
Randomization Can’t Stop BPF JIT Spray

  • Conference paper
  • Network and System Security (NSS 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

The Linux kernel Berkeley Packet Filter (BPF) and its Just-In-Time (JIT) compiler are actively used in various pieces of networking equipment where filtering speed is especially important. In 2012, the Linux BPF/JIT compiler was shown to be vulnerable to a JIT spray attack; fixes were quickly merged into the Linux kernel in order to stop the attack. In this paper we show two modifications of the original attack which still succeed on a modern 4.4 Linux kernel, and demonstrate that JIT spray is still a major problem for the Linux BPF/JIT compiler. This work helped to make the case for further and proper countermeasures to the attack, which have then been merged into the 4.7 Linux kernel.




Acknowledgments

The authors would like to thank Daniel Borkmann for his helpful discussions about BPF/JIT, and his readiness and enthusiasm to make it more secure.

Author information

Corresponding author: Elena Reshetova.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Reshetova, E., Bonazzi, F., Asokan, N. (2017). Randomization Can’t Stop BPF JIT Spray. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_17

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science (R0)
