Return to Where? You Can’t Exploit What You Can’t Find

So far, no countermeasure has been able to fully prevent sophisticated exploitation techniques such as return-oriented programming (ROP). Recent control-flow integrity (CFI) defenses from Google and Microsoft can be bypassed by constructing a ROP payload that adheres to the control-flow constraints or by exploiting implementation flaws to bypass the control-flow checks. Microsoft’s EMET has less overhead than full CFI but offers less protection in return, and can also be bypassed. Probabilistic countermeasures based on memory layout randomization (such as ASLR) are already in widespread use. As the Pwn2own competitions have repeatedly demonstrated, attackers can use various types of information leaks to bypass code randomization. To reduce the impact of information disclosure vulnerabilities, recent defenses utilize execute-only memory. However, executeonly memory alone is insufficient to prevent disclosure of the code layout. In particular, we show how to determine the code layout by analyzing pointers in the heap, in vtables, and on the stack without ever directly reading the code. This paper presents a comprehensive yet practical defense— Readactor—that counters both direct reading of code and indirect layout disclosure through analysis of code pointers. We employ a thin hypervisor and a kernel patch to enable hardware-enforced execute-only memory which prevents direct reading of code. Code pointers in readable memory are hidden by converting them into direct jumps stored in execute-only memory to prevent indirect disclosure of the code layout. Readactor is efficient because it activates previously unused hardware capabilities in modern x86 processors and is often faster than industry CFI implementations. Our solution is also highly practical; we were able to automatically apply our defense to the Chromium web browser. Finally, our solution is comprehensive; we also protect the dynamically generated code emitted by the V8 JavaScript JIT compiler.