Biblio

Memory-corruption vulnerabilities pose a severe threat on modern systems security. Although this problem is known for almost three decades it is unlikely to be solved in the near future because a large amount of modern software is still programmed in unsafe, legacy languages such as C/C++. With new vulnerabilities in popular software discovered almost every day, and with high third party demand for (purchasing) the corresponding exploits, runtime attacks are more prevalent than ever. Even perfect cryptography can easily be undermined by exploiting software vulnerabilities. Typically, one vulnerability in wide-spread software (e.g., Tor Browser) is sufficient for the adversary to compromise all users. Moving target approaches such as software diversity [2] and system randomization techniques [7] are considered to be effective and practical means to strongly reduce the scale of such attacks because ideally, the adversary would require to craft a unique exploit per user. However, recently it was shown that existing software-randomization schemes can be circumvented by practical exploitation techniques such as Just-In-Time Return Oriented Programming (JIT-ROP) that takes advantage of information leakage [1]. The attack demonstrated that even a single disclosed code pointer can be exploited to defeat any (fine-grained) code randomization scheme. Later, it was shown that there are various sources of information leakage that can be exploited such as virtual function pointers [4]. JIT-ROP motivated a number of subsequent works to prevent the adversary from reading code such as Readactor [3,5], or ASLR Guard [8]. For instance, Readactor and its successor Readactor++ [3,5] use various techniques to prevent direct and indirect code disclosure, which seems to be non-trivial in general [6]. The arms race will continue.

Memory disclosure vulnerabilities enable an adversary to successfully mount arbitrary code execution attacks against applications via so-called just-in-time code reuse attacks, even when those applications are fortified with fine-grained address space layout randomization. This attack paradigm requires the adversary to first read the contents of randomized application code, then construct a code reuse payload using that knowledge. In this paper, we show that the recently proposed Execute-no-Read (XnR) technique fails to prevent just-in-time code reuse attacks. Next, we introduce the design and implementation of a novel memory permission primitive, dubbed No-Execute-After-Read (near), that foregoes the problems of XnR and provides strong security guarantees against just-in-time attacks in commodity binaries. Specifically, near allows all code to be disclosed, but prevents any disclosed code from subsequently being executed, thus thwarting just-in-time code reuse. At the same time, commodity binaries with mixed code and data regions still operate correctly, as legitimate data is still readable. To demonstrate the practicality and portability of our approach we implemented prototypes for both Linux and Android on the ARMv8 architecture, as well as a prototype that protects unmodified Microsoft Windows executables and dynamically linked libraries. In addition, our evaluation on the SPEC2006 benchmark demonstrates that our prototype has negligible runtime overhead, making it suitable for practical deployment.