Thinking Outside the JIT Compiler: Understanding and Bypassing StructureID Randomization with Generic and Old-School Methods

In the last two years, lots of JIT compiler bugs have been found in the major browsers. For Safari, the most common way of exploiting a JIT bug in the JavaScriptCore engine is to construct the addrOf/fakeObj primitives[1]. And with those primitives, the arbitrary Read/Write ability can be easily gained. Specifically, it's indispensable that an attacker needs a valid Structure ID to fake a JSCELL during exploitation. So the well-known technique - spraying the Structures to predict the IDs is introduced in 2016[2]. In the early of this year, WebKit introduces the StructureID Randomization mitigation[3]. And recently it has been enabled in the latest official release of *OS(i.e. iOS 12.4). So predicting the Structure ID by spraying can't work anymore.In this talk, we will detail our new and generic methods to bypass StructureID Randomization mitigation, which allows an attacker to construct the addrOf/fakeObj primitives and gain the arbitrary Read/Write ability smoothly. Unlike the bug-specific and JIT compiler related way to bypass this mitigation[4], our generic and old-school methods have not been thoroughly presented in any previous talks. We believe our talk will inspire the design of more effective mitigations.References:[1] https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf[2] http://www.phrack.org/papers/attacking_javascript_engines.html[3] https://github.com/WebKit/webkit/commit/f19aec9c6319a216f336aacd1f5cc75abba49cdf[4] http://iokit.racing/jsctales.pdf