Towards a Verified Range Analysis for Javascript Jits
Towards a Verified Range Analysis for JavaScript JITs Fraser Brown John Renner Andres Nötzli Stanford, USA UC San Diego, USA Stanford, USA Sorin Lerner Hovav Shacham Deian Stefan UC San Diego, USA UT Austin, USA UC San Diego, USA Abstract Earlier this year, Google’s Threat Analysis Group identi- We present VeRA, a system for verifying the range analysis fied websites, apparently aimed at people “born in a certain pass in browser just-in-time (JIT) compilers. Browser devel- geographic region” and “part of a certain ethnic group,” that opers write range analysis routines in a subset of C++, and would install a malicious spyware implant on any iPhone verification developers write infrastructure to verify custom used to visit them. Two bugs exploited in this campaign, analysis properties. Then, VeRA automatically verifies the according to analysis by Google’s Project Zero [41, 68], were range analysis routines, which browser developers can in- in the JIT component of Safari’s JavaScript engine [5, 34]. tegrate directly into the JIT. We use VeRA to translate and The JavaScript JITs shipped in modern browsers are ma- verify Firefox range analysis routines, and it detects a new, ture, sophisticated systems developed by compilers experts. confirmed bug that has existed in the browser for six years. Yet bugs in JIT compilers have emerged in recent months as the single largest threat to Web platform security, and the CCS Concepts: • Security and privacy ! Browser se- most dangerous attack surface of Web-connected devices. curity; • Software and its engineering ! Just-in-time Unlike other compilers, browser JITs are exposed to adver- compilers; Software verification and validation; Domain sarial program input.
[Show full text]