Code disclosure-guided ROP such as Just-in-time (JIT) ROP and Hacking Blind is popular because of its convenience and robust changes to binary layout. Its increasing popularity leads to several lines of research on the defensive side. Among them, eXecutable-Only Memory (XOM) is one of the most sought-after features, since code read capability is eliminated. XOM could be achieved efficiently in different ways with hardware assist, such as using CPUs that have single layer split-cache (ITLB and DTLB) architecture, using CPUs with Extended Page Table (EPT). However, neither of the techniques are easily deployable for end users, since they have limited control over the target systems. For instance, although modern CPU models still have split-cache architecture, it has been added with an extra layer of unified TLB. Thus, OS will not get information of ITLB miss or DTLB miss. Without that, it is impossible to know whether a page fault is due to code read or instruction fetch. On the other hand, since EPT is managed by hypervisor, it may not be accessible or controllable by end users, especially in cloud. Thus, it is unlikely that end users could use EPT to enforce XOM. By contrast, Memory Protection Keys for Userspace (PKU) is a user-level feature that allows executable pages to be inaccessible from data accesses, without prevention of its execution. PKU has been enabled since Linux kernel 4.9 with the support of XOM; however, there is no end-to-end enabling for applications due the absence of runtime support.
In this talk, we present XOM-switch, a security tool that allows end users to enable XOM on their deployed Linux applications using PKU, a CPU feature that will be widely available in PC market. In our approach, we provide an end-to-end enabling for applications in Linux without source code or heavyweight binary rewriting. We will present the entire pipeline of XOM enabling process in details with all secret sauces to overcome challenges in ELF binaries.
XOM-switch will be demonstrated, showing that it works on real-world, large and complex programs (executables and all dependent libraries) correctly, with almost no performance overhead. XOM-switch will be released with every tool that we have built - including the original source code and the related test data - to enable researchers to replicate the research and to help developers quickly turn on these features without refactoring their code.