SoK: Make JIT-Spray Great Again


Robert Gawlik and Thorsten Holz, Ruhr-Universität Bochum


Since the end of the 20th century, it has become clear that web browsers will play a crucial role in accessing Internet resources such as the World Wide Web. They evolved into complex software suites that are able to process a multitude of data formats. Just-In-Time (JIT) compilation was incorporated to speed up the execution of script code, but is also used outside web browsers for performance reasons. Attackers happily welcomed JIT in their own way, and until today, JIT compilers are an important target of various attacks. This includes, for example, JIT-Spray, JIT-based code-reuse attacks, and JIT-specific flaws to circumvent mitigation techniques in order to simplify the exploitation of memory-corruption vulnerabilities. Furthermore, JIT compilers are complex and provide a large attack surface, which is visible in the steady stream of critical bugs appearing in them. In this paper, we survey and systematize the jungle of JIT compilers of major (client-side) programs, and provide a categorization of offensive techniques for abusing JIT compilation. Thereby, we present techniques used in academic as well as in non-academic works which try to break various defenses against memory-corruption vulnerabilities. Additionally, we discuss what mitigations arose to harden JIT compilers to impede exploitation by skilled attackers wanting to abuse Just-In-Time compilers.


@inproceedings {220582,
author = {Robert Gawlik and Thorsten Holz},
title = {{SoK}: Make {JIT-Spray} Great Again},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {USENIX Association},
month = aug,