This post reminded me of a 2009 #bluehat story (follows in this thread). We were talking to security researchers about attacks on browsers.
JITting JavaScript was a new thing at the time and we had not shipped it yet in #Chakra. In talking to visiting researchers at bluehat…
…we asked if they knew of any new browser attacks. One replied, “Sure, just write an exploit that calls a function with a lot of parameters.”
I had no idea what that meant or how it could help exploitation. So I went to @epakskape with this obscure clue.
He looked up and thought for a minute and said, “Oh yeah. OK.” He had figured it out.
@epakskape went on to explain that in JS, if you call a function like func(0xAAAAAAAA, 0xBBBBBBBB, ...), this is emitted as machine code:
PUSH 0xAAAAAAAA
PUSH 0xBBBBBBBB
…[many sequences follow]
CALL DWORD PTR[…]
This means the attacker can create JavaScript that will result in machine code where they control 80% of the executable code.
A clever spray and a return into this code at an unaligned offset would lead to a DEP bypass.
When we shipped JITting in Chakra, we had constant blinding, random NOP insertion, and random function alignment as mitigations.
Without the collaboration that happens at #bluehat, we may not have had these defenses worked out in time for Chakra.
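The following is an added illustration of the point in this thread, not Chakra code: a toy model of a JIT back end that emits the argument pushes for a call, first unblinded (showing the 80% figure the thread mentions: 4 attacker bytes out of every 5-byte PUSH imm32) and then with constant blinding, where each immediate is XORed with a per-function key so the caller's constants never appear verbatim in the code stream. The opcodes are real 32-bit x86 encodings; the key and the argument values are constructed for the demonstration.

```python
import os
import struct

# Toy JIT back end written for this note (not Chakra's). It models only the
# argument pushes for func(arg0, arg1, ...) with 32-bit immediates (cdecl,
# pushed right to left) and compares an unblinded emitter with a blinded one.

def emit_push_imm32(value):
    """PUSH imm32 (0x68 + little-endian value): 4 of 5 bytes are the constant."""
    return b"\x68" + struct.pack("<I", value)

def jit_call_naive(args):
    """Unblinded emitter: every attacker-chosen argument lands in the code as-is."""
    return b"".join(emit_push_imm32(a) for a in reversed(args))

def jit_call_blinded(args, key):
    """Blinded emitter: MOV EAX, (arg ^ key); XOR EAX, key; PUSH EAX.
    The raw constant is reconstructed in a register at run time, so neither
    the argument bytes nor any attacker-chosen byte pattern is laid down
    contiguously in executable memory."""
    code = b""
    for a in reversed(args):
        code += b"\xB8" + struct.pack("<I", a ^ key)   # MOV EAX, imm32 (blinded)
        code += b"\x35" + struct.pack("<I", key)       # XOR EAX, imm32 (key)
        code += b"\x50"                                # PUSH EAX
    return code

def constants_visible(code, args):
    """Arguments whose exact 4-byte encoding appears verbatim in the code."""
    return [a for a in args if struct.pack("<I", a) in code]

def controlled_fraction(code, args):
    """Share of code bytes that are attacker constants appearing verbatim."""
    controlled = 4 * len(constants_visible(code, args))
    return controlled / len(code)

if __name__ == "__main__":
    # Constructed sample arguments, as in the thread's func(0xAAAAAAAA, 0xBBBBBBBB, ...)
    args = [0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC]
    key = int.from_bytes(os.urandom(4), "little")      # fresh per-function key
    naive, blinded = jit_call_naive(args), jit_call_blinded(args, key)
    print("unblinded:", naive.hex(), "controlled:", controlled_fraction(naive, args))
    print("blinded:  ", blinded.hex(), "visible:", constants_visible(blinded, args))
```

Blinding roughly doubles the code for each constant, which is why real JITs pair it with the other mitigations the thread names (random NOP insertion and random function alignment) rather than relying on any one of them.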