JIT Spray Technique
What is JIT Spray
Adapted from Wikipedia
A just-in-time compiler(JIT) by definition produces code as its data. Since the purpose is to produce executable data, a JIT compiler is one of the few types of programs that cannot be run in a no-executable-data environment. Because of this, JIT compilers are normally exempt from data execution prevention. A JIT spray attack does heap spraying with the generated code.
A JIT is by definition a program whose output data is code. Because what it generates is executable data, a JIT compiler is one of the few kinds of program that must run in an environment where data is executable; for that reason, JIT compilers are normally exempt from data execution prevention. A JIT spray attack heap-sprays the code the JIT generates.
The input program, typically JavaScript or ActionScript, typically contains numerous constant values that can be erroneously executed as code.
The input program is usually JavaScript or ActionScript, and it usually contains a large number of constants that can be mistakenly executed as code. Consider the following example:
var a = (0x11223344^0x44332211^0x44332211^ ...);
The JIT compiles this bytecode into x86 machine code like the following:
0: b8 44 33 22 11 mov eax,0x11223344
5: 35 11 22 33 44 xor eax,0x44332211
a: 35 11 22 33 44 xor eax,0x44332211
The attacker then uses a suitable bug to redirect code execution into the newly generated code. For example, a buffer overflow or use after free bug could allow the attack to modify a function pointer or return address.
The attacker then uses a suitable bug to redirect control flow into the newly generated code. For example, a buffer overflow or use-after-free (UAF) bug could let the attacker modify a function pointer or a return address.
The attacker is usually not even limited to the expected instruction boundaries; it is possible to jump into the middle of an intended instruction to have the CPU interpret it as something else. As with non-JIT ROP attacks, this may be enough operations to usefully take control of the computer. Continuing the above example, jumping to the second byte of the "mov" instruction results in an "inc" instruction:
The attacker is usually not even limited to the intended instruction boundaries: they can jump into the middle of an instruction so that the CPU interprets the bytes as something else. Continuing the example above, jumping to the second byte of the mov instruction yields an inc instruction:
1: 44 inc esp
2: 33 22 xor esp,DWORD PTR [edx]
4: 11 35 11 22 33 44 adc DWORD PTR ds:0x44332211,esi
a: 35 11 22 33 44 xor eax,0x44332211
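As an added example (not code from the original post or from Wikipedia), the Python script below re-encodes the page's mov/xor sequence, checks whether the attacker-chosen immediates appear verbatim in the emitted bytes, and then applies constant blinding, the mitigation JIT engines use against this pattern: each immediate is XORed with a key before emission and unmasked by an extra xor at run time, so the byte pattern the script author chose never lands contiguously in executable memory. The key 0xA5A5A5A5, the two-opcode interpreter used to confirm that both code sequences compute the same eax, and the function names are all constructed for illustration.

```python
import struct

# Constants from the page's example expression: 0x11223344 ^ 0x44332211 ^ 0x44332211
PAGE_CONSTANTS = [0x11223344, 0x44332211, 0x44332211]


def mov_eax_imm32(imm):
    # b8 imm32 : mov eax, imm32 (immediate stored little-endian)
    return b"\xb8" + struct.pack("<I", imm & 0xFFFFFFFF)


def xor_eax_imm32(imm):
    # 35 imm32 : xor eax, imm32
    return b"\x35" + struct.pack("<I", imm & 0xFFFFFFFF)


def jit_unblinded(constants):
    """Naive emission, as on the page: every source-level immediate lands in the code verbatim."""
    code = mov_eax_imm32(constants[0])
    for c in constants[1:]:
        code += xor_eax_imm32(c)
    return code


def jit_blinded(constants, key):
    """Constant blinding: emit (c ^ key) and undo the mask with a second xor.
    The result in eax is identical to jit_unblinded, but the chosen constants
    never appear as contiguous bytes in the generated code."""
    code = mov_eax_imm32(constants[0] ^ key) + xor_eax_imm32(key)
    for c in constants[1:]:
        code += xor_eax_imm32(c ^ key) + xor_eax_imm32(key)
    return code


def contains_constant_bytes(code, constants):
    """Defender's check: does any source-controlled 32-bit immediate appear verbatim in the code?"""
    return any(struct.pack("<I", c & 0xFFFFFFFF) in code for c in constants)


def evaluate_eax(code):
    """Minimal interpreter for the two encodings emitted above (b8 imm32, 35 imm32);
    returns the final value of eax. Constructed for this example only."""
    eax, pc = 0, 0
    while pc < len(code):
        opcode = code[pc]
        imm = struct.unpack_from("<I", code, pc + 1)[0]
        if opcode == 0xB8:
            eax = imm
        elif opcode == 0x35:
            eax ^= imm
        else:
            raise ValueError("unsupported opcode 0x%02x at offset %d" % (opcode, pc))
        pc += 5
    return eax


if __name__ == "__main__":
    key = 0xA5A5A5A5  # constructed fixed key; a real JIT draws a fresh random key
    plain = jit_unblinded(PAGE_CONSTANTS)
    blind = jit_blinded(PAGE_CONSTANTS, key)
    print("unblinded:", plain.hex(), "leaks constants:", contains_constant_bytes(plain, PAGE_CONSTANTS))
    print("blinded:  ", blind.hex(), "leaks constants:", contains_constant_bytes(blind, PAGE_CONSTANTS))
    print("same result: %s (eax = 0x%08x)" % (evaluate_eax(plain) == evaluate_eax(blind), evaluate_eax(blind)))
```

The unblinded output starts with the bytes b8 44 33 22 11 35 11 22 33 44, exactly the listing above; the blinded output computes the same eax but contains neither 44 33 22 11 nor 11 22 33 44, which is the property that removes the attacker's control over the byte stream the misaligned jump would decode.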