
Understanding JIT spray - mbrubeck
http://blog.cdleary.com/2011/08/understanding-jit-spray/
======
yan
Great article! Chris Rohlf and I gave a talk on attacking JIT engines at
BlackHat earlier this year[1]. We covered JIT sprays and mitigating against
them fairly thoroughly (not this thoroughly, but our goals were a bit
different :)).

Check it out if you're into this.

[1] <http://www.matasano.com/research/jit/>

------
akkartik
The section on staged shellcode payloads reminded me of bombers, replicators,
and scanners in corewars (<http://en.wikipedia.org/wiki/Core_War#Strategy>)

------
wingo
Excellent article. Looking forward to the next one!

------
ldar15
RISC processors with fixed instruction sizes and enforced 4-byte instruction
alignment are looking even saner than they did before I read this.

~~~
burgerbrain
You think RISC sounds like a good idea now... wait until you read about
"return-oriented programming" with variable length instructions!

<http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html>

The short story: arbitrary computation by finding 'ret's with short sequences
of useful code before them. Finding them in _your_ code, and they need not
actually be 'ret's, thanks to the same reason this stuff works.

~~~
yan
ROP does not need a variable-length instruction set. ROP is a common
exploitation method for iDevices...

~~~
burgerbrain
Correct, it just makes it a hell of a lot more wicked.

