Comment Re:Apple (Score 1) 52
No, PC browsers (with the possible exception of Safari?) don't do anything nearly so braindead, nor do any of the other kinds of PC software that use a JIT (a few examples: Java,
In fact, browsers (IE and Chrome at a minimum, probably others) and Flashplayer take things a step further. Since you can generate a huge number of almost-entirely-attacker-controlled instructions by doing operations that will compile down as arithmetic on immediate values (constants), and since x86 (and, to a lesser extent, many ARM systems courtesy of THUMB-2 mode) allows code to be interpreted as a completely different instruction sequence if you enter the binary stream in the middle of an instruction, one technique for getting executable-mapped shellcode into a browser is to have a script that does a ton of arithmetic on carefully chosen constants. Therefore, the above-mentioned JITs (IE, Chrome, Flashplayer, maybe others) use a technique called "constant blinding" where every constant operation is actually emitted as two instructions: a masked constant getting XORed with its mask value to produce the expected constant (in a register), and then an operation on that value. No long sequence of known instructions with attacker-controlled immediates means no way to predict the result of entering an instruction stream at an offset.
If Safari on iOS really is so stupid as to have R/W/X pages just because of its JIT, Apple has fucked up colossally.
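The constant-blinding mitigation the comment above describes, shown with a toy x86-64 emitter. This is an added example, not code from the comment or from any real browser JIT: it models only two real encodings (`mov eax, imm32` as `B8 imm32` and `xor eax, imm32` as `35 imm32`, little-endian), uses constructed sample constants and a fixed demonstration mask, and the names `emit_plain`, `emit_blinded`, `run` and `immediate_leaks` are this example's own. It shows that the blinded two-instruction form produces the same register value while the script-chosen immediate no longer appears verbatim in the emitted bytes, which is the property a reviewer or fuzzer would check when validating a JIT's blinding.

```python
"""Constant blinding as a JIT mitigation, illustrated with a toy x86-64 emitter.

Added example (not from the original comment or any real JIT). Only two
encodings are modelled:
    mov eax, imm32  ->  B8 imm32   (imm32 little-endian)
    xor eax, imm32  ->  35 imm32   (imm32 little-endian)
"""
import secrets
import struct

MASK32 = 0xFFFFFFFF


def mov_eax_imm32(value):
    """Encode `mov eax, imm32` (opcode B8 followed by a little-endian imm32)."""
    return b"\xb8" + struct.pack("<I", value & MASK32)


def xor_eax_imm32(value):
    """Encode `xor eax, imm32` (opcode 35 followed by a little-endian imm32)."""
    return b"\x35" + struct.pack("<I", value & MASK32)


def emit_plain(constant):
    """Unblinded JIT output: the script-chosen constant lands literally in code."""
    return mov_eax_imm32(constant)


def emit_blinded(constant, mask=None):
    """Blinded JIT output: `mov eax, constant ^ mask` then `xor eax, mask`.

    A random 32-bit mask is drawn per constant unless one is supplied (a fixed
    mask is used below only to make the demonstration reproducible). Neither
    emitted immediate equals the original constant unless mask == 0 or
    mask == constant, so the emitter rejects both degenerate masks.
    """
    if mask is None:
        mask = secrets.randbits(32)
        while mask in (0, constant & MASK32):
            mask = secrets.randbits(32)
    masked = (constant ^ mask) & MASK32
    return mov_eax_imm32(masked) + xor_eax_imm32(mask), mask


def run(code):
    """Tiny interpreter for the two modelled instructions; returns final eax."""
    eax = 0
    pos = 0
    while pos < len(code):
        opcode = code[pos]
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        if opcode == 0xB8:
            eax = imm
        elif opcode == 0x35:
            eax ^= imm
        else:
            raise ValueError("unsupported opcode 0x%02x" % opcode)
        pos += 5
    return eax & MASK32


def immediate_leaks(code, constants):
    """True if any constant's 4-byte encoding appears contiguously in `code`.

    This is the check a reviewer applies to JIT output: with blinding in place
    the script-chosen immediates must not be recoverable as raw code bytes.
    """
    return any(struct.pack("<I", c & MASK32) in code for c in constants)


if __name__ == "__main__":
    # Constructed sample constant and fixed demonstration mask.
    constant, demo_mask = 0x11223344, 0x5A5A5A5A
    plain = emit_plain(constant)
    blinded, _ = emit_blinded(constant, mask=demo_mask)
    print("plain   :", plain.hex(), "eax=%08x" % run(plain),
          "leaks=%s" % immediate_leaks(plain, [constant]))
    print("blinded :", blinded.hex(), "eax=%08x" % run(blinded),
          "leaks=%s" % immediate_leaks(blinded, [constant]))
```

Both emitted streams leave `0x11223344` in `eax`, but only the unblinded one contains the bytes `44 33 22 11` that a script author chose; with a fresh random mask per constant, the immediates that reach the executable page are values the script never picked.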