Buddy Stacks: Protecting Return Addresses with Efficient Thread-Local Storage and Runtime Re-Randomization

Changwei Zou, Xudong Wang, Yaoqing Gao, Jingling Xue
DOI: 10.1145/3494516 (https://doi.org/10.1145/3494516)
Journal: ACM Transactions on Software Engineering and Methodology (TOSEM); volume: 16 1; pages: 1-37
Publication date: 2022-03-04 (journal article)
Indexed via: Semantic Scholar
Citations: 3

Abstract

Shadow stacks play an important role in protecting return addresses to mitigate ROP attacks. Parallel shadow stacks, which shadow the call stack of each thread at the same constant offset for all threads, are known not to support multi-threading well. On the other hand, compact shadow stacks must maintain a separate shadow stack pointer in thread-local storage (TLS), which can be implemented in terms of a register or the per-thread Thread-Control-Block (TCB), suffering from poor compatibility in the former or high performance overhead in the latter. In addition, shadow stacks are vulnerable to information disclosure attacks. In this paper, we propose to mitigate ROP attacks for single- and multi-threaded server programs running on general-purpose computing systems by using a novel stack layout, called a buddy stack (referred to as Bustk), that is highly performant, compatible with existing code, and provides meaningful security. These goals are met due to three novel design aspects in Bustk. First, Bustk places a parallel shadow stack just below a thread’s call stack (as each other’s buddies allocated together), avoiding the need to maintain a separate shadow stack pointer and making it now well-suited for multi-threading. Second, Bustk uses an efficient stack-based thread-local storage mechanism, denoted STK-TLS, to store thread-specific metadata in two TLS sections just below the shadow stack in dual redundancy (as each other’s buddies), so that both can be accessed and updated in a lightweight manner from the call stack pointer rsp alone. Finally, Bustk re-randomizes continuously (on the order of milliseconds) the return addresses on the shadow stack by using a new microsecond-level runtime re-randomization technique, denoted STK-MSR. This mechanism aims to obsolete leaked information, making it extremely unlikely for the attacker to hijack return addresses, particularly against a server program that often sits tens of milliseconds away from the attacker.
Our evaluation using web servers, Nginx and Apache Httpd, shows that Bustk works well in terms of performance, compatibility, and security provided, with its parallel shadow stacks incurring acceptable memory overhead for real-world applications and its STK-TLS mechanism costing only two pages per thread. In particular, Bustk can protect the Nginx and Apache servers with an adaptive 1-ms re-randomization policy (without observable overheads when IO is intensive, with about 17,000 requests per second). In addition, we have also evaluated Bustk using other non-server applications, Firefox, Python, LLVM, JDK and SPEC CPU2006, to demonstrate further the same degree of performance and compatibility provided, but the protection provided for, say, browsers, is weaker (since network-access delays can no longer be assumed).
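The following C model, added here and not the paper's own code, illustrates the three design points of the abstract for one thread: a parallel shadow stack at a constant offset below the call stack, two redundant TLS pages located from rsp alone, and a re-randomization pass that makes a leaked shadow-stack snapshot stale. The region sizes, the XOR re-keying that stands in for STK-MSR (the abstract does not describe its internals), and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of one thread's buddy-stack region (sizes assumed), one REGION-aligned
 * block laid out low to high: [TLS copy A][TLS copy B][parallel shadow stack][call stack].
 * Everything is reachable from rsp alone: the shadow slot of a frame is rsp - SHADOW_OFF and
 * the two TLS pages sit at the region base, i.e. rsp rounded down to a REGION boundary. */
#define PAGE       4096u
#define REGION     (4u * PAGE)
#define SHADOW_OFF PAGE
typedef struct { uint64_t key; } stk_tls_t;        /* per-thread metadata kept in STK-TLS */
typedef struct { uint8_t *base, *rsp; } thread_t;  /* rsp grows downward */

static uint8_t *region_of(const uint8_t *rsp) { return (uint8_t *)((uintptr_t)rsp & ~(uintptr_t)(REGION - 1)); }
static uint64_t *shadow_slot(uint8_t *rsp) { return (uint64_t *)(rsp - SHADOW_OFF); }
static stk_tls_t *tls(uint8_t *rsp, int copy) { return (stk_tls_t *)(region_of(rsp) + copy * PAGE); }
/* Dual redundancy: the key is trusted only if both TLS copies agree. */
static int key_of(uint8_t *rsp, uint64_t *key) { *key = tls(rsp, 0)->key; return *key == tls(rsp, 1)->key; }

static thread_t thread_create(uint64_t key) {      /* in practice the key comes from a CSPRNG */
    thread_t t = { aligned_alloc(REGION, REGION), NULL };
    if (!t.base) abort();
    memset(t.base, 0, REGION);
    t.rsp = t.base + REGION - 8;                    /* top slot reserved so rsp stays inside the region */
    tls(t.rsp, 0)->key = tls(t.rsp, 1)->key = key;
    return t;
}
static void push_ret(thread_t *t, uint64_t ret) {  /* what `call` stores, plus its key-masked buddy copy */
    t->rsp -= 8;
    *(uint64_t *)t->rsp = ret;
    *shadow_slot(t->rsp) = ret ^ tls(t->rsp, 0)->key;
}
/* Returns 1 and the address if call and shadow stacks agree, 0 if the slot was tampered with. */
static int pop_ret(thread_t *t, uint64_t *ret) {
    uint64_t key, live = *(uint64_t *)t->rsp;
    if (!key_of(t->rsp, &key) || live != (*shadow_slot(t->rsp) ^ key)) return 0;
    *ret = live;
    t->rsp += 8;
    return 1;
}
/* STK-MSR analogue (the abstract gives no internals; XOR re-keying is an assumed scheme):
 * re-encode every live shadow entry under a fresh key so a leaked snapshot goes stale. */
static int rerandomize(thread_t *t, uint64_t new_key) {
    uint64_t old;
    if (!key_of(t->rsp, &old)) return 0;
    for (uint8_t *p = t->rsp; p < t->base + REGION - 8; p += 8) *shadow_slot(p) ^= old ^ new_key;
    tls(t->rsp, 0)->key = tls(t->rsp, 1)->key = new_key;
    return 1;
}
```

The model keeps the abstract's cost figure of two TLS pages per thread and shows why no separate shadow stack pointer is needed; real Bustk also has to handle signal frames, stack switching and the kernel-side setup, which this sketch omits.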