**CSE 291: JIT Security**

[*Deian Stefan*](https://cseweb.ucsd.edu/~dstefan/)

About
==============================================================

This is an advanced topics graduate course on secure browser just-in-time (JIT) compilers. The goal of the class is to understand how modern JITs are designed and implemented, how attackers are exploiting bugs in JITs, and how to design more secure---even formally verified---JIT compilers. We will read research papers spanning systems security, programming languages, and formal methods. We will also read articles from the non-academic hacking community and parts of the Firefox, Chromium, and Safari codebases. Finally, we will work on an original research project spanning JIT attacks and defenses.

Lectures:
:   Tue and Thu, 2:00--3:20pm in CSE 4258 (or Zoom)

Staff:
:   **Instructor**: Deian Stefan
:   **Teaching Assistant**: Matthew Kolosick

Office hours:
:   **Deian**: Monday, 2:00--3:00pm, or by appointment
:   **Matthew**: By appointment

Zoom information:
:   See Canvas.

Class discussion:
:   We'll use the CSE slack channel `jit-security-class-22`

Calendar and Readings
==============================================================

Tue Jan 4 2022: Course intro

Thu Jan 6 2022: SpiderMonkey intro

- *Read*:
  - [OR'LYEH? The Shadow over Firefox](http://www.phrack.org/issues/69/14.html) by argp
  - [Introduction to SpiderMonkey exploitation](https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/) by 0vercl0k
- *See also*:
  - [A journey into IonMonkey: root-causing CVE-2019-9810](https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/) by 0vercl0k

Tue Jan 11 2022: V8 intro

- *Read*:
  - [Compile Your Own Type Confusions: Exploiting Logic Bugs in JavaScript JIT Engines](http://www.phrack.org/issues/70/9.html#article) by saelo@
  - [Zero Day Initiative posts on V8](https://www.zerodayinitiative.com/blog?tag=V8)

Thu Jan 13 2022: JIT verification

- *Read*: [Formally Verified Speculation and Deoptimization in a JIT Compiler](https://cseweb.ucsd.edu/~dstefan/cse291-spring21/papers/barriere:jit.pdf) by A. Barriere et al.

Tue Jan 18 2022: JIT verification

- *Read*: [Towards a verified range analysis for JavaScript JITs](https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:vera.pdf) by F. Brown et al.

Thu Jan 20 2022: In-class project planning (+JSCore intro)

- *Read offline*:
  - [Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622](http://www.phrack.org/issues/70/3.html#article) by saelo@
  - [New Series: Getting Into Browser Exploitation](https://liveoverflow.com/getting-into-browser-exploitation-new-series-introduction-browser-0x00/)

Tue Jan 25 2022: JIT verification

- *Read*: [Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) by L. Nelson et al.

Thu Jan 27 2022: Locking down the engine

- *Read*: [NoJITsu: Locking Down JavaScript Engines](https://cseweb.ucsd.edu/~dstefan/cse291-spring21/papers/park:nojitsu.pdf) by T. Park et al.

Tue Feb 1 2022: Translation validation

- *Read*:
  - [Доверя́й, но проверя́й: SFI safety for native-compiled Wasm](https://cseweb.ucsd.edu/~dstefan/pubs/johnson:2021:veriwasm.pdf) by E. Johnson et al.
  - [V8 Sandbox](https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit) by saelo@

Thu Feb 3 2022: Translation validation

- *Read*:
  - [Alive2: Bounded Translation Validation for LLVM](https://www.cs.utah.edu/~regehr/alive2-pldi21.pdf) by N. Lopes et al.
  - [Just-in-time checking for just-in-time compiler](https://cseweb.ucsd.edu/~dstefan/noindex/proton.pdf) by F. Brown et al.

Tue Feb 8 2022: Translation validation (cont) + Project updates

- *Present*: Preliminary results from your project

Tue Feb 10 2022: Locking down the JIT (+ project updates)

- *Read*:
  - [RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity](papers/niu:rockjit.pdf) by B. Niu and G. Tan
  - [Language-independent sandboxing of just-in-time compilation and self-modifying code](papers/ansel:lang.pdf) by J. Ansel et al.

Thu Feb 15 2022: Interpreter verification

- *Read*: [Jitk: A Trustworthy In-Kernel Interpreter Infrastructure](https://people.csail.mit.edu/nickolai/papers/wang-jitk.pdf) by X. Wang et al.

Tue Feb 17 2022: Definitional interpreters

- *Read*:
  - [Intrinsically-Typed Definitional Interpreters for Imperative Languages](https://dl.acm.org/doi/pdf/10.1145/3158104) by C. B. Poulsen et al.

Tue Feb 22 2022: Fuzzing

- *Read*:
  - [Fuzzing with Code Fragments](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf) by C. Holler et al.

Thu Feb 24 2022: Fuzzing

- *Read*:
  - [CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines](papers/han:codealchemist.pdf) by H. Han et al.

Tue Mar 1 2022: Garbage collection

- *Read*:
  - [Cross-component garbage collection](https://dl.acm.org/doi/abs/10.1145/3276521) by U. Degenbaev et al.

Tue Mar 3 2022: Superoptimization

- *Read*:
  - [Stochastic Superoptimization](https://dl.acm.org/doi/pdf/10.1145/2490301.2451150) by E. Schkufza et al.
  - [Superoptimizer: a look at the smallest program](https://dl.acm.org/doi/abs/10.1145/36177.36194) by A. Massalin

Evaluation
==============================================================

Because the primary goal of this course is to prepare you to do research, the evaluation for this course is simple: (1) class participation and (2) a research project and presentation.

Participation (30%)
--------------------------------------------------------------

You are expected to read the assigned paper(s) before each meeting. In class we will discuss the interesting parts of the paper(s). You are expected to do any background reading on your own and come prepared with questions and an evaluation of the paper. The PhD students in the class are also expected to lead one discussion section.

Research project (60%) + presentation (10%)
--------------------------------------------------------------

You will work on projects in groups of 2-3. The goal of the project is to conduct original research in JIT security. You are encouraged to come up with your own project idea, but we have a few ideas that are well-scoped for a quarter project. At the end of the quarter, you are expected to turn in a short research paper (6-10 pages) and give a 15 minute talk. We will have periodic status updates to help you stay on track.