From:  Yuan Pinghai <>
Date:  22 Mar 2017 12:07:40 Hong Kong Time

How to implement the security scheme that prevents the RET instructions from being misused


Hi all,

On the purpose of defending against JIT-ROP attacks, I am trying to
implement a scheme that prevents the RET instructions from being misused.
This scheme XORs and de-XORs the return address with a randomly selected
value (I name it cookie) when entering a piece of JITCODE and right before
executing RET instructions to exit, respectively. Because, on some
circumstances (e.g. when bailing-out from ion into baseline), the
spidermonkey engine needs the original return-address for iterating over
JIT-frames, so i need to store the cookie.

In my current design, the cookie is stored in a new field (named
retCookie_) of JitCode, and each JITCODE (representing an instance of
JitCode) has its own cookie. In this way, when i need the original
return-address, i can recover it by first getting the JITCODE and then
fetching the cookie. Now, my problem is how can i get the correct JITCODE
with an address (e.g. the interrupted address before bailing-out)? Is there
a function like the find_vma, which is a kernel function that retrieves the
VMA instance according to a virtual address.

I tried to find an answer by digging into the codebase. I found that the
BaselineScript has a member function named containsCodeAddress, but i don't
think it is what i want. Also, I viewed the code of JITCODE allocator, but
failed to find such an interface function. After the failures, i tried to
protect only the RET instructions emitted by baseline compiler, with
attempts to  stores the cookie in the BaselineScript instance, or in the
frame descriptor. Sadly,  all failed:(

Could some body give me a tip? Any suggestions are welcome. I appreciate
for the help!
By the way, i am working on Spidermonkey 45. By honest, i don't think i
have enough knowledge on fixing the bailing-out and exception handling
mechanisms, i also need suggestions on them.

Thank you.