Randomization can’t stop BPF JIT spray

Elena Reshetova*, Filippo Bonazzi, N. Asokan

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Scientific, peer-review

1 Citation (Scopus)


The Linux kernel Berkeley Packet Filter (BPF) and its Just-In-Time (JIT) compiler are actively used in various pieces of networking equipment where filtering speed is especially important. In 2012, the Linux BPF/JIT compiler was shown to be vulnerable to a JIT spray attack; fixes were quickly merged into the Linux kernel in order to stop the attack. In this paper we show two modifications of the original attack which still succeed on a modern 4.4 Linux kernel, and demonstrate that JIT spray is still a major problem for the Linux BPF/JIT compiler. This work helped to make the case for further and proper countermeasures to the attack, which have then been merged into the 4.7 Linux kernel.

Original language: English
Title of host publication: Network and System Security - 11th International Conference, NSS 2017, Proceedings
Number of pages: 15
Volume: 10394 LNCS
ISBN (Print): 9783319647005
Publication status: Published - 2017
MoE publication type: A4 Article in a conference publication
Event: International Conference on Network and System Security - Helsinki, Helsinki, Finland
Duration: 21 Aug 2017 - 23 Aug 2017
Conference number: 11

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10394 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: International Conference on Network and System Security
Abbreviated title: NSS


  • Berkeley Packet Filter
  • JIT spray
  • Network security

