Using the JIT Vulnerability to Pwn Microsoft Edge, presented at Black Hat Asia 2019

by Zhenhuan Li, Shenrong Liu

Summary: To speed up JavaScript execution, modern browsers add a Just-In-Time (JIT) compiler to the JavaScript engine; Chakra, the JavaScript engine in Microsoft Edge, does the same. Because JavaScript is a dynamic, loosely typed language, the engine collects type information (called profile data) while the interpreter executes the bytecode, and the JIT compiler then uses that data to perform a great deal of optimization during compilation. Implementing a JIT compiler is already a complex project; using profile data for further optimization adds to that complexity, and mistakes in the implementation can lead to vulnerabilities.

This talk contains the following sections:

First, we introduce the Chakra JIT engine architecture, detailing the optimizations the compiler performs in each phase.

Second, we describe the attack surface of the JIT compiler. To make code run faster, the JIT compiler performs many optimizations in each phase; when an optimization is implemented incorrectly, it can lead to a vulnerability.

Third, we focus on some interesting vulnerabilities found on that attack surface, and look at the mitigations Microsoft has introduced into Chakra to address this particular class of JIT vulnerability.

Fourth, we give a full exploit demo (possibly using a 0-day vulnerability) showing how to go from a vulnerability to arbitrary code execution on the latest Windows 10 x64 platform. We present two methods to bypass Control Flow Guard (CFG) and explain how to construct ROP gadgets on Windows 10 x64.
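The attack surface described above (profile data turned into type speculation that user code can invalidate mid-function) is easiest to see in a test harness. The script below is an added example written for this page; it is not code from the talk and does not demonstrate any specific Chakra bug. It runs on Node.js/V8, and the function names (`storeAfterConvert`, `trainAndProbe`, `probeIsConsistent`) are illustrative. The function is first "trained" with numeric operands so the JIT can speculate that the array holds only doubles; then an operand whose `valueOf()` runs user code in the middle of the optimised function changes the array's element kind. A correct engine must re-check its assumption or bail out to the interpreter, and the returned values let a harness confirm that JavaScript semantics were preserved.

```javascript
// Added example (not from the talk): the general shape of a JIT
// type-speculation probe. No real vulnerability is exercised; on a
// correct engine every check in probeIsConsistent() passes.

// Function under test. On a hot path the JIT specialises it on the
// observed (profiled) types: arr as an array of doubles, v as a number.
function storeAfterConvert(arr, v) {
  arr[0] = 1.1;   // profile data: arr is a double array
  const n = +v;   // ToNumber: may invoke user code through v.valueOf()
  arr[1] = n;     // this store must not trust the pre-ToNumber type of arr
  return arr[1];
}

// Train the JIT on one type, then break the speculated type from inside
// a side-effecting valueOf() while storeAfterConvert is still running.
function trainAndProbe(iterations = 100000) {
  const arr = [1.1, 2.2, 3.3];

  // Training phase: only numeric operands, so the profile stays monomorphic
  // and the engine tiers the function up to optimised code.
  for (let i = 0; i < iterations; i++) storeAfterConvert(arr, 2.2);

  // Probe phase: valueOf() converts arr from a double array into a generic
  // array that can hold objects, after the JIT has already profiled it.
  const probe = {
    valueOf() {
      arr[0] = { marker: "side effect" }; // element-kind transition
      return 4.4;
    },
  };
  const result = storeAfterConvert(arr, probe);

  return {
    result,                                                   // expected 4.4
    slot0IsObject: typeof arr[0] === "object" && arr[0] !== null,
    slot1: arr[1],                                            // expected 4.4
  };
}

// A correct engine keeps JS semantics regardless of which tier ran the code:
// the store lands as the number 4.4 and the object written by valueOf()
// survives intact rather than being reinterpreted as a raw double.
function probeIsConsistent() {
  const r = trainAndProbe();
  return r.result === 4.4 && r.slot1 === 4.4 && r.slot0IsObject === true;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(trainAndProbe(), probeIsConsistent());
}
```

The interesting case for a researcher is an engine that returns something other than these values after training, which would indicate the optimised tier kept a type assumption across a call that invalidated it; that is the class of implementation mistake the talk's attack-surface section is about, and the harness shape is the same whichever operation (property access, array store, builtin call) is under test.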