**CSE 291: JIT Security**
This is an advanced topics graduate course on secure browser just-in-time (JIT)
compilers. The goal of the class is to understand how modern JITs are designed
and implemented, how attackers are exploiting bugs in JITs, and how to design
more secure---even formally verified---JIT compilers. We will read research
papers spanning systems security, programming languages, and formal methods. We
will also read articles from the non-academic hacking community and parts of
the Firefox, Chromium, and Safari codebases. Finally, we will work on an
original research project spanning JIT attacks and defenses.
: Tue and Thu, 2:00--3:20pm in CSE 4258 (or Zoom)
: **Instructor**: Deian Stefan
: **Teaching Assistant**: Matthew Kolosick
: **Deian**: Monday, 2:00--3:00pm, or by appointment
: **Matthew**: By appointment
: See Canvas.
: We'll use the CSE slack channel `jit-security-class-22`
Calendar and Readings
Tue Jan 4 2022: Course intro
Thu Jan 6 2022: SpiderMonkey intro
- [OR'LYEH? The Shadow over Firefox](http://www.phrack.org/issues/69/14.html) by argp
- [Introduction to SpiderMonkey exploitation](https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/) by 0vercl0k
- *See also*:
  - [A journey into IonMonkey: root-causing CVE-2019-9810](https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/) by 0vercl0k
Tue Jan 11 2022: V8 intro
- [Zero Day Initiative posts on V8](https://www.zerodayinitiative.com/blog?tag=V8)
Thu Jan 13 2022: JIT verification
- *Read*: [Formally Verified Speculation and Deoptimization in a JIT Compiler](https://cseweb.ucsd.edu/~dstefan/cse291-spring21/papers/barriere:jit.pdf) by A. Barriere et al.
Tue Jan 18 2022: JIT verification
Thu Jan 20 2022: In-class project planning (+JSCore intro)
- *Read offline*:
  - [New Series: Getting Into Browser Exploitation](https://liveoverflow.com/getting-into-browser-exploitation-new-series-introduction-browser-0x00/)
Tue Jan 25 2022: JIT verification
- *Read*: [Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) by L. Nelson et al.
Thu Jan 27 2022: Locking down the engine
Tue Feb 1 2022: Translation validation
- [Доверя́й, но проверя́й: SFI safety for native-compiled Wasm](https://cseweb.ucsd.edu/~dstefan/pubs/johnson:2021:veriwasm.pdf) by E. Johnson et al.
- [V8 Sandbox](https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit) by saelo@
Thu Feb 3 2022: Translation validation
- [Alive2: Bounded Translation Validation for LLVM](https://www.cs.utah.edu/~regehr/alive2-pldi21.pdf) by N. Lopes et al.
- [Just-in-time checking for just-in-time compiler](https://cseweb.ucsd.edu/~dstefan/noindex/proton.pdf) by F. Brown et al.
Tue Feb 8 2022: Translation validation (cont) + Project updates
- *Present*: Preliminary results from your project
Thu Feb 10 2022: Locking down the JIT (+ project updates)
- [RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity](papers/niu:rockjit.pdf) by B. Niu and G. Tan
- [Language-independent sandboxing of just-in-time compilation and self-modifying code](papers/ansel:lang.pdf) by J. Ansel et al.
Tue Feb 15 2022: Interpreter verification
- *Read*: [Jitk: A Trustworthy In-Kernel Interpreter Infrastructure](https://people.csail.mit.edu/nickolai/papers/wang-jitk.pdf) by X. Wang et al.
Thu Feb 17 2022: Definitional interpreters
- [Intrinsically-Typed Definitional Interpreters for Imperative Languages](https://dl.acm.org/doi/pdf/10.1145/3158104) by C. B. Poulsen et al.
Tue Feb 22 2022: Fuzzing
- [Fuzzing with Code Fragments](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf) by C. Holler et al.
Thu Feb 24 2022: Fuzzing
Tue Mar 1 2022: Garbage collection
- [Cross-component garbage collection](https://dl.acm.org/doi/abs/10.1145/3276521) by U. Degenbaev et al.
Thu Mar 3 2022: Superoptimization
- [Stochastic Superoptimization](https://dl.acm.org/doi/pdf/10.1145/2490301.2451150) by E. Schkufza et al.
- [Superoptimizer: a look at the smallest program](https://dl.acm.org/doi/abs/10.1145/36177.36194) by A. Massalin
The primary goal of this course is to prepare you to do research, so the
evaluation for this course is simple: (1) class participation and (2) a research
project and presentation.
You are expected to read the assigned paper(s) before each meeting. In class we
will discuss the interesting parts of the paper(s). You are expected to do any
background reading on your own and come prepared with questions and an
evaluation of the paper. The PhD students in the class are also expected to
lead one discussion section.
Research project (60%) + presentation (10%)
You will work on projects in groups of 2-3. The goal of the project is to
conduct original research in JIT security. You are encouraged to come up with
your own project idea, but we have a few ideas that are well-scoped for a
At the end of the quarter, you are expected to turn in a short research paper
(6-10 pages) and give a 15 minute talk. We will have periodic status updates to
help you stay on track.