JIT Spray
What is JIT Spray?
JIT Spray: An exploit technique that abuses just-in-time compilers to plant attacker-chosen executable bytes inside legitimately generated, executable memory pages.
JIT spray is a memory-corruption exploit technique used against runtimes with just-in-time compilers — JavaScript engines such as V8, SpiderMonkey, and JSC, the .NET CLR, the JVM, ActionScript, or eBPF. The attacker crafts a high-level program whose JIT-compiled output, when viewed as raw bytes, decodes into desired native instructions, allowing payload smuggling into RWX pages produced by the JIT. Combined with a memory-corruption bug that hijacks control flow, the attacker can pivot into the sprayed gadgets, bypassing data-execution protections because the memory is legitimately marked executable. Modern mitigations include constant blinding, randomized code regions, W^X JIT writeable/executable separation, ASLR, and CFI.
● Examples
- 01: Spraying many JavaScript multiplications whose immediate constants embed shellcode bytes.
- 02: Using ActionScript JIT to plant a NOP sled and shellcode inside Flash Player's JIT region.
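The definition above and example 01 both turn on one property: an immediate constant written in the high-level program is copied verbatim into the JIT's executable output. The following added example (not code from the page or from any real engine) is a toy x86 emitter that shows that property and the constant-blinding mitigation; the opcodes are the real `mov eax, imm32` (B8) and `xor eax, imm32` (35) encodings, while the function names and the 0x41414141 marker constant are constructed for illustration.

```python
import os
import struct

# Constructed toy emitter: two real x86 opcodes, enough to show why
# immediates are dangerous in JIT output and what blinding changes.
MOV_EAX_IMM32 = 0xB8   # mov eax, imm32
XOR_EAX_IMM32 = 0x35   # xor eax, imm32


def emit_unblinded(immediates):
    """Emit `mov eax, imm32` per constant. The four immediate bytes land
    verbatim in executable memory, which is the property JIT spray abuses."""
    code = bytearray()
    for imm in immediates:
        code.append(MOV_EAX_IMM32)
        code += struct.pack("<I", imm)
    return bytes(code)


def emit_blinded(immediates, rng=os.urandom):
    """Constant blinding: store imm XOR key in the code and undo it at run time.
    eax still ends up equal to imm, but no instruction carries the
    attacker-chosen bytes contiguously. `rng` is injectable for testing."""
    code = bytearray()
    for imm in immediates:
        key = struct.unpack("<I", rng(4))[0]
        if key == 0:
            key = 0xA5A5A5A5  # a zero key would leave imm unblinded
        code.append(MOV_EAX_IMM32)
        code += struct.pack("<I", imm ^ key)
        code.append(XOR_EAX_IMM32)
        code += struct.pack("<I", key)
    return bytes(code)


def contains_run(code, pattern):
    """Audit check: does a chosen byte pattern appear contiguously in the code?"""
    return pattern in code


def simulate_eax(code):
    """Interpret only the two opcodes emitted above, to confirm that blinding
    preserves the program's semantics (final eax value)."""
    eax, i = 0, 0
    while i < len(code):
        op = code[i]
        val = struct.unpack_from("<I", code, i + 1)[0]
        if op == MOV_EAX_IMM32:
            eax = val
        elif op == XOR_EAX_IMM32:
            eax ^= val
        i += 5
    return eax & 0xFFFFFFFF
```

Run `contains_run` over both emitters' output with the same constants: the marker bytes appear in the unblinded code and not in the blinded code, while `simulate_eax` returns the same value for both.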
● Frequently asked questions
What is JIT Spray?
An exploit technique that abuses just-in-time compilers to plant attacker-chosen executable bytes inside legitimately generated, executable memory pages. It belongs to the Application Security category of cybersecurity.
What does JIT Spray mean?
An exploit technique that abuses just-in-time compilers to plant attacker-chosen executable bytes inside legitimately generated, executable memory pages.
How does JIT Spray work?
JIT spray is a memory-corruption exploit technique used against runtimes with just-in-time compilers — JavaScript engines such as V8, SpiderMonkey, and JSC, the .NET CLR, the JVM, ActionScript, or eBPF. The attacker crafts a high-level program whose JIT-compiled output, when viewed as raw bytes, decodes into desired native instructions, allowing payload smuggling into RWX pages produced by the JIT. Combined with a memory-corruption bug that hijacks control flow, the attacker can pivot into the sprayed gadgets, bypassing data-execution protections because the memory is legitimately marked executable. Modern mitigations include constant blinding, randomized code regions, W^X JIT writeable/executable separation, ASLR, and CFI.
How do you defend against JIT Spray?
Defences for JIT Spray combine technical controls with operational practices; the technical controls named in the definition above are constant blinding of JIT-emitted immediates, randomized placement of JIT code regions, W^X separation of writeable and executable JIT memory, ASLR, and CFI.
What are other names for JIT Spray?
Common alternative names include: Just-in-time spray.
● Related terms
- Type Confusion Vulnerability (appsec): A memory-safety bug where code accesses an object using a type incompatible with its real allocation, often enabling arbitrary read, write, or code execution.
- Browser Sandbox (appsec): An OS-level isolation layer that confines a browser's renderer and helper processes so that compromised web code cannot read the file system or other applications.
- Use-After-Free (vulnerabilities): A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.
- Heap Spraying (attacks): An exploitation primitive that fills the heap with many copies of a payload so that a corrupted pointer is highly likely to land on attacker-controlled data.
- Speculative Execution Side Channel (appsec): A microarchitectural vulnerability class where CPUs leak data through caches and predictors after executing instructions speculatively along paths that should not have run.
- Exploit (vulnerabilities): A piece of code, data, or technique that takes advantage of a vulnerability to cause unintended behaviour such as code execution, privilege escalation, or information disclosure.