DOI: 10.1145/2660267.2660378

You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code

Published: 03 November 2014

Abstract

Code reuse attacks allow an adversary to impose malicious behavior on an otherwise benign program. To mitigate such attacks, a common approach is to disguise the address or content of code snippets by means of randomization or rewriting, leaving the adversary with no choice but to guess. However, disclosure attacks allow an adversary to scan a process, even remotely, and enable her to read executable memory on the fly, thereby allowing the just-in-time assembly of exploits on the target site. In this paper, we propose an approach that fundamentally thwarts the root cause of memory disclosure exploits by preventing the inadvertent reading of code while the code itself can still be executed. We introduce a new primitive we call Execute-no-Read (XnR), which ensures that code can still be executed by the processor but at the same time cannot be read as data. This ultimately forfeits the self-disassembly that is necessary for just-in-time code reuse attacks (JIT-ROP) to work. To the best of our knowledge, XnR is the first approach to prevent memory disclosure attacks on executable code and JIT-ROP attacks in general. Despite the lack of hardware support for XnR in contemporary Intel x86 and ARM processors, our software emulations for Linux and Windows have a run-time overhead of only 2.2% and 3.4%, respectively.
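The abstract states the XnR property (code executes but cannot be read as data) and that it was emulated in software on hardware that has no execute-only page permission. The following toy model, written for this page by the editor and not the paper's own implementation, shows the one mechanism an operating system has available for that emulation: page-table present bits plus a page-fault handler. Code pages start non-present; a fault whose address equals the program counter is an instruction fetch and admits the page into a small window of present code pages, while any other access to a non-present code page is a read of code as data and is reported as a violation. The window size, FIFO eviction, the 16-page address space and the page layout are all constructed assumptions. The comment on the present-page path records the caveat a practitioner should know: pages inside the window remain readable by the hardware, so the window must stay small.

```c
/* Toy model of Execute-no-Read (XnR) emulated with page-table present bits.
 * Editor's illustration of the idea in the abstract, not the paper's code. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NPAGES     16       /* constructed: 16 pages of 4 KiB */
#define XNR_WINDOW 2        /* assumed: code pages kept present at once */
#define NO_PAGE    UINT_MAX

enum xnr_result { XNR_OK, XNR_VIOLATION, XNR_FAULT };

struct pte { bool present; bool is_code; };

struct xnr_state {
    struct pte pt[NPAGES];
    unsigned window[XNR_WINDOW];   /* ring of code pages currently present */
    unsigned next_evict;           /* FIFO slot that is replaced next */
    unsigned faults;               /* faults the handler had to service */
};

static unsigned page_of(uintptr_t addr) { return (unsigned)(addr >> PAGE_SHIFT); }

/* code_map[i] marks page i as code: data pages stay present, code pages start non-present. */
void xnr_init(struct xnr_state *s, const bool code_map[NPAGES]) {
    for (unsigned i = 0; i < NPAGES; i++) {
        s->pt[i].is_code = code_map[i];
        s->pt[i].present = !code_map[i];
    }
    for (unsigned i = 0; i < XNR_WINDOW; i++) s->window[i] = NO_PAGE;
    s->next_evict = 0;
    s->faults = 0;
}

/* Make a code page present, aging the oldest window entry out again. */
static void xnr_admit(struct xnr_state *s, unsigned pg) {
    unsigned victim = s->window[s->next_evict];
    if (victim != NO_PAGE) s->pt[victim].present = false;
    s->window[s->next_evict] = pg;
    s->pt[pg].present = true;
    s->next_evict = (s->next_evict + 1) % XNR_WINDOW;
}

/* Page-fault handler. Hardware reports only the faulting address and the
 * program counter; an instruction fetch is exactly the case where they coincide. */
static enum xnr_result xnr_fault(struct xnr_state *s, uintptr_t fault_addr, uintptr_t pc) {
    unsigned pg = page_of(fault_addr);
    s->faults++;
    if (!s->pt[pg].is_code) return XNR_FAULT;   /* ordinary fault on a data page, not XnR's concern */
    if (fault_addr == pc) {                     /* fetch: let execution continue */
        xnr_admit(s, pg);
        return XNR_OK;
    }
    return XNR_VIOLATION;                       /* code accessed as data: disclosure attempt */
}

/* One memory access as the MMU sees it: present pages never fault. */
static enum xnr_result xnr_access(struct xnr_state *s, uintptr_t addr, uintptr_t pc) {
    unsigned pg = page_of(addr);
    if (pg >= NPAGES) return XNR_FAULT;
    /* Caveat: a code page inside the window is readable by the hardware,
     * so the window is the residual exposure and must be kept small. */
    if (s->pt[pg].present) return XNR_OK;
    return xnr_fault(s, addr, pc);
}

enum xnr_result xnr_fetch(struct xnr_state *s, uintptr_t pc) { return xnr_access(s, pc, pc); }
enum xnr_result xnr_read(struct xnr_state *s, uintptr_t addr, uintptr_t pc) { return xnr_access(s, addr, pc); }

/* Constructed layout shared by the demo: pages 0-3 are code, 4-15 are data. */
static struct xnr_state demo;
void xnr_demo_reset(void) {
    bool code_map[NPAGES] = { true, true, true, true };   /* remaining entries are false */
    xnr_init(&demo, code_map);
}

int main(void) {
    xnr_demo_reset();
    printf("fetch page 0:             %d (0 = OK)\n", xnr_fetch(&demo, 0x0000));
    printf("read page 1 from page 0:  %d (1 = VIOLATION)\n", xnr_read(&demo, 0x1000, 0x0010));
    printf("fetch page 1, then 2:     %d %d\n", xnr_fetch(&demo, 0x1000), xnr_fetch(&demo, 0x2000));
    printf("page 0 evicted, read it:  %d (1 = VIOLATION)\n", xnr_read(&demo, 0x0000, 0x2000));
    printf("faults serviced so far:   %u\n", demo.faults);
    return 0;
}
```

The fault counter is the cost model: every time execution crosses into a code page outside the window the handler runs, which is why a window that is too small would hurt performance while a window that is too large widens the readable set.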


Cited By

  • (2023) What you can read is what you can't execute. Computers & Security, 10.1016/j.cose.2023.103377 (103377). Online publication date: Jul-2023
  • (2022) Generating Effective Software Obfuscation Sequences With Reinforcement Learning. IEEE Transactions on Dependable and Secure Computing 19:3 (1900-1917), 10.1109/TDSC.2020.3041655. Online publication date: 1-May-2022
  • (2022) Pagoda: Towards Binary Code Privacy Protection with SGX-based Execute-Only Memory. 2022 IEEE International Symposium on Secure and Private Execution Environment Design (SEED) (133-144), 10.1109/SEED55351.2022.00019. Online publication date: Sep-2022
  • (2022) SeBROP: blind ROP attacks without returns. Frontiers of Computer Science: Selected Publications from Chinese Universities 16:4, 10.1007/s11704-021-0342-8. Online publication date: 1-Aug-2022
  • (2022) AppBastion: Protection from Untrusted Apps and OSes on ARM. Computer Security – ESORICS 2022 (692-715), 10.1007/978-3-031-17146-8_34. Online publication date: 26-Sep-2022
  • (2021) Fast Intra-kernel Isolation and Security with IskiOS. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses (119-134), 10.1145/3471621.3471849. Online publication date: 6-Oct-2021
  • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security 24:4 (1-36), 10.1145/3462699. Online publication date: 2-Sep-2021
  • (2021) Software-driven Security Attacks: From Vulnerability Sources to Durable Hardware Defenses. ACM Journal on Emerging Technologies in Computing Systems 17:3 (1-38), 10.1145/3456299. Online publication date: 1-Aug-2021
  • (2021) AddrArmor: An Address-based Runtime Code-reuse Attack Mitigation for Shared Objects at the Binary-level. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom) (117-124), 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00029. Online publication date: Sep-2021
  • (2021) Punchcard: A Practical Red-Zone Based Scheme for Low-Overhead Heap Protection. 2021 IEEE 23rd Int Conf on High Performance Computing & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys) (405-414), 10.1109/HPCC-DSS-SmartCity-DependSys53884.2021.00078. Online publication date: Dec-2021

Published In

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].


Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. buffer overflows
  2. code reuse attacks
  3. information leaks
  4. memory disclosure exploits
  5. return-oriented programming

Qualifiers

  • Research-article

Conference

CCS'14

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
