ABSTRACT
Control-flow defenses against ROP either use strict, expensive, but strong protection against redirected RET instructions with shadow stacks, or much faster but weaker protection without them. In this work we study the inherent overheads of shadow stack schemes. We find that the overhead is roughly 10% for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly lower: 3.5%. Our measurements suggest it will not be easy to improve performance further on current x86 processors, due to inherent costs associated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives.
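The difference between the two schemes the abstract contrasts is easiest to see in a small model. The C program below is an added example, not the paper's instrumentation or measurement code: it simulates a word-sized program stack, implements the call/return bookkeeping of a traditional shadow stack (separate storage plus its own shadow stack pointer) next to a parallel shadow stack (a copy of each return address at a constant offset from the stack slot), counts the memory loads and stores each scheme adds per call and return, and shows that both reject a return whose saved address was overwritten. The stack layout, the constant offset, the return and gadget addresses, and the assumption that the traditional shadow stack pointer lives in memory are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of two shadow-stack schemes (added example, not the paper's
 * instrumentation).  Program stack: mem[0..STACK_WORDS).  Parallel shadow region: the
 * same size at a constant offset, so slot i is mirrored at mem[i + SHADOW_OFFSET].
 * The traditional scheme keeps a separate array plus its own pointer (ssp).  The
 * counters assume a shadow stack pointer that lives in memory (illustrative assumption;
 * a register-resident pointer would count differently). */
#define STACK_WORDS   64
#define SHADOW_OFFSET STACK_WORDS

typedef struct {
    uint64_t mem[2 * STACK_WORDS]; /* program stack followed by parallel shadow region */
    int      sp;                   /* program stack top; grows toward index 0 */
    uint64_t shadow[STACK_WORDS];  /* traditional shadow stack storage */
    int      ssp;                  /* traditional shadow stack pointer */
    int      loads, stores;        /* memory traffic added by the instrumentation */
} machine_t;

static machine_t M;                /* the simulated machine; reset by run_scenario */

/* CALL pushes the return address; this store exists with or without a shadow stack. */
static void do_call(machine_t *m, uint64_t ret) { m->mem[--m->sp] = ret; }

/* Traditional prologue: ret = [sp]; shadow[ssp] = ret; ssp++ */
static void prologue_traditional(machine_t *m) {
    uint64_t ret = m->mem[m->sp];  m->loads++;
    int ssp = m->ssp;              m->loads++;   /* pointer read from memory */
    m->shadow[ssp] = ret;          m->stores++;
    m->ssp = ssp + 1;              m->stores++;  /* pointer written back */
}

/* Traditional epilogue: ssp--; compare [sp] with shadow[ssp]; pop.  0 = ok, -1 = mismatch. */
static int epilogue_traditional(machine_t *m) {
    int ssp = m->ssp - 1;                m->loads++;
    uint64_t expected = m->shadow[ssp];  m->loads++;
    uint64_t actual = m->mem[m->sp++];   m->loads++;
    m->ssp = ssp;                        m->stores++;
    return expected == actual ? 0 : -1;
}

/* Parallel prologue: ret = [sp]; [sp + SHADOW_OFFSET] = ret.  No pointer to maintain. */
static void prologue_parallel(machine_t *m) {
    uint64_t ret = m->mem[m->sp];          m->loads++;
    m->mem[m->sp + SHADOW_OFFSET] = ret;   m->stores++;
}

/* Parallel epilogue: compare [sp] with [sp + SHADOW_OFFSET]; pop.  0 = ok, -1 = mismatch. */
static int epilogue_parallel(machine_t *m) {
    uint64_t expected = m->mem[m->sp + SHADOW_OFFSET];  m->loads++;
    uint64_t actual = m->mem[m->sp++];                  m->loads++;
    return expected == actual ? 0 : -1;
}

/* Loads plus stores the instrumentation added during the last run_scenario call. */
int instrumentation_ops(void) { return M.loads + M.stores; }

/* Two nested calls, optionally a linear overflow that overwrites the innermost saved
 * return address with a gadget address (constructed values), then two returns.
 * Returns how many of the returns the shadow check rejected. */
int run_scenario(int parallel, int smash) {
    const uint64_t ret_a = 0x401000u, ret_b = 0x401234u, gadget = 0xdeadbeefu;
    machine_t *m = &M;
    int rejected = 0;

    memset(m, 0, sizeof *m);
    m->sp = STACK_WORDS;                       /* empty stack */
    do_call(m, ret_a); if (parallel) prologue_parallel(m); else prologue_traditional(m);
    do_call(m, ret_b); if (parallel) prologue_parallel(m); else prologue_traditional(m);
    if (smash) m->mem[m->sp] = gadget;         /* overflow reached only the program-stack slot */
    for (int i = 0; i < 2; i++) {
        int rc = parallel ? epilogue_parallel(m) : epilogue_traditional(m);
        if (rc != 0) rejected++;
    }
    return rejected;
}

int main(void) {
    for (int parallel = 0; parallel < 2; parallel++) {
        int clean = run_scenario(parallel, 0), ops = instrumentation_ops();
        int smashed = run_scenario(parallel, 1);
        printf("%-11s: %d rejected when clean, %d when smashed, %d instrumentation memory ops for 2 calls + 2 returns\n",
               parallel ? "parallel" : "traditional", clean, smashed, ops);
    }
    return 0;
}
```

In this model the traditional scheme spends 16 extra memory operations on two calls and two returns and the parallel scheme 8, because the parallel scheme addresses its shadow copy relative to the stack pointer it already has and never loads or updates a second pointer; the paper's 10% versus 3.5% are whole-benchmark measurements, not these counts. Both schemes only detect the corruption because the overflow reaches the program-stack slot and not the shadow copy; a parallel shadow region at a fixed offset is a known address, so its protection depends on the attacker lacking a write that reaches it.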
The Performance Cost of Shadow Stacks and Stack Canaries