JITBULL: Securing JavaScript Runtime with a Go/No-Go Policy for JIT Engine

Bibliographic details

Published in: Proceedings - International Conference on Dependable Systems and Networks, pp. 156-168
Main authors: Decourcelle, Jean-Baptiste; Teabe, Boris; Hagimont, Daniel
Format: Conference paper
Language: English
Published: IEEE, 24 June 2024
ISSN: 2158-3927
Online access: Full text

Description
Abstract: Nowadays, most services are delivered through the web and thus heavily rely on JavaScript (JS). To accommodate the need for more performance, JS runtimes integrated Just-In-Time (JIT) compilation engines, which compile frequently-called portions of code for faster execution. To produce efficient machine code, the JIT applies complex optimization passes on the code in question. However, inadequate modeling of the side effects of these optimizations can introduce vulnerabilities in certain optimization passes. Such vulnerabilities are regularly discovered, and often have a high impact. Once a vulnerability is identified, it is eventually patched, but not without involving several steps (development, testing, release, user consent), leaving the system vulnerable for a relatively long period: the vulnerability window. We propose JITBULL, a solution that secures the JIT engines of JS runtimes during the vulnerability window by leveraging a vulnerability's demonstrator codes. To that end, JITBULL extracts the effects of JIT compiler optimization passes on said vulnerability demonstrator codes. For every subsequent JITed code, JITBULL compares the effects of its optimization passes with those on the demonstrator codes. If similarities are detected, JITBULL assumes that the currently executing script may be malicious and disables the related optimization passes, or if that's not possible, the whole JIT engine. We implemented JITBULL in Firefox's JS runtime (SpiderMonkey) and tested it against several known vulnerabilities with public demonstrator codes. Our results demonstrate that JITBULL consistently safeguards the JIT engine against exploitation by a variant of a known vulnerability. Moreover, we show that JITBULL exhibits a false positive rate of less than 5 % on the JS Octane benchmark suite, while causing an acceptable overhead of less than 20 %.
DOI: 10.1109/DSN58291.2024.00028