Open Bug 1853553 Opened 1 year ago Updated 1 year ago

Implement something like Safari's "Bulletproof JIT" or secure dynamic code generation (SDCG) to harden JIT

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)



UNCONFIRMED

People

(Reporter: Tom25519, Unassigned)

References

(Blocks 2 open bugs)

Details

Something similar to Safari's "Bulletproof JIT" would have been a better approach, utilising two separate mappings — one writable and one executable, with the writable mapping being placed at a secret location in memory, concealed via execute-only memory. Similarly, secure dynamic code generation (SDCG) would also be a better approach — SDCG works by dynamically generating code inside a separate, trusted process. This means that it's not easily exploitable from within an untrusted renderer because the code is always read-only under all circumstances.

Bulletproof JIT
https://googleprojectzero.blogspot.com/2020/09/jitsploitation-three.html
Secure dynamic code generation (SDCG)
https://www.ndss-symposium.org/wp-content/uploads/2017/09/09_2_2.pdf

SDCG seems better.
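The dual-mapping half of the Bulletproof JIT scheme described above, written as an added example in C; it is not code from this bug, from WebKit or from SpiderMonkey. It assumes Linux (memfd_create) and x86-64 for the native call, and it does not model the secret writable address or the execute-only write trampoline, only the split between a writable and an executable view of the same pages.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Dual-mapped JIT region: the same physical pages appear twice in the
 * address space, once writable (rw) and once executable (rx). Code is
 * emitted through rw and only ever executed through rx, so no page is
 * ever writable and executable at the same time. (Assumed layout for
 * this example; a real engine would also hide the rw address.) */
struct jit_region { uint8_t *rw; uint8_t *rx; size_t size; };

int jit_region_create(struct jit_region *r, size_t size) {
    int fd = memfd_create("jit-demo", MFD_CLOEXEC);   /* Linux-only */
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) != 0) { close(fd); return -1; }
    r->rw = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    r->rx = mmap(NULL, size, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    close(fd);                          /* the two mappings keep the pages alive */
    if (r->rw == MAP_FAILED || r->rx == MAP_FAILED) return -1;
    r->size = size;
    return 0;
}

/* Emit x86-64 `mov eax, imm32; ret` through the writable view only. */
size_t jit_emit_return_const(struct jit_region *r, int32_t value) {
    uint8_t code[6] = { 0xB8 };
    memcpy(code + 1, &value, 4);        /* little-endian imm32 */
    code[5] = 0xC3;
    memcpy(r->rw, code, sizeof code);
    return sizeof code;
}

/* Both views alias the same pages, so bytes stored via rw show up via rx. */
int jit_views_match(const struct jit_region *r, size_t len) {
    return memcmp(r->rw, r->rx, len) == 0;
}

/* Execute through the rx view; returns -1 on non-x86-64 hosts. */
int jit_call(const struct jit_region *r) {
#if defined(__x86_64__)
    int (*fn)(void) = (int (*)(void))r->rx;
    return fn();
#else
    (void)r; return -1;
#endif
}

int main(void) {
    struct jit_region r;
    if (jit_region_create(&r, 4096) != 0) return 1;
    size_t n = jit_emit_return_const(&r, 42);
    printf("views match: %d, call: %d\n", jit_views_match(&r, n), jit_call(&r));
    return 0;
}
```

Writing through the rx pointer would fault, which is the property the scheme relies on; an attacker who can only reach the rx view cannot patch the emitted code.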

While I appreciate the intent, a "Bulletproof JIT" using another process to generate the JIT code had been discussed in the past, in 2017, after Chakra's implementation.

The problem is that even if we were to implement the same mechanism, the fact that JIT Spraying exists and that the generated code is readable implies that any hardening such as NOP insertions or Constant blinding can be worked around simply by using some brute-force method until the shell code is being produced by the JIT.

Also making a JIT out-of-process implies that one should be able to validate the input given to this process, because it would be as easy to let the JIT process know to not generate a guard where one is expected.

Personally I would think that the first steps would be to either improve CFI, and / or improve on X-Only memory implementation.
Moving the JIT out of process is not yet possible but we are getting closer. However our JIT still keeps some objects alive to prevent the GC from collecting these.

Severity: -- → N/A
Priority: -- → P3

How about SDCG (secure dynamic code generation)? By the way, it seems like OOP JIT: https://bugzilla.mozilla.org/show_bug.cgi?id=1348341, are they the same thing?
