No-Execute-After-Read: Preventing Code Disclosure in Commodity Software

Title: No-Execute-After-Read: Preventing Code Disclosure in Commodity Software
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Werner, Jan; Baltas, George; Dallara, Rob; Otterness, Nathan; Snow, Kevin Z.; Monrose, Fabian; Polychronakis, Michalis
Conference Name: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
Date Published: May 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4233-9
Keywords: browser security, code reuse attack, composability, fine grained randomization, import address table, JIT ROP, memory disclosure, memory disclosure attack, memory protection key, Metrics, non-executable memory, pubcrawl, Resiliency, return oriented programming, rop attacks, Scalability, windows operating systems security
Abstract:

Memory disclosure vulnerabilities enable an adversary to successfully mount arbitrary code execution attacks against applications via so-called just-in-time code reuse attacks, even when those applications are fortified with fine-grained address space layout randomization. This attack paradigm requires the adversary to first read the contents of randomized application code, then construct a code reuse payload using that knowledge. In this paper, we show that the recently proposed Execute-no-Read (XnR) technique fails to prevent just-in-time code reuse attacks. Next, we introduce the design and implementation of a novel memory permission primitive, dubbed No-Execute-After-Read (NEAR), that avoids the problems of XnR and provides strong security guarantees against just-in-time attacks in commodity binaries. Specifically, NEAR allows all code to be disclosed, but prevents any disclosed code from subsequently being executed, thus thwarting just-in-time code reuse. At the same time, commodity binaries with mixed code and data regions still operate correctly, as legitimate data is still readable. To demonstrate the practicality and portability of our approach, we implemented prototypes for both Linux and Android on the ARMv8 architecture, as well as a prototype that protects unmodified Microsoft Windows executables and dynamically linked libraries. In addition, our evaluation on the SPEC2006 benchmark demonstrates that our prototype has negligible runtime overhead, making it suitable for practical deployment.

URL: https://dl.acm.org/doi/10.1145/2897845.2897891
DOI: 10.1145/2897845.2897891
Citation Key: werner_no-execute-after-read:_2016