You Can Run but You Can’t Read: Preventing Disclosure Exploits in Executable Code

CCS’14

Upload: ch0psticks

Post on 06-Aug-2015



Background

• Buffer overflows, dangling pointers, memory corruption vulnerabilities
• Defences & attacks
  • DEP/W^X -> ROP
  • ASLR (coarse-grained) -> memory disclosure + memory corruption
  • ASLR (fine-grained) -> JIT code reuse
• XnR
  • Memory (code pages): eXecutable, but non-Readable

JIT-Code Reuse

• JIT code reuse
  • An attack framework running inside a script environment
  • Client-side online attack
• JIT code reuse workflow
  • Harvest code pages
  • Discover gadgets and APIs
  • Just-in-time compilation

K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, et al., “Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization,” in 2013 IEEE Symposium on Security and Privacy (SP), 2013, pp. 574–588.


Preventing Disclosure Exploits

• Motivation
  • As soon as a process tries to read its own code as data, XnR considers this illegal behavior.
  • Prevents the first necessary step of a disclosure exploit
• Adversary’s threat model
  • The userland process contains a memory corruption vulnerability
  • The process contains at least one memory disclosure vulnerability
  • The adversary controls the input of all communication channels
• Assumption
  • XnR runs on an OS that already provides W^X and fine-grained ASLR.

The XnR Primitive

• Emulating XnR in software
  • Current hardware does not support eXecutable-but-non-Readable memory
  • Memory permissions only allow toggling the ability to Write to memory or the ability to eXecute it; executable permission implies read permission.
• Challenge
  • Detecting read attempts is not supported by the MMU.
  • Distinguishing legitimate accesses to data from read attempts on code

The XnR Primitive

• Emulating XnR in software: solutions
  • Set code pages non-present and let a modified page fault handler check the violation condition.
  • Three types of memory operation have to be distinguished

The XnR Primitive

• Sliding window
  • A page is only marked non-present again once another page is accessed.
  • The window size is the number of most recently accessed, still present pages waiting to be marked non-present.
  • Keeps the n most recently used pages present while setting all others to non-present.
  • A trade-off between performance and security: n = 3
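A user-space model of the page-fault based emulation and the sliding window described on the two slides above, as an added example that is not code from the paper or from these slides. The page size, the size of the modelled code region, the window size n = 3 and the access trace are constructed; the split of an access into an instruction fetch or a data read is supplied by the caller here (a real handler has to derive it from the fault itself), and the verdict names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096
#define CODE_PAGES 8      /* constructed: size of the modelled code region, in pages */
#define WINDOW_N   3      /* the n = 3 window from the slides */

/* Classification of an access to a code page. A real handler derives this from the
 * fault itself (assumption: e.g. whether the faulting address is the instruction
 * pointer); in this model the caller supplies it. */
enum access_kind { FETCH, DATA_READ };

enum verdict { ALLOWED, ALLOWED_NO_FAULT, VIOLATION, OUT_OF_RANGE };

struct xnr_state {
    bool present[CODE_PAGES];   /* emulated present bit of each code page */
    size_t window[WINDOW_N];    /* FIFO of the code pages currently present */
    size_t window_len;
    size_t oldest;              /* index of the oldest window entry */
    unsigned faults;            /* page faults taken: the performance cost */
};

struct demo_result { unsigned faults, flagged; bool page0_present, page3_present; };

void xnr_init(struct xnr_state *s) {
    for (size_t i = 0; i < CODE_PAGES; i++) s->present[i] = false;  /* all code non-present */
    s->window_len = 0;
    s->oldest = 0;
    s->faults = 0;
}

/* Make page pg present and push it into the window; when the window is full the
 * oldest page is made non-present again, so later reads of it will fault. */
static void window_admit(struct xnr_state *s, size_t pg) {
    if (s->window_len == WINDOW_N) {
        s->present[s->window[s->oldest]] = false;
        s->window[s->oldest] = pg;
        s->oldest = (s->oldest + 1) % WINDOW_N;
    } else {
        s->window[(s->oldest + s->window_len) % WINDOW_N] = pg;
        s->window_len++;
    }
    s->present[pg] = true;
}

/* One access to address addr inside the code region. A present page never faults,
 * so the MMU lets the access through unseen; a non-present page raises the
 * emulated page fault, where a data read of code is the violation XnR reports. */
enum verdict xnr_access(struct xnr_state *s, uintptr_t addr, enum access_kind kind) {
    size_t pg = addr / PAGE_SIZE;
    if (pg >= CODE_PAGES) return OUT_OF_RANGE;
    if (s->present[pg]) return ALLOWED_NO_FAULT;
    s->faults++;
    if (kind == DATA_READ) return VIOLATION;
    window_admit(s, pg);   /* legitimate instruction fetch */
    return ALLOWED;
}

/* Constructed trace: execution walks pages 0..3, then the program reads page 0
 * (evicted by then, so the read faults and is flagged) and page 3 (still in the
 * window, so the read passes unseen). */
struct demo_result run_demo(void) {
    struct xnr_state s;
    struct demo_result r = {0, 0, false, false};
    xnr_init(&s);
    for (size_t pg = 0; pg < 4; pg++)
        xnr_access(&s, pg * PAGE_SIZE + 0x10, FETCH);
    if (xnr_access(&s, 0x20, DATA_READ) == VIOLATION) r.flagged++;
    if (xnr_access(&s, 3 * PAGE_SIZE + 0x20, DATA_READ) == VIOLATION) r.flagged++;
    r.faults = s.faults;              /* 5 */
    r.page0_present = s.present[0];   /* evicted by the fetch of page 3 */
    r.page3_present = s.present[3];
    printf("page faults: %u, flagged code reads: %u\n", r.faults, r.flagged);
    return r;   /* flagged == 1 */
}

int main(void) {
    return run_demo().flagged == 1 ? 0 : 1;
}
```

The second read in the trace is the cost of the trade-off the slide names: a data read of a page that is still inside the window does not fault, so the emulation cannot see it, which is why n has to stay small. The window is also a FIFO of admissions rather than a true LRU, because a present page produces no fault and its re-use is invisible to the handler.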

Implementation

• One general concept
  • Use hardware page faults to emulate an XnR hardware feature.
• Two mainstream OSes
  • Windows: closed source, not friendly to fundamental modification (memory management)
  • Linux: open source

Implementation

• Linux
• Windows
  • Insert a custom page fault handler into the Windows kernel’s IDT
  • Check procedure: the same as on Linux

Evaluation

• Precision and effectiveness
  • Detection of exploits
    • netcat with manually introduced memory disclosure and memory corruption vulnerabilities
  • Legitimate code reads
    • Found that both common Linux programs and standard Windows DLL functions attempt to read code during normal program execution.
    • Linux: the ELF header (data) resides in the .text segment
    • Windows: data in the text segment
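The Linux case of a legitimate code read that the evaluation reports, the ELF header sitting inside the executable segment, can be checked per binary. The following is an added example and not code from the paper: it parses an ELF64 little-endian header and program header table from a memory buffer and counts executable PT_LOAD segments that start at file offset 0, i.e. that map the ELF header itself. The two images are constructed by hand and contain only headers, and the function and helper names are my own. A binary whose first segment is R+X at offset 0 is one where a loader or libc reading its header touches a code page under XnR; a layout that places the headers in a read-only segment (what ld produces with -z separate-code) does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EHDR_SIZE 64      /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE 56      /* sizeof(Elf64_Phdr) */
#define PT_LOAD_T 1u
#define PF_X_BIT  1u
#define PF_W_BIT  2u
#define PF_R_BIT  4u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Counts executable PT_LOAD segments whose file range starts at offset 0 and
 * therefore maps the ELF header. Returns -1 for anything that is not a
 * well-formed ELF64 little-endian image with the standard program header size. */
int exec_segments_covering_header(const uint8_t *img, size_t len) {
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != 2 || img[5] != 1) return -1;       /* ELFCLASS64, ELFDATA2LSB */
    uint64_t phoff = rd64(img + 32);                 /* e_phoff */
    uint16_t phentsize = rd16(img + 54);             /* e_phentsize */
    uint16_t phnum = rd16(img + 56);                 /* e_phnum */
    if (phentsize != PHDR_SIZE || phoff > len || (len - phoff) / PHDR_SIZE < phnum) return -1;
    int hits = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * PHDR_SIZE;
        uint32_t type = rd32(ph), flags = rd32(ph + 4);         /* p_type, p_flags  */
        uint64_t off = rd64(ph + 8), filesz = rd64(ph + 32);    /* p_offset, p_filesz */
        if (type == PT_LOAD_T && (flags & PF_X_BIT) && off == 0 && filesz >= EHDR_SIZE) hits++;
    }
    return hits;
}

#define IMG_LEN (EHDR_SIZE + 2 * PHDR_SIZE)

static void put_phdr(uint8_t *ph, uint32_t flags, uint64_t off, uint64_t vaddr, uint64_t size) {
    wr32(ph, PT_LOAD_T); wr32(ph + 4, flags);
    wr64(ph + 8, off); wr64(ph + 16, vaddr); wr64(ph + 24, vaddr);
    wr64(ph + 32, size); wr64(ph + 40, size); wr64(ph + 48, 0x1000);
}

/* Constructed image: ELF header plus two PT_LOAD program headers, no segment
 * contents (the check needs none). separate_code == 0 gives the classic layout
 * the slide describes, an R+X first segment at offset 0 that maps the headers;
 * separate_code != 0 keeps the headers read-only and starts code at 0x1000. */
void build_image(uint8_t *img, int separate_code) {
    memset(img, 0, IMG_LEN);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2; img[5] = 1; img[6] = 1;              /* 64-bit, little-endian, EV_CURRENT */
    wr16(img + 16, 2); wr16(img + 18, 0x3e); wr32(img + 20, 1);  /* ET_EXEC, x86-64, version 1 */
    wr64(img + 32, EHDR_SIZE);                       /* e_phoff: program headers follow */
    wr16(img + 52, EHDR_SIZE); wr16(img + 54, PHDR_SIZE); wr16(img + 56, 2);
    uint32_t first  = separate_code ? PF_R_BIT : (PF_R_BIT | PF_X_BIT);
    uint32_t second = separate_code ? (PF_R_BIT | PF_X_BIT) : (PF_R_BIT | PF_W_BIT);
    put_phdr(img + EHDR_SIZE, first, 0, 0x400000, 0x1000);
    put_phdr(img + EHDR_SIZE + PHDR_SIZE, second, 0x1000, 0x401000, 0x1000);
}

int classic_layout_hits(void) {
    uint8_t img[IMG_LEN]; build_image(img, 0);
    return exec_segments_covering_header(img, IMG_LEN);   /* 1 */
}
int separate_code_hits(void) {
    uint8_t img[IMG_LEN]; build_image(img, 1);
    return exec_segments_covering_header(img, IMG_LEN);   /* 0 */
}
```

To run the check on a real binary, read the file into a buffer and pass it to exec_segments_covering_header; a result of 0 means no executable segment shares a page with the headers, so header reads by the loader cannot trip a read-of-code detector.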

Evaluation

• Performance: overhead on Linux

Evaluation

• Performance: overhead on Windows

Evaluation

• Performance
  • Time spent handling page faults and the number of page faults

Conclusion

• Proposes a novel technique (XnR) to detect memory disclosure exploits
• Implements XnR in software