 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138]

134 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138] Exploit: - ASM.JS JIT-Spray to 0x1c1c0054

135 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138] Exploit: - ASM.JS JIT-Spray to 0x1c1c Typed Array spray for controlling memory at ECX and EAX

136 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit search for EIP control after xul.dll + 0x7a00dd follow 5 calls and you find: xul + 0x1c0cb8: call dword [eax + 0x138] Exploit: - ASM.JS JIT-Spray to 0x1c1c Typed Array spray for controlling memory at ECX and EAX - Trigger the bug

137 ASM.JS JIT-Spray Exploits Exploiting CVE

138 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit HTML5 parser heap-buffer-overflow

139 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit HTML5 parser heap-buffer-overflow Analysis and crashing testcase available in Mozilla Bug report

140 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit HTML5 parser heap-buffer-overflow Analysis and crashing testcase available in Mozilla Bug report Patched at several vulnerable code paths

141 ASM.JS JIT-Spray Exploits Exploiting CVE Crashing testcase targets difficult to exploit code path bruteforce necessary

142 ASM.JS JIT-Spray Exploits Exploiting CVE Crashing testcase targets difficult to exploit code path bruteforce necessary Further analysis based on other patched code paths easier to exploit code path available modification of crashing testcase reaches path

143 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path:

144 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 1) integer underflow 1)

145 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 2) 1) integer underflow 2) control over node object 1)

146 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 3) 2) 1) integer underflow 2) control over node object 3) group is constant no need to bruteforce 1)

ASM.JS JIT-Spray Exploits Exploiting CVE-2016-2819 Easier-to-exploit code path: 3) 4) 1) 2) 1) integer underflow

147 ASM.JS JIT-Spray Exploits Exploiting CVE Easier-to-exploit code path: 3) 4) 1) 2) 1) integer underflow 2) control over node object 3) group is constant no need to bruteforce 4) pop() calls node release() EIP control

148 ASM.JS JIT-Spray Exploits Exploiting CVE

149 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit Use-after-free in HTML5 string parser

150 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit Use-after-free in HTML5 string parser Analysis and crashing testcase available in Mozilla Bug report

151 ASM.JS JIT-Spray Exploits Exploiting CVE Firefox bit Use-after-free in HTML5 string parser Analysis and crashing testcase available in Mozilla Bug report Looks suspiciously similar to CVE

152 ASM.JS JIT-Spray Exploits Exploiting CVE While crashing testcase is different from CVE , it exercises same (difficult to exploit) code path public exploit uses bruteforce approach

153 ASM.JS JIT-Spray Exploits Exploiting CVE While crashing testcase is different from CVE , it exercises same (difficult to exploit) code path public exploit uses bruteforce approach Let s try something: modify crashing testcase in same way as for CVE works! EIP control and ASM.JS payload execution

154 Conclusion

155 Conclusion JIT-Spray simplified client-side exploitation ASM.JS in OdinMonkey (x86) was the perfect JIT-Spray target JIT-Spray was possible on x86 and ARM JIT-Spray is infeasible in a large (64-bit) address space, under ASLR and Control-Flow Integrity JIT compilers have a big attack surface and remain prone to vulnerabilities

156 Thank you! Questions?

157 Appendix: Additional and Alternative Slides

158 References

159 References

160 References

161 More Flaws beyond JIT-Spray

162 Beyond JIT-Spray JIT-related flaws More exploit-mitigation bypasses DEP and CFG Bypass (Tencent, 2015)

163 Beyond JIT-Spray JIT-related flaws More exploit-mitigation bypasses DEP and CFG Bypass (Tencent, 2015) Chakra-JIT CFG Bypass (Theori, 2016)

164 Beyond JIT-Spray JIT-related flaws More exploit-mitigation bypasses DEP and CFG Bypass (Tencent, 2015) Chakra-JIT CFG Bypass (Theori, 2016) ACG Bypass (Ivan Fratric, 2018)

165 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0

166 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0 Safari JIT (Pwn2Own 2017, Pwn2Own 2018)

167 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0 Safari JIT (Pwn2Own 2017, Pwn2Own 2018) Chrome 63 (Windows OSR Team)

168 Beyond JIT-Spray JIT-related flaws Vulnerabilities in JIT-compilers Web Assembly bugs found by Google P0 Safari JIT (Pwn2Own 2017, Pwn2Own 2018) Chrome 63 (Windows OSR Team) Chakra JIT (CVE , CVE )

169 JIT-based Code Reuse

170 JIT-Code Reuse Similar to JIT-Spray but requires info leak Abuse JIT to achieve various goals: two payload bytes are enough to create gadgets bypass static ROP protections hide code within direct branch offsets bypass Execute-Only Memory find 4-byte constants missed by constant blinding bypass constant blinding and create gadgets

171 Automated Payload Generation: Preserving Flags

172 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: 3C E CMP AL, 61 JE $+0x10

173 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: - sprayed payload: 3C E 3C 10 A E CMP AL, 61 JE $+0x10 CMP AL, 61 TEST AL, 05 JE $+0x10

174 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: - sprayed payload: 3C E 3C 10 A E CMP AL, 61 JE $+0x10 CMP AL, 61 semantic TEST AL, 05 nop kills flags JE $+0x10

175 ASM.JS Payloads Automated payload generation Preserve flags when needed - payload we want to insert: 3C 10 A E - sprayed payload: - save and restore flags around semantic nop 3C E 3C 10 9C A8 05 9D 74 0E CMP AL, 61 JE $+0x10 CMP AL, 61 semantic TEST AL, 05 nop kills flags JE $+0x10 CMP AL, 61 PUSHFD TEST AL, 05 POPFD JE $+0x10 --> save flags --> kills flags --> restore flags

176 Float Pool Spray: Alternative Slides

177 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values

178 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540:

179 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced

180 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced same executable region

181 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced same executable region continuous in address space

182 ASM.JS Payloads ASM.JS Statements Suitable to Embed Code Foreign function call with double values 0x00: 0x08: 0x10: 0x18:... movsd movsd movsd movsd xmm1, xmm3, xmm2, xmm0, mmword mmword mmword mmword [****0530] [****0538] [****0540] [****0548] ****0530: ****0540: constants are referenced same executable region continuous in address space gapless, arbitrary shellcode possible

Attacking Client Side JIT Compilers. BlackHat 2011

Attacking Client Side JIT Compilers BlackHat 2011 Introduction Chris Rohlf - Principal Security Consultant @chrisrohlf chris@matasano.com Yan Ivnitskiy - Security Consultant @yan yan@matasano.com http://www.matasano.com/research