Attacking Clientside JIT Compilers

Black Hat USA 2011

Presented by: Yan Ivnitskiy, Chris Rohlf
Date: Wednesday August 03, 2011
Time: 11:15 - 12:30
Location: Roman
Track: Breaking Software

Just-In-Time (JIT) compilers help power most modern web browsers and are prevalent in managed runtimes such as the JVM and .NET. A JIT postpones deriving machine code from an intermediate format (bytecode or an IR) until execution time and can substantially increase the performance of interpreted code. Because JITs are optimized for execution speed and, by design, write machine code into memory at runtime, they raise a number of security issues. Our research surveys competing JIT designs to evaluate their comparative maturity and deep-dives on the Mozilla JavaScript and LLVM JITs. We wrote grammar fuzzers for ECMAScript/JavaScript and LLVM IR to expose security vulnerabilities, focusing on memory corruption and information leaks. We also evaluate how JIT engines may be used to bypass memory protections such as DEP and ASLR.

In addition to our destructive fuzzers we created a reusable toolchain, jitter, to assist in our research. The jitter tools are built on the Ragweed dynamic debugging library to track, disassemble and analyze JIT page allocations in real time. They are useful both to JIT engine developers and to vulnerability researchers for generically analyzing JIT behavior. The security community has only begun to explore these complex components; we believe our ideas, tools and results will apply to other JIT compilers and help advance security research on the modern web browsers and language runtimes that use them.
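The abstract refers to tracking JIT page allocations without saying what such a check looks like. The script below is an added example for this page, not the jitter or Ragweed code from the talk: it parses a Linux /proc/<pid>/maps listing (a constructed SAMPLE_MAPS is embedded so it runs offline; passing a pid on the command line reads a live process, which assumes Linux) and reports anonymous executable mappings, the usual home of JIT-emitted code. Regions that are both writable and executable are flagged separately, since a persistent RWX page is what lets an attacker who controls JIT output, or who holds a write primitive, place code without defeating DEP at all.

```python
#!/usr/bin/env python3
"""Find JIT-style code pages in a Linux /proc/<pid>/maps listing.

Added example; not the jitter/Ragweed toolchain from the talk. Parses maps
text (SAMPLE_MAPS below, or /proc/<pid>/maps when a pid is given; Linux is
assumed) and lists anonymous executable mappings, flagging RWX ones.
"""
import re
import sys
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Constructed sample resembling a JS engine process: one RWX JIT region,
# one R-X JIT region (W^X engine that flips W off after emitting), plus
# the usual file-backed and kernel-named mappings that must NOT be flagged.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310857                            /usr/bin/js
00651000-00652000 rw-p 00051000 08:01 1310857                            /usr/bin/js
01a2c000-01a6f000 rw-p 00000000 00:00 0                                  [heap]
7f3c2a000000-7f3c2a100000 rwxp 00000000 00:00 0
7f3c2c400000-7f3c2c410000 r-xp 00000000 00:00 0
7f3c2c800000-7f3c2c9c0000 r-xp 00000000 08:01 1049123                    /usr/lib/libc.so.6
7ffd1f7e0000-7ffd1f801000 rw-p 00000000 00:00 0                          [stack]
7ffd1f8f2000-7ffd1f8f4000 r-xp 00000000 00:00 0                          [vdso]
"""


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def anonymous(self) -> bool:
        # No backing file and no kernel name ([heap], [stack], [vdso], ...):
        # plain mmap'd memory, which is where JIT caches are allocated.
        return self.path == ""


def parse_maps(text: str) -> list:
    """Parse maps text into Mapping objects; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def jit_candidates(mappings) -> list:
    """Anonymous executable regions: code that no file on disk accounts for."""
    return [m for m in mappings if m.executable and m.anonymous]


def rwx_regions(mappings) -> list:
    """Executable regions that are also writable (anonymous or not)."""
    return [m for m in mappings if m.executable and m.writable]


def report(mappings) -> list:
    """One formatted line per JIT candidate, tagged RWX or R-X."""
    lines = []
    for m in jit_candidates(mappings):
        tag = "RWX" if m.writable else "R-X"
        lines.append(f"{m.start:016x}-{m.end:016x} {m.perms} {m.size:>8} bytes  {tag} anon")
    return lines


def main(argv):
    if len(argv) > 1:
        with open(f"/proc/{argv[1]}/maps") as fh:  # assumes Linux procfs
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    maps = parse_maps(text)
    for line in report(maps):
        print(line)
    print(f"{len(rwx_regions(maps))} RWX region(s) among {len(maps)} mappings")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a live browser or shell-based engine process and compare the R-X and RWX lines over time: an engine that enforces W^X will show anonymous executable regions that are only briefly writable, while a persistent RWX line is the configuration the DEP-bypass discussion in the abstract is about. A snapshot of /proc maps is coarse compared with breakpointing the allocator as a debugger-based tool can, but it needs no instrumentation and is enough to see which engines still hand out writable code pages.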

Yan Ivnitskiy

Yan Ivnitskiy is a security consultant for Matasano Security with five years' experience as a security researcher. Prior to Matasano Security, Yan was an analyst for the Department of Defense. Yan received his BS and MS degrees in Computer Science from Polytechnic University.

Chris Rohlf

Chris Rohlf is a Principal Security Consultant with Matasano Security in NYC. He has spent the last eight years as a security developer, consultant and vulnerability researcher for organizations including the US Department of Defense. Chris has published many security advisories in widely used software, authored reverse engineering tools and won second place in Google's Native Client security contest. Chris has previously spoken at industry conferences including Black Hat 2009.
