ExOShim: preventing memory disclosure using execute-only kernel code Online publication date: Fri, 04-Mar-2022
by Scott Brookes; Robert Denz; Martin Osterloh; Stephen Taylor
International Journal of Information and Computer Security (IJICS), Vol. 17, No. 1/2, 2022
Abstract: Information leakage and memory disclosure are major threats to the security in modern computer systems. If an attacker is able to obtain the binary-code of an application, it is possible to reverse-engineer the source-code, uncover vulnerabilities, craft exploits, and patch together code-segments to produce code-reuse attacks. These issues are particularly concerning when the application is an operating system because they open the door to privilege-escalation and exploitation techniques that provide kernel-level access. This paper describes ExOShim: a 325-line, lightweight 'shim' layer, using Intel's commodity virtualisation features, that prevents memory disclosures by rendering all kernel code execute-only. This technology, when combined with non-deterministic refresh and load-time diversity, prevents disclosure of kernel code on time-scales that facilitate kernel-level exploit development. Additionally, it utilises self-protection and hiding techniques to guarantee its operation even when the attacker gains full root access. The proof-of-concept prototype described here has been demonstrated on a 64-bit microkernel. It is evaluated using metrics that quantify its code size and complexity, associated run-time performance costs, and its effectiveness in thwarting information leakage. ExOShim provides complete execute-only protection for kernel code at a runtime-performance overhead of only 0.86%. The concepts are general and could also be applied to other operating systems.
Existing subscribers:
Go to Inderscience Online Journals to access the Full Text of this article.
If you are not a subscriber and you just want to read the full contents of this article, buy online access here.Complimentary Subscribers, Editors or Members of the Editorial Board of the International Journal of Information and Computer Security (IJICS):
Login with your Inderscience username and password:
Want to subscribe?
A subscription gives you complete access to all articles in the current issue, as well as to all articles in the previous three years (where applicable). See our Orders page to subscribe.
If you still need assistance, please email subs@inderscience.com
Our Blog 
Follow us on Twitter 
Visit us on Facebook