Code reuse attacks allow an adversary to impose malicious behavior on an otherwise benign program. To mitigate such attacks, a common approach is to disguise the address or content of code snippets by means of randomization or rewrit- ing, leaving the adversary with no choice but guessing. How- ever, disclosure attacks allow an adversary to scan a process— even remotely—and enable her to read executable memory on-the-fly, thereby allowing the just-in-time assembly of ex- ploits on the target site. In this paper, we propose an approach that fundamentally thwarts the root cause of memory disclosure exploits by pre- venting the inadvertent reading of code while the code itself can still be executed. We introduce a new primitive we call Execute-no-Read (XnR) which ensures that code can still be executed by the processor, but at the same time code cannot be read as data. This ultimately forfeits the self-disassembly which is necessary for just-in-time code reuse attacks (JIT- ROP) to work. To the best of our knowledge, XnR is the first approach to prevent memory disclosure attacks of exe- cutable code and JIT-ROP attacks in general. Despite the lack of hardware support for XnR in contemporary Intel x86 and ARM processors, our software emulations for Linux and Windows have a run-time overhead of only 2.2% and 3.4%, respectively.
Proceedings of the 21st ACM conference on Computer and Communications Security (ACM CCS '14)
2014-11-01
2019-07-18 12:10:26