David Herman wrote:
Patrick Walton sent me this link to a fascinating approach to exploiting weak
references in engines using conservative stack scanning to discover the address
of objects:
https://github.com/justdionysus/gcwoah
I don't fully grok all the details, but IIUC the attacker sprays the heap with
objects that it holds weak references to, synthesizes a fake reference as an
integer, triggers a conservative GC, and then uses the state of the weak
references to figure out which object lived at that address. As a concrete
example of how this can be used to do bad things: in conjunction with an
exploit that allows jumping to an arbitrary memory location, this would
effectively enable arbitrary code execution.
Dion did the JITSpray paper at BlackHat 2010:
One immediate takeaway: Mark deserves serious kudos, because Dionysus was not
able to figure out how to use this attack on WeakMaps. He explicitly mentions
the work on WeakMaps and credits them for having been well designed for
security. Well done!
Yes, and somehow Andreas Gal and Andrew McCreight's impl in SpiderMonkey
/ Firefox resisted Dion's hashtable-growth timing channel attack. Double
kudos, even if luck!
(This needs more investigation, though.)
But we need to take this into account as we consider what to do about weak
references in ES7.
Definitely.
/be
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
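The sequence the thread describes (spray objects held only weakly, plant a guessed address as a plain integer, force a conservative GC, then read the weak references to learn which object lived at that address) as a toy model in C. This is an added example, not code from the gcwoah repository or from any engine: the arena, the simulated stack of root words, the `WeakRef` type and the `probe_address`/`demo_probe` helpers are all this example's own constructions, and the collector matches root words against object addresses exactly rather than modelling interior pointers or real tagging.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the weak-reference address oracle discussed above.
 * All names and data structures here are assumptions for illustration. */

#define HEAP_SLOTS 64
#define MAX_ROOTS  8

typedef struct { int id; int marked; int live; } Obj;

/* Fixed arena so object addresses stay stable across a probe. */
static Obj heap[HEAP_SLOTS];
static int heap_used;

/* Simulated machine stack: the collector scans these words conservatively,
 * so any integer that happens to equal an object address acts as a root. */
static uintptr_t roots[MAX_ROOTS];
static int nroots;

/* A weak reference: cleared by the collector when its target dies. */
typedef struct { Obj *target; } WeakRef;

static void heap_reset(void) {
    memset(heap, 0, sizeof heap);
    heap_used = 0;
    nroots = 0;
}

static Obj *alloc_obj(int id) {
    if (heap_used >= HEAP_SLOTS) return NULL;
    Obj *o = &heap[heap_used++];
    o->id = id;
    o->live = 1;
    o->marked = 0;
    return o;
}

/* Conservative marking: a root word equal to a live object's address keeps
 * that object alive, whether or not it was ever a real pointer. */
static void conservative_mark(void) {
    for (int i = 0; i < heap_used; i++) heap[i].marked = 0;
    for (int r = 0; r < nroots; r++)
        for (int i = 0; i < heap_used; i++)
            if (heap[i].live && (uintptr_t)&heap[i] == roots[r])
                heap[i].marked = 1;
}

/* Sweep: unmarked objects die, and every weak reference to them is cleared.
 * That cleared/not-cleared state is the side channel the attacker reads. */
static void gc_collect(WeakRef *refs, int nrefs) {
    conservative_mark();
    for (int i = 0; i < heap_used; i++)
        if (heap[i].live && !heap[i].marked) heap[i].live = 0;
    for (int i = 0; i < nrefs; i++)
        if (refs[i].target && !refs[i].target->live) refs[i].target = NULL;
}

/* Attacker step 1: spray objects but keep only weak references to them,
 * so nothing but the (conservatively scanned) stack can keep them alive. */
static void spray(WeakRef *refs, int nrefs, int base_id) {
    for (int i = 0; i < nrefs; i++) refs[i].target = alloc_obj(base_id + i);
}

/* Attacker steps 2-4: plant a guessed address as a bare integer, force a
 * GC, then inspect the weak references. Returns the id of the sprayed
 * object that lived at `guess`, or -1 if no sprayed object was there. */
static int probe_address(uintptr_t guess, WeakRef *refs, int nrefs) {
    nroots = 0;
    roots[nroots++] = guess;   /* the "fake reference": just a number */
    gc_collect(refs, nrefs);
    for (int i = 0; i < nrefs; i++)
        if (refs[i].target) return refs[i].target->id;
    return -1;
}

/* One complete spray-and-probe cycle against arena slot `slot`; a negative
 * slot probes an address that holds no object, so every weak ref clears. */
static int demo_probe(int slot) {
    WeakRef refs[16];
    heap_reset();
    spray(refs, 16, 100);
    uintptr_t guess = slot >= 0 ? (uintptr_t)&heap[slot]
                                : (uintptr_t)&heap_used;
    return probe_address(guess, refs, 16);
}

int main(void) {
    /* A real attacker iterates over candidate addresses; here the guess is
     * taken from the arena directly to show the oracle answering. */
    printf("probe of slot 7  -> id %d\n", demo_probe(7));
    printf("probe of non-object address -> id %d\n", demo_probe(-1));
    return 0;
}
```

The point of the model is that nothing in it requires a memory-safety bug: the attacker only supplies integers and observes whether weak references were cleared, which is enough to map addresses to objects and, combined with a separate control-flow bug as the thread notes, to aim a jump at a known object. A WeakMap keyed by the objects does not offer the same probe, because without holding the key there is no way to ask whether its entry is still present.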