research-article

The Performance Cost of Shadow Stacks and Stack Canaries

Authors:
Thurston H.Y. Dang

University of California, Berkeley, Berkeley, CA, USA

University of California, Berkeley, Berkeley, CA, USA
View Profile

,
Petros Maniatis

Google Inc., Mountain View, CA, USA

Google Inc., Mountain View, CA, USA
View Profile

,
David Wagner

University of California, Berkeley, Berkeley, CA, USA

University of California, Berkeley, Berkeley, CA, USA
View Profile

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications SecurityApril 2015Pages 555–566https://doi.org/10.1145/2714576.2714635

Published:14 April 2015Publication History

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Pages 555–566

ABSTRACT

Control flow defenses against ROP either use strict, expensive, but strong protection against redirected RET instructions with shadow stacks, or much faster but weaker protections without. In this work we study the inherent overheads of shadow stack schemes. We find that the overhead is roughly 10% for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly less: 3.5%. Our measurements suggest it will not be easy to improve performance on current x86 processors further, due to inherent costs associated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives.

References

Itanium(R) Processor Family Performance Advantages: Register Stack Architecture. https://software.intel.com/en-us/articles/itaniumr-processor-family-performance-advantages-register-stack-architecture, October 2008.Google Scholar
SPEC CPU2006: Read Me First. http://www.spec.org/cpu2006/Docs/readme1st.html, September 2011.Google Scholar
Software Optimization Guide for AMD Family 15h Processors. January 2012.Google Scholar
ARM Information Center. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0439d/Chdedegj.html, September 2013.Google Scholar
Emerging 'Stack Pivoting' Exploits Bypass Common Security. http://blogs.mcafee.com/mcafee-labs/emerging-stack-pivoting-exploits-bypass-common-security, May 2013.Google Scholar
Intel(R) 64 and IA-32 Architectures Optimization Reference Manual. March 2014.Google Scholar
M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-flow integrity principles, implementations, and applications. TISSEC, 2009. Google ScholarDigital Library
A. Baratloo, N. Singh, and T. K. Tsai. Transparent Run-Time Defense Against Stack-Smashing Attacks. In USENIX ATC, 2000. Google ScholarDigital Library
S. Bhatkar, D. C. DuVarney, and R. Sekar. Efficient Techniques for Comprehensive Protection from Memory Error Exploits. In USENIX Security, 2005. Google ScholarDigital Library
S. Bird, A. Phansalkar, L. K. John, A. Mericas, and R. Indukuru. Performance Characterization of SPEC CPU Benchmarks on Intel's Core Microarchitecture Based Processor. In SPEC Benchmark Workshop, 2007.Google Scholar
T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In CCS, 2011. Google ScholarDigital Library
M. Budiu, Ú. Erlingsson, and M. Abadi. Architectural support for software-based protection. In Proceedings of the 1st workshop on Architectural and system support for improving software dependability, 2006. Google ScholarDigital Library
N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In USENIX Security, 2014. Google ScholarDigital Library
S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In CCS, 2010. Google ScholarDigital Library
T.-c. Chiueh and F.-H. Hsu. RAD: A compile-time solution to buffer over flow attacks. In ICDCS, 2001. Google ScholarDigital Library
M. L. Corliss, E. C. Lewis, and A. Roth. Using DISE to protect return addresses from attack. ACM SIGARCH Computer Architecture News, 2005. Google ScholarDigital Library
C. Dahn and S. Mancoridis. Using program transformation to secure C programs against buffer over flows. In 20th Working Conference on Reverse Engineering, 2003. Google ScholarDigital Library
L. Davi, P. Koeberl, and A.-R. Sadeghi. Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation. In DAC, 2014. Google ScholarDigital Library
L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX Security, 2014. Google ScholarDigital Library
L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In CCS, 2011. Google ScholarDigital Library
Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, 2006. Google ScholarDigital Library
A. Fog. The microarchitecture of Intel, AMD and VIA CPUs. www.agner.org/optimize/microarchitecture.pdf, August 2014.Google Scholar
M. Frantzen and M. Shuey. StackGhost: Hardware Facilitated Stack Protection. In USENIX Security, 2001. Google ScholarDigital Library
E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In IEEE S&P, 2014.Google Scholar
S. Gupta, P. Pratap, H. Saran, and S. Arun-Kumar. Dynamic code instrumentation to detect and recover from return address corruption. In International workshop on Dynamic systems analysis, 2006. Google ScholarDigital Library
K. Inoue. Lock and Unlock: A Data Management Algorithm for A Security-Aware Cache. In ICECS, 2006.Google ScholarCross Ref
C. Isen and L. John. On the object orientedness of c++ programs in spec cpu 2006. In SPEC Benchmark Workshop, 2008.Google Scholar
W.-F. Kao and S. F. Wu. Light-weight Hardware Return Address and Stack Frame Tracking to Prevent Function Return Address Attack. In International Conference on Computational Science and Engineering. Google ScholarDigital Library
V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-Pointer Integrity. In OSDI, 2014. Google ScholarDigital Library
R. B. Lee, D. K. Karig, J. P. McGregor, and Z. Shi. Enlisting hardware architecture to thwart malicious code injection. In Security in Pervasive Computing. 2004.Google ScholarCross Ref
A. J. Mashtizadeh, A. Bittau, D. Mazières, and D. Boneh. Cryptographically enforced control flow integrity. In arXiv:1408.1451, 2014.Google Scholar
H. Massalin. Superoptimizer: a look at the smallest program. In ACM SIGPLAN Notices, 1987. Google ScholarDigital Library
S. McCamant and G. Morrisett. Evaluating SFI for a CISC Architecture. In USENIX Security, 2006. Google ScholarDigital Library
T. Mytkowicz, A. Diwan, M. Hauswirth, and P. F. Sweeney. Producing wrong data without doing anything obviously wrong! In ASPLOS, 2009. Google ScholarDigital Library
D. Nebenzahl, M. Sagiv, and A. Wool. Install-time vaccination of Windows executables to defend against stack smashing attacks. Dependable and Secure Computing, IEEE Transactions on, 2006. Google ScholarDigital Library
A. One. Smashing the stack for fun and profit. Phrack magazine, 1996.Google Scholar
P. O'Sullivan, K. Anand, A. Kotha, M. Smithson, R. Barua, and A. D. Keromytis. Retrofitting security in COTS software with binary rewriting. In Future Challenges in Security and Privacy for Academia and Industry. 2011.Google ScholarCross Ref
H. Ozdoganoglu, T. Vijaykumar, C. E. Brodley, B. A. Kuperman, and A. Jalote. SmashGuard: A hardware solution to prevent security attacks on the function return address. Computers, IEEE Transactions on, 2006. Google ScholarDigital Library
S.-H. Park, Y.-J. Han, S.-J. Hong, H.-C. Kim, and T.-M. Chung. The dynamic buffer over flow detection and prevention tool for windows executables using binary rewriting. In The 9th International Conference on Advanced Communication Technology, 2007.Google ScholarCross Ref
M. Payer and T. R. Gross. Fine-grained user-space security through virtualization. In VEE, 2011. Google ScholarDigital Library
M. Payer, T. Hartmann, and T. R. Gross. Safe loading-a foundation for secure execution of untrusted programs. In IEEE S&P, 2012. Google ScholarDigital Library
M. Prasad and T.-c. Chiueh. A Binary Rewriting Defense Against Stack based Buffer Over flow Attacks. In USENIX ATC, 2003.Google Scholar
K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. AddressSanitizer: A Fast Address Sanity Checker. In USENIX ATC, 2012. Google ScholarDigital Library
H. Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In CCS, 2007. Google ScholarDigital Library
S. Sidiroglou, G. Giovanidis, and A. D. Keromytis. A dynamic mechanism for recovering from buffer over flow attacks. In Information security. 2005. Google ScholarDigital Library
S. Sinnadurai, Q. Zhao, and W. fai Wong. Transparent runtime shadow stack: Protection against malicious return address modifications. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.120.5702&rep=rep1&type=pdf, 2008.Google Scholar
L. Szekeres, M. Payer, T. Wei, and D. Song. SoK: Eternal war in memory. In IEEE S&P, 2013. Google ScholarDigital Library
C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-flow integrity in gcc & llvm. In USENIX Security, 2014. Google ScholarDigital Library
Vendicator. Stack Shield. http://www.angelfire.com/sk/stackshield/info.html, 2000.Google Scholar
P. Wagle and C. Cowan. Stackguard: Simple stack smash protection for gcc. In GCC Developers Summit, 2003.Google Scholar
R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In SOSP, 1993. Google ScholarDigital Library
J. Xu, Z. Kalbarczyk, S. Patel, and R. K. Iyer. Architecture support for defending against buffer over flow attacks. In Workshop on Evaluating and Architecting Systems for Dependability, 2002.Google Scholar
C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity and randomization for binary executables. In IEEE S&P, 2013. Google ScholarDigital Library
M. Zhang, R. Qiao, N. Hasabnis, and R. Sekar. A platform for secure static binary instrumentation. In VEE, 2014. Google ScholarDigital Library
M. Zhang and R. Sekar. Control Flow Integrity for COTS Binaries. In USENIX Security, 2013. Google ScholarDigital Library

Index Terms

The Performance Cost of Shadow Stacks and Stack Canaries
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Practical Software-Based Shadow Stacks on x86-64
Control-Flow Integrity (CFI) techniques focus often on protecting forward edges and assume that backward edges are protected by shadow stacks. However, software-based shadow stacks that can provide performance, security, and compatibility are still hard ...
Read More
Buddy Stacks: Protecting Return Addresses with Efficient Thread-Local Storage and Runtime Re-Randomization
Shadow stacks play an important role in protecting return addresses to mitigate ROP attacks. Parallel shadow stacks, which shadow the call stack of each thread at the same constant offset for all threads, are known not to support multi-threading well. On ...
Read More
PESC: A Per System-Call Stack Canary Design for Linux Kernel
CODASPY '20: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy

Stack canary is the most widely deployed defense technique against stack buffer overflow attacks. However, since its proposition, the design of stack canary has very few improvements during the past 20 years, making it vulnerable to new and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015
698 pages
ISBN:9781450332453
DOI:10.1145/2714576
General Chairs:
Feng Bao
Huawei Technologies Pte Ltd, Singapore
,
Steven Miller
Singapore Management University, Singapore
,
Program Chairs:
Jianying Zhou
Institute for Infocomm Research, Singapore
,
Gail-Joon Ahn
Arizona State University, USA
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 April 2015
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
shadow stack
stack canary
stack cookie
Qualifiers
- research-article
Conference

Acceptance Rates
ASIA CCS '15 Paper Acceptance Rate48of269submissions,18%Overall Acceptance Rate418of2,322submissions,18%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 139
  Total Citations
  View Citations
- 1,141
  Total Downloads
- Downloads (Last 12 months)193
- Downloads (Last 6 weeks)18
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

The Performance Cost of Shadow Stacks and Stack Canaries

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Practical Software-Based Shadow Stacks on x86-64

Buddy Stacks: Protecting Return Addresses with Efficient Thread-Local Storage and Runtime Re-Randomization

PESC: A Per System-Call Stack Canary Design for Linux Kernel