Breaking and Fixing Destructive Code Read Defenses
This addresses security vulnerabilities in legacy software systems, offering a practical defense against code inference attacks.
The paper tackled the problem of bypassing destructive code read (DCR) defenses, which were believed to be strong when combined with code randomization, by demonstrating generic attacks that infer code layout regardless of randomization. It resulted in BGDX, a mitigation technique that combines DCR and execute-only memory for legacy binaries with only 3.95% performance overhead on SPEC.
Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common belief is that DCR provides strong protection if combined with a high-entropy code randomization. The contribution of this paper is twofold: first, we demonstrate that DCR can be bypassed regardless of the underlying code randomization scheme. To this end, we show novel, generic attacks that infer the code layout for highly randomized program code. Second, we present the design and implementation of BGDX (Byte-Granular DCR and XOM), a novel mitigation technique that protects legacy binaries against code inference attacks. BGDX enforces memory permissions on a byte-granular level allowing us to combine DCR and XOM for legacy, off-the-shelf binaries. Our evaluation shows that BGDX is not only effective, but highly efficient, imposing only a geometric mean performance overhead of 3.95% on SPEC.