XOM-switch: Hiding Your Code from Advanced Code Reuse Attacks In One Shot

Presented at Black Hat Asia 2018, March 22, 2018, 10:15 a.m. (60 minutes).

Code-disclosure-guided ROP, such as just-in-time (JIT) ROP and Hacking Blind, is popular because it is convenient and robust against changes in binary layout. Its increasing popularity has led to several lines of research on the defensive side. Among them, eXecutable-Only Memory (XOM) is one of the most sought-after features, since it eliminates the ability to read code. XOM can be enforced efficiently in several ways with hardware assistance, for example on CPUs with a single-layer split-cache (ITLB and DTLB) architecture, or on CPUs with Extended Page Tables (EPT). However, neither technique is easily deployable by end users, who have limited control over the target systems. For instance, although modern CPU models still have a split-cache architecture, an extra layer of unified TLB has been added, so the OS no longer learns whether a miss was an ITLB miss or a DTLB miss; without that information it is impossible to tell whether a page fault was caused by a code read or by an instruction fetch. On the other hand, since EPT is managed by the hypervisor, it may not be accessible or controllable by end users, especially in the cloud, so end users are unlikely to be able to use EPT to enforce XOM. By contrast, Memory Protection Keys for Userspace (PKU) is a user-level feature that allows executable pages to be made inaccessible to data accesses without preventing their execution. PKU has been enabled since Linux kernel 4.9 with support for XOM; however, there is no end-to-end enabling for applications because runtime support is absent.

In this talk, we present XOM-switch, a security tool that lets end users enable XOM on their deployed Linux applications using PKU, a CPU feature that will be widely available in the PC market. Our approach provides end-to-end enabling for Linux applications without source code or heavyweight binary rewriting. We will present the entire XOM enabling pipeline in detail, with all the secret sauce needed to overcome the challenges posed by ELF binaries.

XOM-switch will be demonstrated on real-world, large and complex programs (executables and all dependent libraries), showing that it works correctly with almost no performance overhead. XOM-switch will be released together with every tool we have built - including the original source code and the related test data - so that researchers can replicate the research and developers can quickly turn on these features without refactoring their code.


Presenters:

  • Daiping Liu - Research Assistant, University of Delaware
    Daiping Liu is a Ph.D. student in the Department of Computer Engineering at the University of Delaware; his advisor is Dr. Haining Wang. Before joining the University of Delaware with his advisor in Fall 2014, Daiping was a Ph.D. candidate in Computer Science at the College of William and Mary. He received an M.S. in Computer Science from Stony Brook University, and a B.Eng. in Computer Science from Wuhan University. His research interests include security, networking, mobile systems and OS. Daiping's work aims to improve the security and performance of computer systems and software through both empirical measurement study and the design of new systems.
  • Mingwei Zhang - Research Scientist, Intel
    Mingwei Zhang is currently a research scientist in the Anti-Malware Team in Intel Labs. His current research areas span program hardening using Intel hardware features, anti-malware techniques and dynamic sandboxing for Android. Mingwei received his Ph.D. in computer science from Stony Brook University in 2015. His research in the Ph.D. program focused on software security protection via binary rewriting and program analysis. His paper "Control Flow Integrity for COTS Binaries" received the best paper award at USENIX Security 2013. In addition, he has several other papers published in ACSAC ('15, '17), VEE ('14), IEEE CloudCom ('15) and IEEE/IFIP DSN ('17). He currently has 1 patent granted plus 5 pending. His recent work on a dynamic Android malware sandbox was mentioned by "AVPASS", published at Black Hat 2017.
  • Ravi Sahita - Principal Engineer, Intel
    Ravi Sahita is a principal engineer in Intel Labs. He is experienced in computer security, virtualization, systems software and computer networking; design and development of systems and application software, novel CPU instruction-set extensions, hypervisors, network stacks and interoperable standards; defining novel platform architectures to create innovative solutions; working with cross-group teams and developing modular, scalable software to create quality products; delivering quality software licensed to partner software companies; and workload and performance analysis to define hardware approaches to computer security at the processor, chipset and device level. He has in-depth work experience with hardware virtualization and the implementation of core modules for multiple virtual machine monitors. He is an articulate speaker and technical writer with 50+ patents.
