Hi all, On the purpose of defending against JIT-ROP attacks, I am trying to implement a scheme that prevents the RET instructions from being misused. This scheme XORs and de-XORs the return address with a randomly selected value (I name it cookie) when entering a piece of JITCODE and right before executing RET instructions to exit, respectively. Because, on some circumstances (e.g. when bailing-out from ion into baseline), the spidermonkey engine needs the original return-address for iterating over JIT-frames, so i need to store the cookie.
In my current design, the cookie is stored in a new field (named retCookie_) of JitCode, and each JITCODE (representing an instance of JitCode) has its own cookie. In this way, when i need the original return-address, i can recover it by first getting the JITCODE and then fetching the cookie. Now, my problem is how can i get the correct JITCODE with an address (e.g. the interrupted address before bailing-out)? Is there a function like the find_vma, which is a kernel function that retrieves the VMA instance according to a virtual address. I tried to find an answer by digging into the codebase. I found that the BaselineScript has a member function named containsCodeAddress, but i don't think it is what i want. Also, I viewed the code of JITCODE allocator, but failed to find such an interface function. After the failures, i tried to protect only the RET instructions emitted by baseline compiler, with attempts to stores the cookie in the BaselineScript instance, or in the frame descriptor. Sadly, all failed:( Could some body give me a tip? Any suggestions are welcome. I appreciate for the help! By the way, i am working on Spidermonkey 45. By honest, i don't think i have enough knowledge on fixing the bailing-out and exception handling mechanisms, i also need suggestions on them. Thank you. _______________________________________________ dev-tech-js-engine-internals mailing list dev-tech-js-engine-internals@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
