SoK: Shining Light on Shadow Stacks

2019 IEEE Symposium on Security and Privacy (SP) Pub Date : 2018-11-07 DOI:10.1109/SP.2019.00076

N. Burow, Xinping Zhang, Mathias Payer

{"title":"SoK: Shining Light on Shadow Stacks","authors":"N. Burow, Xinping Zhang, Mathias Payer","doi":"10.1109/SP.2019.00076","DOIUrl":null,"url":null,"abstract":"Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibil- ity, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar’s deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios. Shadow stacks belong to the class of defense mechanisms that require metadata about the program’s state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX), and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-11-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"108","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00076","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 108

Abstract

Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibil- ity, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar’s deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios. Shadow stacks belong to the class of defense mechanisms that require metadata about the program’s state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX), and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.

查看原文本刊更多论文

SoK:照亮暗影堆叠

控制流劫持攻击是针对C/ c++程序的主要攻击向量。控制流完整性(CFI)解决方案在前端减轻了这些攻击，即通过函数指针和虚拟调用进行间接调用。保护后边缘留给了堆栈金丝雀，这很容易通过信息泄漏绕过。阴影堆栈是一个完全精确的机制来保护后边缘，并应部署与CFI缓解。我们提出了一个全面的分析所有可能的影子堆栈机制沿着三个轴:性能，兼容性和安全性。为了进行性能比较，我们使用SPEC CPU2006，同时对安全性和兼容性进行定性分析。根据我们的研究，我们重新调用了利用专用寄存器的影子堆栈设计，导致低性能开销和最小的内存开销，但牺牲了兼容性。我们介绍了在Phoronix和Apache上实现这种设计Shadesmar的案例研究，以演示将通用寄存器专用于现代架构上的安全监视器的可行性，以及Shadesmar的可部署性。我们的综合分析，包括对我们新颖设计的详细案例研究，允许编译器设计者和实践者为不同的使用场景选择正确的影子堆栈设计。影子堆栈属于一类需要有关程序状态的元数据来执行其防御策略的防御机制。为已部署的缓解保护此元数据需要在进程内隔离虚拟地址空间的一段。这类先前的防御工作依赖于信息隐藏来保护元数据。通过重新利用两个新的Intel x86扩展来实现内存保护(MPX)和页表控制(MPK)，我们证明了更强的保证是可能的。在MPX和MPK隔离工作的基础上，我们提出了支持进程内内存隔离的专用硬件机制的设计要求，并讨论了这种机制如何支持依赖进程中部分隔离信息的下一波高精度软件安全缓解。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量