WorksOnArm / equinix-metal-arm64-cluster

Arm and Equinix Metal have partnered to make powerful Neoverse-based Armv8 bare metal infrastructure, including latest-generation Ampere systems, available for open source software developers to build, test and optimize for the Arm64 architecture.
http://www.worksonarm.com

Hardening the Firefox JIT with online checking and translation validation on ARM #200

Status: closed (closed by deian 4 years ago)

deian commented 4 years ago

Name, email, company, job title

This project is a research collaboration between Stanford, UC San Diego, and UT Austin with guidance from folks at Mozilla.

Project Title and description

Hardening the Firefox JIT with online checking and translation validation

We are building a checking and validation framework for the Firefox just-in-time (JIT) compiler that can be used to catch security bugs at runtime and during testing. We are implementing several checkers, from register allocation and LICM validation, to a Spectre-mask checker, to codegen invariant validation. The last one, the codegen validator, is for the JIT's ARM backend: this checker will catch any violations of ISA invariants (e.g., register assignments when emitting strex instructions, which were previously buggy). To (hopefully) catch some of these bugs early, we would like to run the Fuzzilli JIT fuzzer on an ARM machine with our validators enabled.

Which members of the community would benefit from your work?

Firefox users on ARM will directly benefit from any bugs we find and report. Firefox users, more broadly, will benefit from the validation framework: Our checkers can be used to find bugs in Firefox and, moreover, prevent these bugs from being exploited during browsing.

Researchers will benefit from the techniques we develop, including the ARM instruction invariants we extracted from the specification.

Is the code that you’re going to run 100% open source? If so, what is the URL or URLs where it is located?

What infrastructure (computing resources and network access) do you need? (see: https://www.packet.net/bare-metal/)?

A short-term ARM server for fuzzing would be fantastic. Both c1.large.arm and c2.large.arm are perfect (with a slight preference for 96 cores, but happy either way).

Describe the continuous integration (CI) system in use or desired for this project.

None.

Please state your contributions to the open source community and any other relevant initiatives

We are a group of academics working on browser security (among other things). Related to this project, we developed a sandboxing framework called RLBox that was recently integrated into Firefox, a bug finding tool that found roughly 40 confirmed bugs in Chrome and Firefox (four CVEs and this bug), a JIT verification framework that identified a JIT bug in Firefox that was lurking around for over 5 years, and a framework for mitigating timing channels in Firefox called FuzzyFox.
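The codegen validator described above checks ISA invariants on the instructions the JIT emits. As an added illustration, not code from the Firefox JIT or from this project, the following Python sketch models one such check using the ARMv7-A operand constraints for STREX/LDREX; the `Emitted` record and the instruction-stream shape are assumptions, since the proposal does not describe the backend's internal representation.

```python
"""Toy ISA-invariant checker for ARMv7 exclusive-access instructions.

Added illustration (not part of the Firefox JIT or the proposal above): it models
one check a codegen validator might run over the operands a JIT backend emits,
using the STREX/LDREX operand constraints from the ARMv7-A reference manual.
"""
from dataclasses import dataclass
from typing import List

PC = 15  # r15 is the program counter; exclusive ops never take it as an operand


@dataclass(frozen=True)
class Emitted:
    """One emitted instruction: mnemonic plus register numbers (assumed shape)."""
    mnemonic: str
    rd: int = -1  # status register (STREX only)
    rt: int = -1  # value register
    rn: int = -1  # base address register


def check_exclusive(ins: Emitted) -> List[str]:
    """Return the invariant violations for one STREX/LDREX, empty if it is valid.

    ARMv7-A STREX: d == n or d == t is UNPREDICTABLE, as is any operand being r15.
    ARMv7-A LDREX: t == 15 or n == 15 is UNPREDICTABLE.
    """
    problems = []
    if ins.mnemonic == "strex":
        if ins.rd == ins.rn:
            problems.append("strex: status register equals base register")
        if ins.rd == ins.rt:
            problems.append("strex: status register equals value register")
        if PC in (ins.rd, ins.rt, ins.rn):
            problems.append("strex: r15 used as an operand")
    elif ins.mnemonic == "ldrex":
        if PC in (ins.rt, ins.rn):
            problems.append("ldrex: r15 used as an operand")
    return problems


def validate_stream(stream: List[Emitted]) -> List[str]:
    """Check every emitted instruction; a JIT would abort before installing code."""
    report = []
    for idx, ins in enumerate(stream):
        report += [f"#{idx} {p}" for p in check_exclusive(ins)]
    return report


# Constructed sample of a compare-and-swap sequence as a backend might emit it.
SAMPLE = [
    Emitted("ldrex", rt=2, rn=0),          # valid
    Emitted("strex", rd=3, rt=1, rn=0),    # valid: status, value, base distinct
    Emitted("strex", rd=1, rt=1, rn=0),    # violation: status reused as value
]
```

Running `validate_stream(SAMPLE)` flags only the third instruction, which is the kind of register-assignment slip a validator like this is meant to surface before a fuzzer or a user ever executes the code.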

vielmetti commented 4 years ago

Resolved via email.