SoK: Shining Light on Shadow Stacks
| Published in: | Proceedings - IEEE Symposium on Security and Privacy, pp. 985-999 |
|---|---|
| Main authors: | Nathan Burow, Xinping Zhang, Mathias Payer |
| Format: | Conference proceedings |
| Language: | English |
| Published: | IEEE, 01.05.2019 |
| ISSN: | 2375-1207 |
| Online access: | Full text |
| Abstract | Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backward edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar's deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios. Shadow stacks belong to the class of defense mechanisms that require metadata about the program's state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX), and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process. |
|---|---|
| Authors | Nathan Burow (Purdue University), Xinping Zhang (Purdue University), Mathias Payer (EPFL) |
| ContentType | Conference Proceeding |
| DOI | 10.1109/SP.2019.00076 |
| Discipline | Computer Science |
| EISBN | 9781538666609 (153866660X) |
| EISSN | 2375-1207 |
| EndPage | 999 |
| ExternalDocumentID | 8835389 |
| Genre | orig-research |
| ISICitedReferencesCount | 113 |
| OpenAccessLink | https://ieeexplore.ieee.org/ielx7/8826229/8835208/08835389.pdf |
| PageCount | 15 |
| PublicationDate | 2019-05-01 (May 2019) |
| PublicationTitle | Proceedings - IEEE Symposium on Security and Privacy |
| PublicationTitleAbbrev | SP |
| PublicationYear | 2019 |
| Publisher | IEEE |
| StartPage | 985 |
| SubjectTerms | C++ languages, control-flow-hijacking, control-flow-integrity, language-based-security, Metadata, Optimization, Payloads, Registers, return-oriented-programming, Security, shadow-stacks, Software |
| Title | SoK: Shining Light on Shadow Stacks |
| URI | https://ieeexplore.ieee.org/document/8835389 |
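The abstract's central claim is that a stack canary is defeated by an information leak while a shadow stack is not, because the shadow stack compares the return address against a copy kept outside the corruptible frame. The following is an added example by the editor, not code from the paper or from Shadesmar: a software model of one x86-64-style frame (local buffer, canary, saved frame pointer, return address) on a simulated native stack, beside a separate shadow stack whose top-of-stack index stands in for the dedicated register the paper argues for. The frame layout, the return address `LEGIT_RET`, the gadget address `GADGET`, the canary value and the function names are all constructed for this illustration; real canaries are random per process, and the model does not isolate the shadow region itself, which is the MPX/MPK problem the abstract goes on to address.

```c
/* Added example (editor's code, not from the paper): canary vs. shadow stack
 * against a return-address overwrite, with and without a leaked canary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_WORDS    4                 /* local buffer, in 8-byte words */
#define STACK_WORDS  64
#define SHADOW_WORDS 64

/* Constructed frame layout, low to high address: buf, canary, saved rbp, ret. */
#define IDX_CANARY   (BUF_WORDS)
#define IDX_RBP      (BUF_WORDS + 1)
#define IDX_RET      (BUF_WORDS + 2)
#define FRAME_WORDS  (BUF_WORDS + 3)

#define LEGIT_RET 0x401234ULL          /* constructed legitimate return site */
#define GADGET    0x4010c3ULL          /* constructed attacker target */
#define CANARY    0x5a3c00ff1d2e4b00ULL /* constructed; real canaries are random */

typedef struct { uint64_t mem[STACK_WORDS]; int sp; } native_stack_t;
/* 'top' plays the role of a dedicated shadow-stack register: it is never
 * addressable from the simulated native stack memory. */
typedef struct { uint64_t slots[SHADOW_WORDS]; int top; } shadow_stack_t;

/* Prologue: lay out a frame and mirror the return address onto the shadow stack. */
static int do_call(native_stack_t *ns, shadow_stack_t *ss, uint64_t ret_addr)
{
    if (ns->sp + FRAME_WORDS > STACK_WORDS || ss->top >= SHADOW_WORDS)
        return -1;
    uint64_t *f = &ns->mem[ns->sp];
    memset(f, 0, BUF_WORDS * sizeof f[0]);
    f[IDX_CANARY] = CANARY;
    f[IDX_RBP]    = (uint64_t)ns->sp;
    f[IDX_RET]    = ret_addr;
    ss->slots[ss->top++] = ret_addr;
    ns->sp += FRAME_WORDS;
    return 0;
}

/* The bug: an unbounded copy into the local buffer that runs over the
 * canary, saved rbp and return address of the current frame. */
static void vulnerable_copy(native_stack_t *ns, const uint64_t *src, int n)
{
    uint64_t *buf = &ns->mem[ns->sp - FRAME_WORDS];
    for (int i = 0; i < n; i++)
        buf[i] = src[i];
}

/* Epilogue with a canary only. Returns the address control transfers to,
 * or 0 when the check aborts (the __stack_chk_fail case). */
static uint64_t ret_canary_only(native_stack_t *ns)
{
    uint64_t *f = &ns->mem[ns->sp - FRAME_WORDS];
    ns->sp -= FRAME_WORDS;
    return f[IDX_CANARY] == CANARY ? f[IDX_RET] : 0;
}

/* Epilogue with a shadow stack: pop the mirrored copy and compare it to the
 * return address in the frame. A mismatch is detected whatever the attacker
 * knows, because the copy was never inside the overflowed frame. */
static uint64_t ret_shadow(native_stack_t *ns, shadow_stack_t *ss)
{
    uint64_t *f = &ns->mem[ns->sp - FRAME_WORDS];
    uint64_t expected = ss->slots[--ss->top];
    ns->sp -= FRAME_WORDS;
    return f[IDX_RET] == expected ? expected : 0;
}

/* One call/return round. smash=1 overwrites the frame up to and including
 * the return address; attacker_knows_canary=1 models an information leak
 * that lets the payload restore the canary while still replacing ret. */
uint64_t run_return(int use_shadow, int smash, int attacker_knows_canary)
{
    native_stack_t ns = {{0}, 0};
    shadow_stack_t ss = {{0}, 0};
    if (do_call(&ns, &ss, LEGIT_RET) != 0)
        return 0;
    if (smash) {
        uint64_t payload[FRAME_WORDS];
        for (int i = 0; i < FRAME_WORDS; i++)
            payload[i] = 0x4141414141414141ULL;
        if (attacker_knows_canary)
            payload[IDX_CANARY] = CANARY;
        payload[IDX_RET] = GADGET;
        vulnerable_copy(&ns, payload, FRAME_WORDS);
    }
    return use_shadow ? ret_shadow(&ns, &ss) : ret_canary_only(&ns);
}

int main(void)
{
    printf("benign return, canary:        %#llx\n", (unsigned long long)run_return(0, 0, 0));
    printf("smash, canary not leaked:     %#llx\n", (unsigned long long)run_return(0, 1, 0));
    printf("smash, canary leaked:         %#llx\n", (unsigned long long)run_return(0, 1, 1));
    printf("smash, shadow stack, leaked:  %#llx\n", (unsigned long long)run_return(1, 1, 1));
    return 0;
}
```

With the canary alone, a blind overflow is caught, but once the canary value has leaked the payload restores it and control transfers to `GADGET`; the shadow-stack epilogue rejects the same payload because the mirrored return address lives outside the frame. In the model that separation is just a second array; in a deployed design the shadow region must itself be protected from arbitrary writes, which is why the paper turns to MPX and MPK rather than information hiding.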