
Attacking the Web Browser: ROP Gadget Injection Targeting Script Code Blocks
Citation: YUAN Ping-Hai, ZENG Qing-Kai, ZHANG Yun-Jian, LIU Yao. Attacking Web Browser: ROP Gadget Injection by Using JavaScript Code Blocks [J]. Journal of Software, 2020, 31(2): 247-265.
Authors: YUAN Ping-Hai, ZENG Qing-Kai, ZHANG Yun-Jian, LIU Yao
Affiliation (all four authors): Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China
Funding: National Natural Science Foundation of China (61572248, 61431008, 61321491); National Key Technology Research and Development Program (2012BAK26B01)
Abstract: Just-in-time (JIT) compilation improves the performance of web browsers executing JavaScript, but it also makes it easier for an attacker to inject malicious code into the browser process. With the help of the JIT compiler, an attacker can have integer constants from a script placed into the dynamic code cache, and thereby inject fragments of malicious binary code (called gadgets). Detoxification measures such as constant blinding have effectively contained constant-based injection. This paper shows that gadget injection can also be carried out without constants, by filling the script with code blocks, and that the injected gadgets achieve Turing-complete computation. When compiling a given piece of script code, the dynamic code generated by the JIT compiler usually contains some fixed machine instruction sequences. The existence of these sequences is unaffected by security mechanisms such as constant blinding and address space layout randomization, and the sequences may contain the gadgets an attacker wants. To mount an attack, the attacker assembles particular script code blocks into an attack script and then relies on the JIT compiler to inject the gadgets. The feasibility of this injection attack is evaluated on the x86-64 architecture against two open-source JIT engines, SpiderMonkey and Google V8. Feeding a large number of JavaScript scripts into the two engines yields a rich collection of dynamic code blocks, and statistical analysis of these blocks shows that the dynamic code generated by both engines contains Turing-complete gadget sets. In real attack scenarios, the set of scripts available to an attacker fully contains, and is far larger than, the scripts used in the experiments. An attacker can therefore use this method to inject the gadgets needed to construct return-oriented programming (ROP) code that implements arbitrary functionality.

Keywords: web browser; just-in-time compilation; just-in-time return-oriented programming; ROP (return-oriented programming); gadget injection; Turing-complete computation
Received: 2017-06-21
Revised: 2017-09-05

Attacking Web Browser: ROP Gadget Injection by Using JavaScript Code Blocks
YUAN Ping-Hai,ZENG Qing-Kai,ZHANG Yun-Jian and LIU Yao.Attacking Web Browser: ROP Gadget Injection by Using JavaScript Code Blocks[J].Journal of Software,2020,31(2):247-265.
Authors: YUAN Ping-Hai, ZENG Qing-Kai, ZHANG Yun-Jian, LIU Yao
Affiliation (all four authors): Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China
Abstract: Modern web browsers use just-in-time (JIT) compilation to speed up the execution of JavaScript applications. However, attackers have already abused this mechanism to inject malicious code. For instance, because JIT compilers may place JavaScript integers into the code cache as immediate operands of machine instructions, attackers can inject return-oriented programming (ROP) gadgets by crafting JavaScript integers. Integer-based injection has since been mitigated by techniques such as constant blinding. This work demonstrates that attackers can also inject ROP gadgets by using JavaScript code blocks instead of integer values. The scheme rests on the observation that the dynamic code a JIT compiler generates for a given JavaScript snippet always contains some immutable machine instruction sequences. The existence of these sequences is not affected by security mechanisms such as constant blinding and address space layout randomization, and the sequences may contain the ROP gadgets an attacker needs. Attackers can therefore use JavaScript code blocks to obtain these gadgets. The proposed injection scheme is evaluated on SpiderMonkey and Google V8 running on the x86-64 architecture. Feeding the two JIT engines JavaScript applications from well-known benchmarks yields a great many dynamic code blocks, and statistical analysis shows that Turing-complete gadget sets can be obtained from them. In real-world attack scenarios, the JavaScript applications available to an adversary contain, and far outnumber, those from the benchmarks. An adversary can therefore apply the proposed scheme to inject the gadgets needed to construct ROP code that performs arbitrary computation.
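The contrast the abstract draws, between immediates that constant blinding can scrub and compiler-fixed instruction sequences that it cannot, is easiest to see on bytes. The following is an added example, not code from the paper or from SpiderMonkey or V8: a toy x86-64 "JIT" in C that compiles the constructed snippet `function f(a) { return a ^ 0x3c909090; }` once without and once with constant blinding, then scans the emitted bytes at every offset the way a gadget finder would. The instruction selection, the blinding key 0xDEADBEEF and the buffer layout are assumptions chosen for illustration; the x86 encodings themselves are standard.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a JIT code cache (an assumption for this example, not the
 * real allocator of either engine): a small fixed byte buffer. */
#define CACHE_MAX 64
typedef struct { uint8_t buf[CACHE_MAX]; size_t len; } code_cache;

static void emit(code_cache *c, const uint8_t *bytes, size_t n) {
    if (c->len + n > CACHE_MAX) return;          /* toy: silently drop on overflow */
    memcpy(c->buf + c->len, bytes, n);
    c->len += n;
}

static void emit_imm32(code_cache *c, uint8_t opcode, uint32_t imm) {
    uint8_t insn[5];
    insn[0] = opcode;
    memcpy(insn + 1, &imm, 4);                   /* x86 immediates are little-endian */
    emit(c, insn, 5);
}

/* Sequences the code generator itself emits for every such function; they are
 * fixed by the compiler template, not by any value in the script. */
static const uint8_t XOR_EAX_EDI[] = { 0x31, 0xF8 };   /* xor eax, edi   */
static const uint8_t EPILOGUE[]    = { 0x5D, 0xC3 };   /* pop rbp ; ret  */

/* Compile the constructed snippet  function f(a) { return a ^ K; }  the way a
 * naive baseline JIT might, with the argument already in edi:
 *   mov eax, K ; xor eax, edi ; pop rbp ; ret */
static void jit_unblinded(code_cache *c, uint32_t k) {
    emit_imm32(c, 0xB8, k);                      /* mov eax, imm32 */
    emit(c, XOR_EAX_EDI, sizeof XOR_EAX_EDI);
    emit(c, EPILOGUE, sizeof EPILOGUE);
}

/* Same snippet with constant blinding: K never reaches the code cache, it is
 * rebuilt at run time as (K ^ key) ^ key. */
static void jit_blinded(code_cache *c, uint32_t k, uint32_t key) {
    emit_imm32(c, 0xB8, k ^ key);                /* mov eax, K ^ key */
    emit_imm32(c, 0x35, key);                    /* xor eax, imm32   */
    emit(c, XOR_EAX_EDI, sizeof XOR_EAX_EDI);
    emit(c, EPILOGUE, sizeof EPILOGUE);
}

/* Gadget finder: count a byte pattern at ANY offset of the cache. x86 has
 * variable-length instructions, so a pattern that ignores the compiler's
 * instruction boundaries is still executable from its own first byte. */
static int count_pattern(const code_cache *c, const uint8_t *pat, size_t n) {
    int hits = 0;
    for (size_t i = 0; i + n <= c->len; i++)
        if (memcmp(c->buf + i, pat, n) == 0) hits++;
    return hits;
}

/* The attacker's constant. Decoded one byte into the mov, its bytes
 * 90 90 90 3C read as  nop ; nop ; nop ; cmp al, imm8  (the JIT-spray shape). */
#define PAYLOAD_CONST 0x3C909090u
static const uint8_t PAYLOAD_BYTES[] = { 0x90, 0x90, 0x90, 0x3C };
#define BLIND_KEY 0xDEADBEEFu                    /* assumed per-compilation key */

/* Times the attacker's bytes land in the cache without blinding. */
int unblinded_payload_hits(void) {
    code_cache c = { {0}, 0 };
    jit_unblinded(&c, PAYLOAD_CONST);
    return count_pattern(&c, PAYLOAD_BYTES, sizeof PAYLOAD_BYTES);
}

/* ... and with blinding: the immediate is now K ^ key, the payload is gone. */
int blinded_payload_hits(void) {
    code_cache c = { {0}, 0 };
    jit_blinded(&c, PAYLOAD_CONST, BLIND_KEY);
    return count_pattern(&c, PAYLOAD_BYTES, sizeof PAYLOAD_BYTES);
}

/* The fixed epilogue  pop rbp ; ret  is a usable gadget in BOTH versions:
 * blinding rewrites immediates, not the code generator's own templates. */
int epilogue_gadgets(int blinded) {
    code_cache c = { {0}, 0 };
    if (blinded) jit_blinded(&c, PAYLOAD_CONST, BLIND_KEY);
    else         jit_unblinded(&c, PAYLOAD_CONST);
    return count_pattern(&c, EPILOGUE, sizeof EPILOGUE);
}

int main(void) {
    printf("payload hits: unblinded=%d blinded=%d\n",
           unblinded_payload_hits(), blinded_payload_hits());
    printf("pop rbp; ret gadgets: unblinded=%d blinded=%d\n",
           epilogue_gadgets(0), epilogue_gadgets(1));
    return 0;
}
```

Without blinding the cache is `B8 90 90 90 3C 31 F8 5D C3`; starting execution at offset 1 yields `nop; nop; nop; cmp al, 0x31; clc; pop rbp; ret`, the attacker's chosen bytes. With blinding the immediate becomes `7F 2E 3D E2` followed by `35 EF BE AD DE`, and the payload pattern is gone. What survives in both caches is `5D C3`, the compiler's own epilogue; that is the kind of sequence the paper harvests by choosing script code blocks rather than constants, and why neither blinding nor ASLR (which moves the cache but not its contents) removes it.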
Keywords: web browser; just-in-time compilation; just-in-time return-oriented programming; ROP (return-oriented programming) gadget injection; Turing-complete computation
Indexed in: Wanfang Data and other databases.