New Trends in Browser Exploitation: Attacking Client-Side JIT Compilers

Conference:  BlackHat USA 2018



The talk explores the security implications of just-in-time compilers for JavaScript in web browsers, which are becoming an increasingly attractive target for attackers due to their complexity and potential vulnerabilities.
  • JavaScript engines consist of a parser, interpreter/JIT compiler, runtime, and garbage collector
  • JIT compilers are built into JavaScript engines to optimize performance by converting JavaScript code into machine code at runtime
  • JIT compilers have a large attack surface and vulnerabilities found in them are often easily exploitable
  • A specific JIT compiler vulnerability in WebKit was used to successfully exploit Safari on macOS in Pwn2Own 2018
  • The performance versus security trade-off in JIT compilers favors performance, making them a future-proof target for attackers

The speaker discusses a specific JIT compiler vulnerability in WebKit that was used to exploit Safari on macOS in Pwn2Own 2018. The vulnerability was easily exploitable and yielded a near 100% reliable exploit that completed within a few milliseconds.


As finding reliably exploitable vulnerabilities in web browser engines becomes gradually harder, attackers turn to previously less explored areas of the code. One of these seems especially interesting: just-in-time (JIT) compilers built into the JavaScript engines to maximize their performance by turning JavaScript code into optimized machine code at runtime. With commonly multiple tiers of JIT compilers (that is, multiple different compilers) and an excessive focus on performance at the cost of added complexity, they are an attractive target for security researchers. Furthermore, the bugs found in them often turn out to be easily and reliably exploitable. Last but not least, JIT compilers appear to be "future proof" targets, as their prevalence (and complexity) will likely continue to grow in the future. This talk will explore the inner workings of JIT compilers for the JavaScript language with a focus on security-relevant aspects. First, the challenges faced by such compilers as well as the common solutions implemented by the most prominent engines will be described. Afterwards, the attack surface of client-side JIT compilers will be explored, together with a discussion of the rather unique vulnerabilities frequently found in them. Finally, a specific but fairly typical JIT compiler vulnerability will be presented, along with the process of its discovery. This vulnerability was used in Pwn2Own 2018 to successfully exploit Safari on macOS. A brief walkthrough of its exploitation, yielding a near 100% reliable exploit that completes within a few milliseconds, will conclude this talk.


