Explore the concept of JIT Leaks in this 17-minute IEEE conference talk. Delve into how just-in-time (JIT) compilation, essential for runtime performance in modern interpreted languages, can introduce timing side channels when input distribution is non-uniform. Learn about three attack models for harnessing these side channels and five vulnerability templates for detecting susceptible code fragments and predicates. Discover profiling algorithms designed to generate statistical information crucial for accurate attacker inference. Examine the systematic evaluation of JIT-based side channels in Java and JavaScript standard libraries using Oracle HotSpot Java Virtual Machine and Google V8 JavaScript engine. Investigate real-world examples of JIT-based side channels in the Apache Shiro security framework and GraphHopper route planning server, demonstrating their observability over the public Internet.
Overview
Syllabus
JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation
Taught by
IEEE Symposium on Security and Privacy