diff --git a/src/libos/src/vm/user_space_vm.rs b/src/libos/src/vm/user_space_vm.rs
index 25ec94fa..7e01a1c5 100644
--- a/src/libos/src/vm/user_space_vm.rs
+++ b/src/libos/src/vm/user_space_vm.rs
@@ -19,11 +19,11 @@ impl UserSpaceVMManager {
     pub fn alloc(&self, size: usize) -> Result<UserSpaceVMRange> {
         let vm_range = unsafe {
             let ptr = sgx_alloc_rsrv_mem(size);
-            let perm = MemPerm::READ | MemPerm::WRITE | MemPerm::EXEC;
+            let perm = MemPerm::READ | MemPerm::WRITE;
             if ptr.is_null() {
                 return_errno!(ENOMEM, "run out of reserved memory");
             }
-            // Change the page permission to RWX
+            // Change the page permission to RW (default)
             assert!(sgx_tprotect_rsrv_mem(ptr, size, perm.bits()) == sgx_status_t::SGX_SUCCESS);
 
             let addr = ptr as usize;
diff --git a/src/libos/src/vm/vm_manager.rs b/src/libos/src/vm/vm_manager.rs
index bed22b57..a20906aa 100644
--- a/src/libos/src/vm/vm_manager.rs
+++ b/src/libos/src/vm/vm_manager.rs
@@ -319,7 +319,9 @@ impl VMManager {
             options.initializer.init_slice(buf)?;
         }
         // Set memory permissions
-        Self::apply_perms(&new_vma, new_vma.perms());
+        if !options.perms.is_default() {
+            Self::apply_perms(&new_vma, new_vma.perms());
+        }
 
         // After initializing, we can safely insert the new VMA
         self.insert_new_vma(insert_idx, new_vma);
@@ -371,7 +373,9 @@ impl VMManager {
                 Self::flush_file_vma(&intersection_vma);
 
                 // Reset memory permissions
-                Self::apply_perms(&intersection_vma, VMPerms::default());
+                if !&intersection_vma.perms().is_default() {
+                    Self::apply_perms(&intersection_vma, VMPerms::default());
+                }
 
                 vma.subtract(&intersection_vma)
             })
diff --git a/src/libos/src/vm/vm_perms.rs b/src/libos/src/vm/vm_perms.rs
index 8f1d5b2c..0c538841 100644
--- a/src/libos/src/vm/vm_perms.rs
+++ b/src/libos/src/vm/vm_perms.rs
@@ -6,7 +6,8 @@ bitflags! {
         const READ        = 0x1;
         const WRITE       = 0x2;
         const EXEC        = 0x4;
-        const ALL         = Self::READ.bits | Self::WRITE.bits | Self::EXEC.bits;
+        const DEFAULT     = Self::READ.bits | Self::WRITE.bits;
+        const ALL         = Self::DEFAULT.bits | Self::EXEC.bits;
     }
 }
 
@@ -26,10 +27,14 @@ impl VMPerms {
     pub fn can_execute(&self) -> bool {
         self.contains(VMPerms::EXEC)
     }
+
+    pub fn is_default(&self) -> bool {
+        self.bits == Self::DEFAULT.bits
+    }
 }
 
 impl Default for VMPerms {
     fn default() -> Self {
-        VMPerms::ALL
+        VMPerms::DEFAULT
     }
 }