Touch but Don't Look - Running the Kernel in Execute Only Memory

Explore the concept of execute-only memory and its implementation in the Linux kernel through this informative conference talk from the Linux Plumbers Conference. Dive into the benefits of execute-only memory for protecting against code-reading attacks and its potential impact on kernel security. Learn about the novel implementation approach across QEMU, KVM, and the guest Linux Kernel, which involves manipulating physical address bits to create execute-only guest virtual memory. Discover the proposed APIs for utilizing execute-only memory in userspace and the necessary changes to the Linux kernel to support this feature. Gain insights into the challenges and considerations for running the kernel in execute-only memory, including code patterns that may need to be avoided in future kernel development. Understand the implications for features like KASLR, ASLR, and fine-grained ASLR, as well as the potential impact on performance and reliability.

Intro
Why use execute-only memory
Control flow attacks
JIT-ROP
Discovering text - XO is not a lock box
Mitigations: Cost vs Benefit
XO memory CPU support
Trick for XO memory for VMS (2)
Qemu/KVM implementation
Userspace XO support
X86 Kernel Text Permission Lifecycle
XB6 patching methods
So what broke?
Text patching features
Toolchain Mixing Data and Code
Performance
Making this reliable
XO faults
Implementing non-strict mode
Fixing guest page tables
Future - Not reading text as a new rule in the kernel?
Plans
Summary