
Context

Broadly, this technique can be used to develop client-side exploits against web browsers that run JavaScript. In this context, the attacker crafts a web page containing (among other things) JavaScript commands and induces the victim to browse to the page. Using particular JavaScript commands, the attacker influences the state of the heap in the victim's browser process to arrange for a successful attack.

More specifically, the technique is applicable when one has a heap overflow in hand. In what follows, we refer to the buffer that is overflown as the vulnerable buffer. This heap overflow must have the property that both the allocation of the vulnerable buffer and the overflow itself are triggerable from within the JavaScript interpreter. In particular, this technique will not apply in situations where the vulnerable buffer has already been allocated before the JavaScript interpreter has been instantiated.

We also assume that shellcode is available and that a mechanism for loading it into memory has already been found. This is trivial with JavaScript: just load it into a big string.

Figure 1: Fragmented heap.

Figure 2: Defragmented heap. Future allocations end up adjacent.


jake 2008-07-14