You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code

Backes, Michael and Holz, Thorsten and Kollenda, Benjamin and Koppe, Philipp and Nürnberger, Stefan and Pewny, Jannik
(2014) You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code.
In: Proceedings of the 21st ACM conference on Computer and Communications Security (ACM CCS '14).
Conference: CCS ACM Conference on Computer and Communications Security

[img]
Preview
 Text
nuernberger2014ccs_disclosure.pdf - Published Version
Download (531kB) | Preview

Abstract

Code reuse attacks allow an adversary to impose malicious behavior on an otherwise benign program. To mitigate such attacks, a common approach is to disguise the address or content of code snippets by means of randomization or rewrit- ing, leaving the adversary with no choice but guessing. How- ever, disclosure attacks allow an adversary to scan a process— even remotely—and enable her to read executable memory on-the-fly, thereby allowing the just-in-time assembly of ex- ploits on the target site. In this paper, we propose an approach that fundamentally thwarts the root cause of memory disclosure exploits by pre- venting the inadvertent reading of code while the code itself can still be executed. We introduce a new primitive we call Execute-no-Read (XnR) which ensures that code can still be executed by the processor, but at the same time code cannot be read as data. This ultimately forfeits the self-disassembly which is necessary for just-in-time code reuse attacks (JIT- ROP) to work. To the best of our knowledge, XnR is the first approach to prevent memory disclosure attacks of exe- cutable code and JIT-ROP attacks in general. Despite the lack of hardware support for XnR in contemporary Intel x86 and ARM processors, our software emulations for Linux and Windows have a run-time overhead of only 2.2% and 3.4%, respectively.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Additional Information: pub_id: 193 Bibtex: nuernberger2014disclosure URL date: None
Uncontrolled Keywords: cispa,group:infsec
Divisions: Michael Backes (InfSec)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Sebastian Weisgerber
Date Deposited: 26 Jul 2017 10:33
Last Modified: 18 Jul 2019 12:10
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/1102

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.