Conversation

When using out-of-process JIT (As in Edge), the JIT code is RO in JIT process. Thus, CFI hashes compared on fwd-edges and the compare itself are in RO mem. i.e. XFG/RAP fwd-edges still work. Same is true for RAP backward-edges (ret hashes and compares are in RO memory as-well).

Halvar Flake

@halvarflake

Jun 17, 2020

Replying to

@Liran_Alon

@grsecurity

and 3 others

I was not talking about writing to +x pages. If any +X address space is ever reused -> break.

Replying to

Right. So can you elaborate why would attacker's arbitrary read/write break RAP's CFI? Shadow-stack should also always remain read-only. In RFG it was only hidden but still writable which lead it indeed to be not effective, but this isn't true for CET-like shadow-stack.

Replying to

Arbitrary RW means I can have a callchain that goes from C++FuncA -> JITedCodeB -> C++FuncC, and I can then make the JIT engine garbage-collect JITedCodeB and put different code there. Not violating any CFI constraints, but executing arbitrary code.

Replying to

In short: CFI is bunk in an environment with a JIT that ever reuses +x address space.

Replying to

Oh cool. You are right. I haven't thought about that attack. Thanks! :)

Replying to

Now that Edge is based on Chromium, it also doesn't have that feature anymore. You can pass `--js-flags=--jitless` to Chromium (or Edge) to disable the JIT to only use the interpreter. It's compatible with ACG, PaX MPROTECT, SELinux !execmem, etc. Still, there's an interpreter...

Replying to

Consider a Python application. If an attacker has arbitrary write, they can make the interpreter run their own bytecode. In that case, the bytecode is fully trusted. Even if a JavaScript interpreter doesn't directly trust the bytecode it generated, an attacker can mess with it.

12:42 PM · Jun 17, 2020Twitter Web App

Replying to

That was one of my pet peeves with out-of-process-JIT'ing -- the only "safe" API to do that is pass the unparsed JS text.