
15:00-16:00 Enlightening the unenlightened: jsASTer

Speaker(s): Shane Macaulay, IOActive

jsASTer is a script host analyzer with a focus on in-memory JIT validation. An enlightened script host can keep operating while system code integrity policies are enforced, because it interoperates with those policies through restricted language modes and similar mechanisms. Unenlightened script hosts, by contrast, may simply be whitelisted and allowed to JIT code into their own address space (e.g. Chrome/V8, Firefox, LLVM/wasm). Post-exploitation, if an attacker injects into the address space of an unenlightened host, code integrity restrictions may be bypassed, depending on the script host and its configuration. We will release an initial version of jsASTer that analyzes the emitted JIT code in order to establish a higher level of trust in these hosts.
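The gap the abstract describes is that a file-based code integrity policy only vouches for executable code mapped from signed files, not for code a whitelisted host JITs into anonymous memory. The following added example (not jsASTer or IOActive code) shows the first triage step a defender would take: parse a Linux `/proc/<pid>/maps` listing and flag executable regions that no on-disk file backs, plus anything mapped writable and executable at once. The maps text is a constructed sample, and jsASTer's own analysis of the JIT code inside such regions is not reproduced here.

```python
"""Flag executable regions a file-based code-integrity policy cannot vouch for."""
import re
from dataclasses import dataclass

# Format of one /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def file_backed(self) -> bool:
        # Anonymous mappings have no path; unlinked files are also not verifiable.
        return self.path.startswith("/") and "(deleted)" not in self.path


def parse_maps(text: str) -> list[Region]:
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions


def suspicious_exec_regions(regions: list[Region]) -> list[Region]:
    """Executable regions with no on-disk backing (JIT output, injected code)
    or mapped W+X, i.e. code a signature-based policy never saw."""
    return [r for r in regions if r.executable and (not r.file_backed or r.writable)]


# Constructed sample: a browser-like process with one signed image, one JIT region,
# one W+X region, and one executable mapping of an unlinked file.
SAMPLE_MAPS = """\
55d1c2400000-55d1c2600000 r-xp 00000000 08:01 1234567 /usr/lib/chromium/chromium
55d1c2600000-55d1c2700000 r--p 00200000 08:01 1234567 /usr/lib/chromium/chromium
7f3a10000000-7f3a10100000 rw-p 00000000 00:00 0
7f3a10100000-7f3a10200000 r-xp 00000000 00:00 0
7f3a20000000-7f3a20010000 rwxp 00000000 00:00 0
7f3a30000000-7f3a30020000 r-xp 00000000 08:01 7654321 /tmp/payload.so (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""
```

Run `suspicious_exec_regions(parse_maps(open(f"/proc/{pid}/maps").read()))` against a live host to see how many regions a JIT-capable process keeps outside the reach of file-based integrity checks.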

Time permitting, a current goal is to represent the various (de)optimization states of JIT binary code, as well as the interpreted versions of the JavaScript in memory, to improve the efficacy of fuzzing loops in which simple AV/SEGV stack-hash or fault monitoring is used to classify the ‘results’ of a fuzz test. It is our hope that a fast analyzer can identify subtle errors in the JIT code generated at different optimization levels, or with other characteristics, that page fault monitoring or binary traces would miss.