DocumentCode :
1803524
Title :
JITScope: Protecting web users from control-flow hijacking attacks
Author :
Chao Zhang ; Niknami, Mehrdad ; Chen, Kevin Zhijie ; Chengyu Song ; Zhaofeng Chen ; Song, Dawn
Author_Institution :
Univ. of California, Berkeley, Berkeley, CA, USA
fYear :
2015
fDate :
April 26 2015-May 1 2015
Firstpage :
567
Lastpage :
575
Abstract :
Web browsers are one of the most important end-user applications to browse, retrieve, and present Internet resources. Malicious or compromised resources may endanger Web users by hijacking web browsers to execute arbitrary malicious code in the victims' systems. Unfortunately, the widely-adopted Just-In-Time compilation (JIT) optimization technique, which compiles source code to native code at runtime, significantly increases this risk. By exploiting JIT compiled code, attackers can bypass all currently deployed defenses. In this paper, we systematically investigate threats against JIT compiled code, and the challenges of protecting JIT compiled code. We propose a general defense solution, JITScope, to enforce Control-Flow Integrity (CFI) on both statically compiled and JIT compiled code. Our solution furthermore enforces the W⊕X policy on JIT compiled code, preventing the JIT compiled code from being overwritten by attackers. We show that our prototype implementation of JITScope on the popular Firefox web browser introduces a reasonably low performance overhead, while defeating existing real-world control flow hijacking attacks.
Keywords :
Internet; data protection; online front-ends; source code (software); CFI; Firefox Web browser; Internet resources; JIT compiled code; JIT optimization technique; JITScope; W⊕X policy; Web user protection; arbitrary malicious code; control-flow hijacking attacks; control-flow integrity; just-in-time compilation; source code compilation; Browsers; Engines; Instruments; Layout; Runtime; Safety; Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Communications (INFOCOM), 2015 IEEE Conference on
Conference_Location :
Kowloon
Type :
conf
DOI :
10.1109/INFOCOM.2015.7218424
Filename :
7218424
Link To Document :