Retrofitting XoM for Stripped Binaries without Embedded Data Relocation

Chenke Luo, Jiang Ming, Mengfei Xie, Guojun Peng, Jianming Fu

TL;DR

PXoM tackles memory-disclosure threats in stripped x86-64 binaries by retrofitting Execute-only Memory (XoM) without relocating embedded data. It achieves fine-grained, per-page permission control via Intel MPK, combined with a kernel-level Unidirectional Disassembly workflow, a new PXoM-aware ELF format, and a custom loader plus exception handler to distinguish legitimate data reads from disclosure attempts. The approach delivers strong JIT-ROP defense while incurring negligible runtime overhead (average ~0.25–0.36% in SPECweb/DB workloads and ~0.22–0.82% in OpenSSL-heavy scenarios) and high protection coverage across open-source and COTS binaries. PXoM’s real-world viability is reinforced by comprehensive security and performance evaluations, and its open-source artifacts enable reproducibility and practical adoption in conventional Linux environments.

Abstract

In this paper, we present PXoM, a practical technique to seamlessly retrofit XoM into stripped binaries on the x86-64 platform. As handling the mixture of code and data is a well-known challenge for XoM, most existing methods require the strict separation of code and data areas via either compile-time transformation or binary patching, so that the unreadable permission can be safely enforced at the granularity of memory pages. In contrast to previous approaches, we provide a fine-grained memory permission control mechanism to restrict the read permission of code while allowing legitimate data reads within code pages. This novelty enables PXoM to harden stripped binaries but without resorting to error-prone embedded data relocation. We leverage Intel's hardware feature, Memory Protection Keys, to offer an efficient fine-grained permission control. We measure PXoM's performance with both micro- and macro-benchmarks, and it only introduces negligible runtime overhead. Our security evaluation shows that PXoM leaves adversaries with little wiggle room to harvest all of the required gadgets, suggesting PXoM is practical for real-world deployment.

Paper Structure

This paper contains 45 sections, 3 equations, 18 figures, 10 tables, 1 algorithm.

Figures (18)

  • Figure 1: Overview of a typical JIT-ROP attack. Memory disclosure is the premise of a JIT-ROP attack.
  • Figure 2: Overview of PXoM.
  • Figure 3: The left side shows a code page containing embedded data. The middle section illustrates previous XoM based on coarse-grained memory permission control with precise disassembly. The right side depicts the effect of PXoM via fine-grained memory permission control with Unidirectional Disassembly.
  • Figure 4: Workflow of Unidirectional Disassembly strategy. The blue, green, and red sections represent code, embedded data, and the superset of embedded data, respectively. The left side shows a code section containing embedded data. The middle section illustrates the embedded data superset when only recursive traversal disassembly is conducted. The right side demonstrates the minimized embedded data superset after applying the full Unidirectional Disassembly strategy.
  • Figure 5: New ELF format for PXoM protected binary file.