Author(s): Ben Niu, Gang Tan

Download: Paper (PDF)

Date: 27 Jul 2015

Document Type: Briefing Papers

Associated Event: NDSS Symposium 2015


The JIT-ROP attack is an advanced ROP attack form targeting modern web browsers. It uses JavaScript to dynamically read code pages, harvest ROP gadgets, and compile the attack payload using these gadgets. To the best of our knowledge, there is no known defense against JIT-ROP.

We present an approach dubbed Chobham to taming JIT-ROP. Considering the entire browser as a JIT compiler, Chobham adopts RockJIT to secure the browser’s code and the JITcompiled code. Since RockJIT enforces fine-grained control-flow integrity, it makes chaining ROP gadgets significantly hard. Then, three additional methods are proposed to further secure the web browser. First, Chobham deploys input-triggered CFG generation to further improve the precision of the enforced CFG. Second, Chobham randomizes the order of callee-saved registers in function epilogues at load time, which makes it hard for attackers to reliably control registers using call-preceded gadgets. Third, Chobham allocates a dedicated heap zone for all sensitive C++ and JavaScript objects (e.g., DOM nodes), and sanitizes such objects’ data access methods to ensure their accesses fall in the heap zone. The code and stack are never in the heap zone to prevent the JavaScript code from reading code pages.