Presentation Material
Abstract
Code disclosure-guided ROP such as Just-in-time (JIT) ROP and Hacking Blind is popular because of its convenience and robust changes to binary layout. Its increasing popularity leads to several lines of research on the defensive side. Among them, eXecutable-Only Memory (XOM) is one of the most sought-after features, since code read capability is eliminated. XOM could be achieved efficiently in different ways with hardware assist, such as using CPUs that have single layer split-cache (ITLB and DTLB) architecture, using CPUs with Extended Page Table (EPT). However, neither of the techniques are easily deployable for end users, since they have limited control over the target systems. For instance, although modern CPU models still have split-cache architecture, it has been added with an extra layer of unified TLB. Thus, OS will not get information of ITLB miss or DTLB miss. Without that, it is impossible to know whether a page fault is due to code read or instruction fetch. On the other hand, since EPT is managed by hypervisor, it may not be accessible or controllable by end users, especially in cloud. Thus, it is unlikely that end users could use EPT to enforce XOM. By contrast, Memory Protection Keys for Userspace (PKU) is a user-level feature that allows executable pages to be inaccessible from data accesses, without prevention of its execution. PKU has been enabled since Linux kernel 4.9 with the support of XOM; however, there is no end-to-end enabling for applications due the absence of runtime support.
In this talk, we present XOM-switch, a security tool that allows end users to enable XOM on their deployed Linux applications using PKU, a CPU feature that will be widely available in PC market. In our approach, we provide an end-to-end enabling for applications in Linux without source code or heavyweight binary rewriting. We will present the entire pipeline of XOM enabling process in details with all secret sauces to overcome challenges in ELF binaries.
XOM-switch will be demonstrated, showing that it works on real-world, large and complex programs (executables and all dependent libraries) correctly, with almost no performance overhead. XOM-switch will be released with every tool that we have built - including the original source code and the related test data - to enable researchers to replicate the research and to help developers quickly turn on these features without refactoring their code.
AI Generated Summarymay contain errors
The speaker is discussing a lightweight approach to defense against code reuse attacks, which involves instrumenting the program loader and optionally, the dynamic linker. This approach uses Intel’s Control-flow Enforcement Technology (CET) and randomized memory layout to prevent attackers from knowing the exact locations of writable and executable pages.
The evaluation shows that this approach incurs minimal overhead, with a 7% increase in code size and a 0.9% increase in runtime performance. The speaker also mentions that they have tested this approach on large binaries such as Firefox and LibreOffice, and it has been effective in reducing the attack surface.
One of the key benefits of this approach is that it can defeat just-in-time code reuse attacks and blind ROP attacks. In a just-in-time code reuse attack, an attacker tries to use malicious JavaScript to read code pages, but with this approach, those code pages are not accessible. In a blind ROP attack, an attacker tries to steal gadgets from the kernel, but this approach prevents them from accessing user-level pages marked with protection keys.
The speaker also mentions that the implementation is open-source and available on GitHub, and provides a simple command-line interface for patching binaries and launching programs with executable-only security permissions.