ExOShim: Preventing Memory Disclosure using Execute-Only Kernel Code

Information leakage and memory disclosure are major threats to the security in modern computer systems. If an attacker is able to obtain the binary-code of an application, it is possible to reverseengineer the source-code, uncover vulnerabilities, craft exploits, and patch together code-segments to produce code-reuse attacks. These issues are particularly concerning when the application is an operating system because they open the door to privilegeescalation and exploitation techniques that provide kernel-level access. This paper describes ExOShim: a 325-line, lightweight “shim” layer, using Intel’s commodity virtualization features, that prevents memory disclosures by rendering all kernel code execute-only. This technology, when combined with nondeterministic refresh and load-time diversity, prevents disclosure of kernel code on time-scales that facilitate kernel-level exploit development. The proof-of-concept prototype described here has been demonstrated on a 64-bit microkernel. It is evaluated using metrics that quantify its code size and complexity, associated runtime performance costs, and its effectiveness in thwarting information leakage. ExOShim provides complete execute-only protection for kernel code at a runtime-performance overhead of only 0.86%. The concepts are general and can also be applied to render application code execute-only.