Exploiting and Protecting Dynamic Code Generation
Chengyu Song , Chao Zhang , Tielei Wang , Wenke Lee , David Melski .
Many mechanisms have been proposed and de- ployed to prevent exploits against software vulnerabilities. Among them, W⊕X is one of the most effective and efficient. W⊕X prevents memory pages from being simultaneously writable and executable, rendering the decades old shellcode injection technique infeasible.
In this paper, we demonstrate that the traditional shellcode injection attack can be revived through a code cache injection technique. Specifically, dynamic code generation, a technique widely used in just-in-time (JIT) compilation and dynamic binary translation (DBT), generates and modifies code on the fly in order to promote performance or security. The dynamically generated code fragments are stored in a code cache, which is writable and executable either at the same time or alternately, resulting in an opportunity for exploitation. This threat is especially realistic when the generated code is multi-threaded, because switching between writable and executable leaves a time window for exploitation. To illustrate this threat, we have crafted a proof- of-concept exploit against modern browsers that support Web Workers.