DISCONTINUATION OF PROJECT.
This project will no longer be maintained by Intel.
Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.
Intel no longer accepts patches to this project.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.
(eXecutable-Only Memory Switch)
xom-switch is the eXecutable-Only-Memory (XOM) enabling tool for x86 Linux system. It aims to mitigate code disclosure guided ROP attacks. This is is the 1st tool using Intel's Memory Protection Keys (MPK) feature for XOM enabling. xom-switch protects all code modules in the runtime including executable and dependent libraries without requiring source code or heavyweight binary translation/rewriting. xom-switch uses non-intrusive way to intercept program runtime by instrumenting program loader (ld.so).
BlackHat Asia 2018 Description and Presentation
xom-switch could run in Amazon AWS C5 Instance. Try it out!
Fedora 28 will support GOT protection in lazy binding using memory protection keys. Link1, Link2.
- Protect randomized code.
- Defend against JIT-ROP Attack.
- Defend against Hacking Blind Attack.
- LWN: Memory Protection Keys
- Intel's Memory Protection Keys Specification
- ARM's eXecutable-Only Memory
To run xom-switch properly, you need to have hardware and OS support first:
- Intel CPU with protection keys feature on, e.g, INTEL® XEON® SCALABLE PROCESSORS AND
- Linux kernel 4.9 or later. OR
- Use VM in AWS, choose Amazon Linux 2 LTS Candidate AMI 2017.12.0 (HVM) and then C5 Instance.
xom-switch requires two tools:
- common tools: bc, binutils, gcc, python 2.7
- radare2 (v2.3.0): a static binary analyzer, which could be found in here
xom-switch consists of three modules:
- binary rewriter: a static binary rewriter for x86 ELF binaries.
- patch: C code pieces (see tutorial to write your own instrumentation) that will be patched into program loader.
- analysis: analyzer/instrumentor of the program loader using radare2.
- install python 2.7 and radare2
- patch your loader:
src/analysis/patch-loader.sh /lib64/ld-linux-x86-64.so.2 /your/new/ld.so - copy your loader to system dir:
sudo mv /your/new/ld.so /lib64/ld-xom.so - patch your libc.so (optional):
src/analysis/patch-libc.sh /lib/x86_64-linux-gnu/libc.so.6 /your/new/libc.so
Note: patching your libc allows you to apply XOM to their child processes spawned through execve(2).
- apply XOM to your program:
/lib64/ld-xom.so /path/to/your/program - apply XOM to your program and its children:
LD_PRELOAD=/your/new/libc.so /lib64/ld-xom.so /path/to/your/program
This code is published under GPLv2 version.
This code is for demo purpose only and the status of code is beta.
xom-switch has known limitation in the following cases:
- When binaries has data embedded in the middle of code, xom-switch may crash. To avoid that xom-switch has a white list embedded in code. see
- Since code modules (exe and libs) are not compiled with XOM support, there would be at least two code pages (the 1st and last code page) for each module where code and data co-exist. xom-switch avoids the issue by marking them as readable and executable. In the future, we will solve that using static analysis.
- Support CentOS 7.2.
- Support CentOS 7.4.
- Support Ubuntu 16.04.
- Support Ubuntu 17.04.
- Support simple instrumentation like function interception.
- Support Amazon Linux 2 LTS Candidate AMI 2017.12.0 (HVM) C5 VM.
- Adding page fault handling to let go legitimate data read.