CS SEMINAR

XOM-SWITCH: HIDING YOUR CODE FROM ADVANCED CODE REUSE ATTACKS IN ONE SHOT

Speaker
Mingwei Zhang
Research Scientist
Intel Labs

Chaired by
Dr LIANG Zhenkai, Associate Professor, School of Computing
liangzk@comp.nus.edu.sg

23 Mar 2018 Friday, 04:30 PM to 06:00 PM

Executive Classroom, COM2-04-02

Abstract:

Code disclosure-guided ROP, such as just-in-time (JIT) ROP and Hacking Blind, is popular because it is convenient and robust against changes to the binary layout. Its increasing popularity has led to several lines of research on the defensive side. Among them, eXecutable-Only Memory (XOM) is one of the most sought-after features, since it eliminates the ability to read code. XOM can be achieved efficiently in different ways with hardware assistance, for example on CPUs with a single-layer split-TLB (ITLB and DTLB) architecture, or on CPUs with Extended Page Tables (EPT). However, neither technique is easily deployable by end users, who have limited control over the target systems. For instance, although modern CPU models still have a split-TLB architecture, an extra layer of unified TLB has been added on top of it, so the OS is no longer told whether a miss was an ITLB miss or a DTLB miss; without that information, it is impossible to know whether a page fault is due to a code read or to an instruction fetch. On the other hand, since EPT is managed by the hypervisor, it may not be accessible or controllable by end users, especially in the cloud, so it is unlikely that end users could use EPT to enforce XOM. By contrast, Memory Protection Keys for Userspace (PKU) is a user-level feature that makes executable pages inaccessible to data accesses without preventing their execution. PKU has been enabled since Linux kernel 4.9 with support for XOM; however, there is no end-to-end enabling for applications, due to the absence of runtime support.
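The PKU property the abstract relies on, that a page can stay executable while every data access to it faults, can be observed directly in a few dozen lines. The following is an added example for this page and is not code from the talk or from XOM-switch. It assumes x86-64 Linux with the pkey syscalls (kernel 4.9 or later) and a CPU that exposes PKU; the six-byte code stub, the result codes and the fallback syscall numbers are constructed for this example. A page is filled with a stub that returns 0x1337, tagged with a freshly allocated protection key whose PKRU rights disable access, then executed (which succeeds, because instruction fetches are not subject to PKRU) and finally read through a data pointer (which must fault with SIGSEGV).

```c
/* Added example, not part of the talk or of XOM-switch: execute-only memory
 * via Intel MPK/PKU on x86-64 Linux. The pkey_* syscalls are invoked through
 * syscall(2) so the example does not depend on glibc's wrappers. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Result codes (constructed for this example). */
enum { XOM_OK = 0, XOM_UNSUPPORTED = 1, XOM_FAIL = 2 };

#if defined(__x86_64__) && defined(__linux__)
#ifndef SYS_pkey_mprotect
#define SYS_pkey_mprotect 329      /* x86-64 numbers, Linux >= 4.9 */
#endif
#ifndef SYS_pkey_alloc
#define SYS_pkey_alloc 330
#endif
#ifndef SYS_pkey_free
#define SYS_pkey_free 331
#endif
#ifndef PKEY_DISABLE_ACCESS
#define PKEY_DISABLE_ACCESS 0x1    /* PKRU "AD" (access disable) bit */
#endif

/* Constructed stub: mov eax, 0x1337 ; ret */
static const uint8_t kStub[] = { 0xb8, 0x37, 0x13, 0x00, 0x00, 0xc3 };

static sigjmp_buf g_env;
static volatile sig_atomic_t g_faulted;
static volatile sig_atomic_t g_sicode;

static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    g_faulted = 1;
    g_sicode = si->si_code;        /* SEGV_PKUERR (4) for a protection-key fault */
    siglongjmp(g_env, 1);
}

int xom_demo(void)
{
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    int rc = XOM_FAIL;
    int (*fn)(void) = NULL;
    struct sigaction sa, old;
    long pkey;

    /* 1. Map a writable page and copy the stub in (never RWX at once). */
    uint8_t *page = mmap(NULL, psz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return XOM_FAIL;
    memcpy(page, kStub, sizeof kStub);

    /* 2. Allocate a key whose PKRU entry disables all data access. */
    pkey = syscall(SYS_pkey_alloc, 0UL, (unsigned long)PKEY_DISABLE_ACCESS);
    if (pkey < 0) {                /* ENOSYS / EINVAL / ENOSPC: no usable PKU */
        munmap(page, psz);
        return XOM_UNSUPPORTED;
    }

    /* 3. Tag the page with the key. Page-table permissions stay R+X; the read
     *    restriction comes purely from PKRU, which is the XOM property. */
    if (syscall(SYS_pkey_mprotect, page, psz, PROT_READ | PROT_EXEC, (int)pkey) != 0)
        goto out;

    /* 4. Execution still works: instruction fetches ignore protection keys. */
    memcpy(&fn, &page, sizeof fn); /* object -> function pointer without a cast warning */
    if (fn() != 0x1337) goto out;

    /* 5. A data read of the same page must now fault with SIGSEGV. */
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) goto out;

    g_faulted = 0;
    if (sigsetjmp(g_env, 1) == 0) {
        volatile uint8_t *probe = page;
        uint8_t b = *probe;        /* faults here on PKU-capable hardware */
        (void)b;
    }
    sigaction(SIGSEGV, &old, NULL);
    if (g_faulted) rc = XOM_OK;

out:
    munmap(page, psz);
    syscall(SYS_pkey_free, (int)pkey);
    return rc;
}
#else
int xom_demo(void) { return XOM_UNSUPPORTED; }
#endif

int main(void)
{
    int rc = xom_demo();
    puts(rc == XOM_OK ? "XOM enforced: stub executed, data read faulted (SIGSEGV)"
       : rc == XOM_UNSUPPORTED ? "PKU not available on this CPU/kernel"
       : "unexpected failure");
    return rc;
}
```

Build with `cc -O2 -o xom_demo xom_demo.c` and run it; on a CPU or hypervisor that does not expose PKU, `pkey_alloc` fails and the demo reports unsupported rather than faulting. The kernel's own execute-only support works the same way implicitly: a mapping requested with PROT_EXEC but without PROT_READ is tagged with a kernel-reserved execute-only key, which is the facility a tool such as XOM-switch has to apply, after the fact, to every code page of an already-built executable and its libraries.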

In this talk, we present XOM-switch, a security tool that allows end users to enable XOM on their deployed Linux applications using PKU, a CPU feature that will be widely available in the PC market. Our approach provides end-to-end enabling for applications on Linux without source code or heavyweight binary rewriting. We will present the entire XOM-enabling pipeline in detail, including all the secret sauce needed to overcome the challenges posed by ELF binaries.

XOM-switch will be demonstrated on real-world, large and complex programs (executables together with all their dependent libraries), showing that it protects them correctly with almost no performance overhead. XOM-switch will be released together with every tool we have built, including the original source code and the related test data, to enable researchers to replicate the research and to help developers quickly turn on these features without refactoring their code.


Biodata:

Mingwei Zhang is currently a research scientist in the anti-malware and intelligence team at Intel Labs. His current research areas span a wide range of program hardening using Intel hardware features, anti-malware techniques, and a dynamic sandbox for Android using machine learning. Mingwei received his Ph.D. in computer science from Stony Brook University in 2015. His research in the Ph.D. program focused on software security protection via binary rewriting and program analysis. His paper "Control Flow Integrity for COTS Binaries" received the best paper award at USENIX Security 2013. In addition, he has several other papers published at ACSAC ('15, '17), VEE ('14), IEEE CloudCom ('15) and IEEE/IFIP DSN ('17). He currently has 1 patent granted plus 6 pending at Intel. In addition, he has one presentation accepted at Black Hat Asia 2018 and contributed to the dynamic Android malware sandbox work that was mentioned by "AVPASS" at Black Hat 2017.