JIT Spraying Never Dies - Bypass CFG By Leveraging WARP Shader JIT Spraying

Many scripting languages, such as JavaScript and ActionScript, use Just-In-Time (JIT) compilation to improve script execution performance. Under some circumstances, however, the legitimate JIT mechanism can be leveraged by an exploit to bypass memory protections and mitigations such as ASLR and DEP. This exploitation technique was first introduced as "JIT Spraying" in 2010. The idea is to use constant numeric values in a high-level scripting language to make the JIT emit attacker-chosen bytes (the desired JITed code) at predictable locations. As JIT spraying gained popularity as a reliable exploitation technique, vendors started to revisit their JIT engine implementations. Since then, countermeasures such as randomizing the JIT code page allocation and mutating the generated JITed code have been employed to prevent JIT spraying. In particular, the MS WARP shader JIT engine, which we will exploit in this talk, has security mechanisms such as shader complexity limits, a JIT cache size limit, and separation between constant data and code. As a result, the JIT spraying technique became less effective in most exploitation scenarios.

Nevertheless, JIT spraying has never died, even in the most secure Windows 10 era. In this talk, we will present a completely different JIT spraying exploitation technique (based on the MS WARP JIT) to bypass Control Flow Guard (CFG) in the context of a browser in a generic way. This presentation provides details on how to circumvent the MS WARP JIT restrictions and achieve a reliable CFG bypass. At the end, a live demo will be given to demonstrate bypassing CFG on IE11 and Edge on Windows 10.
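To make the "constant numeric value" idea concrete, the following is an added example that models the classic 2010 x86 JIT-spray encoding; it is not code from this abstract and has nothing to do with the WARP shader JIT technique the talk presents. It assumes a simple x86 JIT that compiles a script expression such as `(0x3C90C031 ^ 0x3C90C340)` into `mov eax, imm32` followed by one `xor eax, imm32` per remaining term without constant folding, and that the attacker can redirect execution one byte into the emitted code. The sample payload bytes are constructed for the example, and `recover_payload` is a small layout checker written here, not a disassembler.

```python
"""Model of the classic x86 JIT-spray constant encoding (added example).

An x86 JIT turns `a ^ b ^ c` over constants into:
    B8 <a, little-endian>   mov eax, imm32
    35 <b, little-endian>   xor eax, imm32
    35 <c, little-endian>   xor eax, imm32
Entering that byte stream one byte in executes the immediates themselves.
Each constant carries three payload bytes plus a 0x3C top byte; at run time
0x3C pairs with the next 0x35 opcode to form `cmp al, 0x35`, a harmless
two-byte instruction, so the payload chunks execute back to back.
"""

MOV_EAX_IMM32 = 0xB8   # x86: mov eax, imm32
XOR_EAX_IMM32 = 0x35   # x86: xor eax, imm32
CMP_AL_IMM8 = 0x3C     # x86: cmp al, imm8 (glue that swallows the next opcode byte)
NOP = 0x90

# Constructed sample payload (32-bit x86): xor eax,eax ; nop ; inc eax ; ret
# Instructions are laid out so none crosses a 3-byte chunk boundary, because
# the chunks are separated by the 2-byte `cmp al, 0x35` glue at run time.
SAMPLE_PAYLOAD = bytes([0x31, 0xC0, 0x90, 0x40, 0xC3])


def encode_constants(payload: bytes) -> list[int]:
    """Split the payload into 3-byte chunks and pack each one into a 32-bit
    constant whose top byte is 0x3C. The last chunk is padded with NOPs."""
    pad = (-len(payload)) % 3
    payload = payload + bytes([NOP]) * pad
    consts = []
    for i in range(0, len(payload), 3):
        b0, b1, b2 = payload[i:i + 3]
        # little-endian immediate: b0 is emitted first, 0x3C last
        consts.append(b0 | (b1 << 8) | (b2 << 16) | (CMP_AL_IMM8 << 24))
    return consts


def to_script(consts: list[int]) -> str:
    """Render the constants as the XOR chain a sprayer would embed in a script."""
    return "var spray = (" + " ^ ".join(f"0x{c:08X}" for c in consts) + ");"


def model_jit_output(consts: list[int]) -> bytes:
    """Bytes a naive (non-folding, non-blinding) x86 JIT emits for the chain."""
    out = bytearray()
    for i, c in enumerate(consts):
        out.append(MOV_EAX_IMM32 if i == 0 else XOR_EAX_IMM32)
        out += c.to_bytes(4, "little")
    return bytes(out)


def recover_payload(code: bytes) -> bytes:
    """Check that entering the emitted bytes at offset 1 reads as
    [3 payload bytes][cmp al, 0x35] repeated, and return the payload bytes.
    Raises ValueError if the layout is broken (e.g. constants were blinded)."""
    payload = bytearray()
    pc = 1                                   # skip the first opcode byte
    while pc < len(code):
        payload += code[pc:pc + 3]
        glue = code[pc + 3:pc + 5]
        if glue == bytes([CMP_AL_IMM8, XOR_EAX_IMM32]):
            pc += 5                          # `cmp al, 0x35` ate the next opcode
        elif glue == bytes([CMP_AL_IMM8]) and pc + 4 == len(code):
            break                            # end of chain: trailing 0x3C pairs with whatever follows
        else:
            raise ValueError(f"layout broken at offset {pc + 3}: {glue.hex()}")
    return bytes(payload)


if __name__ == "__main__":
    consts = encode_constants(SAMPLE_PAYLOAD)
    print(to_script(consts))
    code = model_jit_output(consts)
    print("emitted :", code.hex(" "))
    print("at +1   :", recover_payload(code).hex(" "))
```

The check in `recover_payload` is also where the countermeasures named above bite: if the engine blinds or mutates constants, the 0x3C/0x35 pairing disappears and the layout check fails, and if constants are emitted into a separate data section rather than inline as immediates, there is no executable byte stream to enter at offset 1 in the first place.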