JiuJITsu: Removing Gadgets with Safe Register Allocation for JIT Code Generation
ACM Transactions on Architecture and Code Optimization (IF 1.6), Pub Date: 2023-12-15, DOI: 10.1145/3631526
Zhang Jiang, Ying Chen, Xiaoli Gong, Jin Zhang, Wenwen Wang, Pen-Chung Yew

Code-reuse attacks have the capability to craft malicious instructions from small code fragments, commonly referred to as “gadgets.” These gadgets are generated by JIT (Just-In-Time) engines as integral components of native instructions, with the flexibility to be embedded in various fields, including Displacement. In this article, we introduce a novel approach for potential gadget insertion, achieved through the manipulation of ModR/M and SIB bytes via JavaScript code. This manipulation influences a JIT engine’s register allocation and code generation algorithms. These newly generated gadgets do not rely on constants and thus evade existing constant blinding schemes. Furthermore, they can be combined with 1-byte constants, a combination that proves to be challenging to defend against using conventional constant blinding techniques. To showcase the feasibility of our approach, we provide proof-of-concept (POC) code for three distinct types of gadgets. Our research underscores the potential for attackers to exploit ModR/M and SIB bytes within JIT-generated native instructions. In response, we propose a practical defense mechanism to mitigate such attacks. We introduce JiuJITsu, a security-enhanced register allocation scheme designed to prevent harmful register assignments during the JIT code generation phase, thereby thwarting the generation of these malicious gadgets. We conduct a comprehensive analysis of JiuJITsu’s effectiveness in defending against code-reuse attacks. Our findings demonstrate that it incurs a runtime overhead of under 1% when evaluated using JetStream2 benchmarks and real-world websites.




Updated: 2023-12-15