Researcher Releases More Details on JIT-Spraying

Dion Blazakis provided me with a formal paper on the techniques he revealed yesterday to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) in Windows.

The technique is highly customized to Adobe's ActionScript, to the implementation details of the Flash environment, and to some characteristics of Windows memory allocation. Stated broadly, the attack uses a series of Flash SWF files to create data structures in memory containing binary code, uses the script interpreter and JIT to "spray" that code across many areas of memory, infers the actual addresses of the structures, and then invokes some exploit to transfer control of execution to the address of the sprayed code.

The JIT is a just-in-time compiler that translates ActionScript code to binary executable code rather than interpreting it live. The term "spraying" comes from the related "heap spray" technique popular in web-based exploits. DEP prevents executable code from running in data areas of memory, and ASLR makes it more difficult for attackers to predict locations of code in memory by randomizing the layouts.
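The defining trace of a spray, as described above, is volume: the same executable code ends up copied many times across a large span of anonymous (non-image-backed) memory, which is what lets an attacker guess a landing address despite ASLR. The following detection heuristic is an added example written for this page; it is not code from the article, from Dion Blazakis's paper, or from Adobe. It assumes a simplified, constructed model of a process memory map (`Region` records with a permissions string, a backing label and a stand-in for page contents) rather than a real memory reader, and the two sample maps are constructed.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One mapped region of a process (constructed model, not a real map parser)."""
    start: int
    size: int
    perms: str      # e.g. "rwx", "r-x", "rw-"
    backing: str    # "anon" for anonymous memory, otherwise an image path
    content: bytes  # stand-in for page contents; a real tool would read memory


def executable_anon(regions):
    """JIT output lives in executable, non-image-backed memory; loaded DLLs
    and plain data regions are not spray candidates."""
    return [r for r in regions if "x" in r.perms and r.backing == "anon"]


def spray_candidates(regions, min_copies=8, min_total_bytes=16 * 1024 * 1024):
    """Group executable anonymous regions by content hash.

    A spray shows up as many identical copies of one block of code covering a
    large total size; a normal JIT produces a handful of regions with distinct
    content. Thresholds are heuristic and would be tuned per application.
    """
    groups = defaultdict(list)
    for r in executable_anon(regions):
        groups[hashlib.sha256(r.content).hexdigest()].append(r)
    flagged = {}
    for digest, copies in groups.items():
        total = sum(r.size for r in copies)
        if len(copies) >= min_copies and total >= min_total_bytes:
            flagged[digest] = {
                "copies": len(copies),
                "bytes": total,
                "lowest": min(r.start for r in copies),
                "highest": max(r.start + r.size for r in copies),
            }
    return flagged


MIB = 1024 * 1024


def benign_map():
    """Constructed map: one DLL image, one data heap, three distinct JIT blocks."""
    return [
        Region(0x7FF00000, 2 * MIB, "r-x", "C:\\Windows\\System32\\example.dll", b"dll"),
        Region(0x00400000, 4 * MIB, "rw-", "anon", b"heap"),
        Region(0x05000000, 64 * 1024, "rwx", "anon", b"jit-func-1"),
        Region(0x05100000, 64 * 1024, "rwx", "anon", b"jit-func-2"),
        Region(0x05200000, 64 * 1024, "rwx", "anon", b"jit-func-3"),
    ]


def sprayed_map(copies=40):
    """Constructed map: the benign map plus many identical executable blocks."""
    regions = benign_map()
    for i in range(copies):
        regions.append(Region(0x0A000000 + i * MIB, MIB, "rwx", "anon", b"same-jit-block"))
    return regions


if __name__ == "__main__":
    for name, regions in (("benign", benign_map()), ("sprayed", sprayed_map())):
        print(name, spray_candidates(regions))
```

The benign map yields no candidates; the sprayed map yields one group of 40 identical 1 MiB executable regions spanning 40 MiB of address space. A production version would read the real map and page contents of the target process and compare hashes of executable pages rather than a constructed marker.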

DEP is not a problem in this attack because the JIT marks the pages as executable before executing them. ASLR is not a problem because the code

Source: Security Watch

Copyright © 2010 The Security Blog. All rights reserved.