**CSE 291: JIT Security**

[*Deian Stefan*](https://cseweb.ucsd.edu/~dstefan/)

About
==============================================================

This is an advanced topics graduate course on secure browser just-in-time (JIT) compilers. The goal of the class is to understand how modern JITs are designed and implemented, how attackers are exploiting bugs in JITs, and how to design more secure---even formally verified---JIT compilers. We will read research papers spanning systems security, programming languages, and formal methods. We will also read articles from the non-academic hacking community and parts of the Firefox, Chromium, and Safari codebases. Finally, we will work on an original research project spanning JIT attacks and defenses.

Lectures:
:   Tue and Thu, 2:00--3:20pm in CSE 4258 (or Zoom)

Staff:
:   **Instructor**: Deian Stefan
:   **Teaching Assistant**: Matthew Kolosick

Office hours:
:   **Deian**: Monday, 2:00--3:00pm, or by appointment
:   **Matthew**: By appointment

Zoom information:
:   See Canvas.

Class discussion:
:   We'll use the CSE slack channel `jit-security-class-22`

Calendar and Readings
==============================================================

Tue Jan 4 2022: Course Intro

Thu Jan 6 2022: SpiderMonkey Intro

- *Read*:
  - [OR'LYEH? The Shadow over Firefox](http://www.phrack.org/issues/69/14.html) by argp
  - [Introduction to SpiderMonkey exploitation](https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/) by 0vercl0k
- *See also*:
  - [A journey into IonMonkey: root-causing CVE-2019-9810](https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/) by 0vercl0k

Tue Jan 11 2022: V8 Intro

- *Read*:
  - [Compile Your Own Type Confusions: Exploiting Logic Bugs in JavaScript JIT Engines](http://www.phrack.org/issues/70/9.html#article) by saelo@
  - [Zero Day Initiative posts on V8](https://www.zerodayinitiative.com/blog?tag=V8)

Thu Jan 13 2022: JIT Verification 1

- *Read*:
  - [Formally Verified Speculation and Deoptimization in a JIT Compiler](https://cseweb.ucsd.edu/~dstefan/cse291-spring21/papers/barriere:jit.pdf) by A. Barriere et al.

Tue Jan 18 2022: JIT Verification 2

- *Read*:
  - [Towards a verified range analysis for JavaScript JITs](https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:vera.pdf) by F. Brown et al.

Thu Jan 20 2022: No class (but at home: JSCore Intro)

- *Read*:
  - [Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622](http://www.phrack.org/issues/70/3.html#article) by saelo@
  - [New Series: Getting Into Browser Exploitation](https://liveoverflow.com/getting-into-browser-exploitation-new-series-introduction-browser-0x00/)

Tue Jan 25 2022: JIT Verification 3

- *Read*:
  - [Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) by L. Nelson et al.

Thu Jan 27 2022: Locking down the engine 1

- *Read*:
  - [NoJITsu: Locking Down JavaScript Engines](https://cseweb.ucsd.edu/~dstefan/cse291-spring21/papers/park:nojitsu.pdf) by T. Park et al.

Tue Feb 8 2022: Locking down the engine 2

- *Read*:
  - [V8 Sandbox](https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit) by saelo@

Evaluation
==============================================================

The primary goal of this course is to prepare you to do research, so the evaluation for this course is simple: (1) class participation and (2) a research project and presentation.

Participation (30%)
--------------------------------------------------------------

You are expected to read the assigned paper(s) before each meeting. In class we will discuss the interesting parts of the paper(s). You are expected to do any background reading on your own and come prepared with questions and an evaluation of the paper. The PhD students in the class are also expected to lead one discussion section.

Research project (60%) + presentation (10%)
--------------------------------------------------------------

You will work on projects in groups of 2-3. The goal of the project is to conduct original research in JIT security. You are encouraged to come up with your own project idea, but we have a few ideas that are well-scoped for a quarter project. At the end of the quarter, you are expected to turn in a short research paper (6-10 pages) and give a 15-minute talk. We will have periodic status updates to help you stay on track.