Abstract:—Many mechanisms have been proposed and de-ployed to prevent exploits against software vulnerabilities. Amongthem, W X is one of the most effective and efﬁcient. W Xprevents memory pages from being simultaneously writableand executable, rendering the decades old shellcode injectiontechnique infeasible.In this paper, we demonstrate that the traditional shellcodeinjection attack can be revived through a code cache injectiontechnique. Speciﬁcally, dynamic code generation, a techniquewidely used in just-in-time (JIT) compilation and dynamic binarytranslation (DBT), generates and modiﬁes code on the ﬂy in orderto promote performance or security. The dynamically generatedcode fragments are stored in a code cache, which is writableand executable either at the same time or alternately, resultingin an opportunity for exploitation. This threat is especiallyrealistic when the generated code is multi-threaded, becauseswitching between writable and executable leaves a time windowfor exploitation. To illustrate this threat, we have crafted a proof-of-concept exploit against modern browsers that support WebWorkers.To mitigate this code cache injection threat, we propose anew dynamic code generation architecture. This new architecturerelocates the dynamic code generator to a separate process,in which the code cache is writable. In the original processwhere the generated code executes, the code cache remains read-only. The code cache is synchronized across the writing processand the execution process through shared memory. Interactionbetween the code generator and the generated code is handledtransparently through remote procedure calls (RPC). We haveported the Google V8 JavaScript engine and the Strata DBTto this new architecture. Our implementation experience showedthat the engineering effort for porting to this new architectureis minimal. Evaluation of our prototype implementation showedthat this new architecture can defeat the code cache injectionattack with small performance overhead.

Exploiting and Protecting Dynamic Code Generation.

WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches

Secure Dynamic Code Generation Against Spraying

Runtime Code Reuse Attacks: A Dynamic Framework Bypassing Fine-Grained Address Space Layout Randomization.

Instantly Obsoleting the Address-code Associations: A New Principle for Defending Advanced Code Reuse Attack

INSeRT: Protect Dynamic Code Generation Against Spraying

De-randomizing the Code Segment with Timing Function Attack

ROPocop - Dynamic Mitigation of Code-Reuse Attacks

SpectreRewind: Leaking Secrets to Past Instructions

RIM: A Method to Defend from JIT Spraying Attack

SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

Webc: Toward A Portable Framework for Deploying Legacy Code in Web Browsers

A Disguised Wolf Is More Harmful Than a Toothless Tiger: Adaptive Malicious Code Injection Backdoor Attack Leveraging User Behavior as Triggers

Steroids for DOPed Applications: A Compiler for Automated Data-Oriented Programming

What You See is Not What You Get! Thwarting Just-in-Time ROP with Chameleon

JITScope: Protecting Web Users from Control-Flow Hijacking Attacks

Revery

Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses

Breaking and Fixing Destructive Code Read Defenses

JITSafe: a Framework Against Just-in-time Spraying Attacks

Spinner: Automated Dynamic Command Subsystem Perturbation