Execute-Only Attacks against Execute-Only Defenses

semanticscholar (2015)

Abstract
Execute-only defenses have been proposed as a way of mitigating information leakage attacks that have been widely used to bypass randomization-based memory corruption defenses. A recent technique, Readactor, provides one of the strongest implementations of execute-only defenses: it exploits novel hardware features to incorporate non-readable code to prevent direct information leakage, a layer of indirection to prevent indirect information leakage of pointers located on stack and heap, and code randomization as well as decoys to prevent brute-force attacks. In this paper, we demonstrate three novel attacks that can bypass Readactor as well as numerous other recent memory corruption defenses with various impacts. We analyze the prevalence of opportunities for such attacks in popular code bases and build two proof-of-concept exploits. Moreover, we implement countermeasures against our attacks in Readactor itself and discuss their implications. Our evaluations indicate that our countermeasures introduce only a modest additional overhead.
Keywords
Procedural programming,Relational database,Object-oriented programming,Software development,Relational database management system,Software engineering,Computer science