![Page 1: How To Avoid Implement An Exploit Friendly JIT](https://reader030.vdocument.in/reader030/viewer/2022021419/587a4f591a28ab00148b6f41/html5/thumbnails/1.jpg)
How To Avoid Implement An Exploit Friendly JIT
Yunhai Zhang
twitter: @_f0rgetting_
weibo: @f0rgetting
Who am I
• Yunhai Zhang
• Researcher of NSFOCUS Security Team
• Focus on Exploit Detection and Prevention
• Winner of Mitigation Bypass Bounty: 2014-2016
Agenda
• Motivations
• Previous Work
• Issue 1: RWX Page
• Issue 2: Bad Neighbor
• Issue 3: Unsecure Default Behavior
• Conclusion
Motivations
• Why talk about JIT?
  • JIT is widely used in modern software
  • All major web browsers use JIT
• What a JIT does is essentially what an exploit needs
  • Generate some code dynamically and execute it
Previous Work
• Interpreter Exploitation: Pointer Inference and JIT Spraying
  • Dion Blazakis, Aug 2010
• Attacking Client Side JIT Compilers
  • Chris Rohlf and Yan Ivnitskiy, Aug 2011
• Bypass DEP and CFG using JIT compiler in Chakra engine
  • Yang Yu AKA tombkeeper, Dec 2015
Issue 1: RWX Page
Issue 1: RWX Page
• RWX pages are a disaster for mitigations
• Avoiding RWX pages seems obvious
• Many popular programs still use RWX pages
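The slides that follow demonstrate RWX pages in shipping browsers. As an added example (not part of the deck), here is a small audit that lists the RWX regions of a process, the check a defender runs before the demos make the point for them. On Linux it parses `/proc/self/maps`; the `SAMPLE_MAPS` excerpt is constructed, not captured from a real process, so the parser can be exercised offline. On Windows it walks the address space with `VirtualQuery` and reports `PAGE_EXECUTE_READWRITE` / `PAGE_EXECUTE_WRITECOPY` regions. The names `rwx_region_t`, `find_rwx_in_maps` and `count_rwx_in_self` are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef struct { unsigned long long start, end; } rwx_region_t;

/* Constructed /proc/<pid>/maps excerpt (not from a real process): two rwx mappings among ordinary ones. */
static const char SAMPLE_MAPS[] =
    "55d0c2a00000-55d0c2a01000 r-xp 00000000 08:01 1234       /usr/bin/demo\n"
    "7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0\n"
    "7f3a1d000000-7f3a1d002000 rwxp 00000000 00:00 0\n"
    "7f3a1e000000-7f3a1e001000 rwxp 00000000 00:00 0\n"
    "7ffd10000000-7ffd10021000 rw-p 00000000 00:00 0          [stack]\n";

/* Parse maps text and collect every region whose permissions begin with "rwx".
 * Returns the total found and fills up to `max` entries of `out`. */
static size_t find_rwx_in_maps(const char *maps, rwx_region_t *out, size_t max) {
    size_t n = 0;
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* long pathnames are irrelevant to the permission check */
        memcpy(buf, line, len);
        buf[len] = '\0';
        unsigned long long s = 0, e = 0;
        char perms[5] = { 0 };
        if (sscanf(buf, "%llx-%llx %4s", &s, &e, perms) == 3 && strncmp(perms, "rwx", 3) == 0) {
            if (n < max) { out[n].start = s; out[n].end = e; }
            n++;
        }
        line = nl ? nl + 1 : NULL;
    }
    return n;
}

/* Walk the current process and return the number of RWX regions (first `max` recorded in `out`). */
static size_t count_rwx_in_self(rwx_region_t *out, size_t max) {
#ifdef _WIN32
    size_t n = 0;
    MEMORY_BASIC_INFORMATION mbi;
    for (unsigned char *addr = NULL; VirtualQuery(addr, &mbi, sizeof mbi) == sizeof mbi; addr += mbi.RegionSize) {
        DWORD prot = mbi.Protect & 0xFF;   /* drop PAGE_GUARD / PAGE_NOCACHE modifier bits */
        if (mbi.State == MEM_COMMIT && (prot == PAGE_EXECUTE_READWRITE || prot == PAGE_EXECUTE_WRITECOPY)) {
            if (n < max) {
                out[n].start = (unsigned long long)(uintptr_t)addr;
                out[n].end = out[n].start + mbi.RegionSize;
            }
            n++;
        }
    }
    return n;
#else
    static char text[1 << 20];   /* /proc/self/maps read in one go; 1 MiB is plenty for a small process */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    size_t got = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[got] = '\0';
    return find_rwx_in_maps(text, out, max);
#endif
}

int main(void) {
    rwx_region_t r[16];
    size_t n = find_rwx_in_maps(SAMPLE_MAPS, r, 16);
    printf("sample: %zu rwx region(s)\n", n);
    for (size_t i = 0; i < n && i < 16; i++) printf("  %llx-%llx\n", r[i].start, r[i].end);
    n = count_rwx_in_self(r, 16);
    printf("this process: %zu rwx region(s)\n", n);
    return 0;
}
```

Pointing `count_rwx_in_self` at another process (`VirtualQueryEx` with a handle, or `/proc/<pid>/maps`) gives the same listing for a running browser; a JIT that follows the rest of this deck should show none.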
Issue 1: RWX Page
DEMO
Issue 1: RWX Page
• Chrome
  • V8 JavaScript Engine
  • v8::internal::Code is allocated with PAGE_EXECUTE_READWRITE
Issue 1: RWX Page
Issue 1: RWX Page
• Opera
  • V8 JavaScript Engine
DEMO
Issue 1: RWX Page
Issue 1: RWX Page
• Firefox
  • SpiderMonkey JavaScript Engine
  • RWX pages have been removed since version 46
Issue 1: RWX Page
• Firefox
  • Still uses RWX pages
DEMO
Issue 1: RWX Page
Issue 1: RWX Page
• IE & Edge
  • Chakra JavaScript Engine
  • No RWX pages
Issue 1: RWX Page
• IE & Edge
  • There used to be a more general issue
DEMO
Issue 1: RWX Page
• What is this RWX page?
  • ATL Thunk Pool
Issue 1: RWX Page
• How is the ATL Thunk Pool allocated?
  • __AllocStdCallThunk_cmn allocates it with PAGE_EXECUTE_READWRITE
Issue 1: RWX Page
• Where is the ATL Thunk Pool?
  • (diagram) Module!__AtlThunkPool, PEB +0x034 AtlThunkSListPtr32, __AtlThunkHead, and the RWX page holding the Thunk entries
Issue 1: RWX Page
• Who uses the ATL Thunk Pool? (three screenshot slides)
Issue 1: RWX Page
• Fix of the issue
  • A new library, atlthunk.dll, is introduced
  • AtlThunk_AllocateData is called instead of __AllocStdCallThunk_cmn
  • No RWX page anymore
Issue 2: Bad Neighbor
Issue 2: Bad Neighbor
• Is RWX necessary?
• Not at the same time
  • When preparing shellcode, RW is enough
  • When executing shellcode, X is enough
Issue 2: Bad Neighbor
• How Chakra manages JIT code
  • (diagram) The buffer page starts as PAGE_EXECUTE; VirtualProtect switches it to PAGE_EXECUTE_READWRITE, memcpy_s copies the JIT code in, and VirtualProtect switches it back to PAGE_EXECUTE
Issue 2: Bad Neighbor
• The granularity of VirtualProtect is the page
Issue 2: Bad Neighbor
• Bad neighbor
  • (diagram) Same flow as before, but VirtualProtect changes the whole page, so while one buffer is being written the other buffer sharing that page is PAGE_EXECUTE_READWRITE as well
Issue 2: Bad Neighbor
• How Chakra allocates a buffer for JIT
  • Allocate from CustomHeap
  • Try to find an existing page in the buckets
    • PAGE_EXECUTE
  • Allocate a new page if that fails
    • PAGE_READWRITE
  • The buffer is allocated from that page
DEMO
Issue 2: Bad Neighbor
• Fix of the issue
  • (diagram) Same flow, but the unused part of the page is sanitized with 0xcc while the page is writable, before VirtualProtect reverts it to PAGE_EXECUTE
Issue 3: Unsecure Default Behavior
Issue 3: Unsecure Default Behavior
• Review of the previous issue: new page
  • (diagram) A new page goes through the same PAGE_EXECUTE → PAGE_EXECUTE_READWRITE → memcpy_s → PAGE_EXECUTE flow, with the unused buffers sanitized to 0xcc
Issue 3: Unsecure Default Behavior
• Review of the previous issue: existing page
  • (diagram) An existing page already holds several JIT code blocks next to the buffers being written; the page goes through the same protection flow and the 0xcc sanitization covers the buffers
Issue 3: Unsecure Default Behavior
• Only the remaining part is sanitized
  • (diagram) The 0xcc fill covers only the unused buffers; the JIT code already in the page is left as is
Issue 3: Unsecure Default Behavior
• Problem
  • The existing page is PAGE_EXECUTE
  • We can not write shellcode there
• Solution
  • CustomHeap searches the buckets for an existing page
  • We can control which page is used by inserting a fake one
    • PAGE_READWRITE
Issue 3: Unsecure Default Behavior
• Why did CFG not prevent those exploits?
Issue 3: Unsecure Default Behavior
• CFG is not enabled by default
  • VirtualAlloc will set all locations in the pages as valid
  • Unless PAGE_TARGETS_INVALID is explicitly set
Issue 3: Unsecure Default Behavior
• CFG is not enabled by default
  • VirtualProtect will update all locations in the pages as valid
  • Unless PAGE_TARGETS_NO_UPDATE is explicitly set
Issue 3: Unsecure Default Behavior
• CFG is not enabled by default
  • Maybe for compatibility reasons
  • Otherwise SetProcessValidCallTargets must be called explicitly
Issue 3: Unsecure Default Behavior
• Fix of the issue
  • Enable CFG in the JIT explicitly
Conclusion
• Current JIT implementations are not secure enough
• Guidelines should be followed to implement a JIT securely
Recommended Practice
• When allocating a buffer for JIT
  • Allocate a page with PAGE_READWRITE | PAGE_TARGETS_INVALID
  • Sanitize the whole page
  • Convert the page to PAGE_EXECUTE | PAGE_TARGETS_NO_UPDATE
  • Add the page to the Buffer Manager
Recommended Practice
• When writing code to a buffer
  • Get a page from the Buffer Manager
  • Verify that the page is still PAGE_EXECUTE
  • Convert the page to PAGE_EXECUTE_READWRITE | PAGE_TARGETS_NO_UPDATE
  • Copy the code to the page
  • Sanitize the unused part of that page
  • Revert the page to PAGE_EXECUTE | PAGE_TARGETS_NO_UPDATE
  • Call SetProcessValidCallTargets for the entrance
Call to Action
• Never use PAGE_EXECUTE_READWRITE
• Always sanitize unused memory in the same Page
• Always enable CFG explicitly
Questions?