SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by...
34
SoK: Shining Light on Shadow Stacks Nathan Burow, Xinping Zhang, Mathias Payer
Transcript of SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by...
![Page 1: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/1.jpg)
SoK: Shining Light on Shadow Stacks
NathanBurow,XinpingZhang,MathiasPayer
![Page 2: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/2.jpg)
Control-Flow Hijacking (CFH)
• Microsoft:70%ofbugsarememorycorruptions
• ControlandDataPlanesareinterleaved
• MemorycorruptionàControl-FlowHijacking
2Data CodePointer
![Page 3: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/3.jpg)
Control-Flow Hijacking (CFH)
• Microsoft:70%ofbugsarememorycorruptions
• ControlandDataPlanesareinterleaved
• MemorycorruptionàControl-FlowHijacking
3Data CodePointer
![Page 4: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/4.jpg)
Forward Edge
• Functionpointers;virtualcalls
• Control-FlowIntegrity(CFI)–staticallycalculatestargetsets
4
![Page 5: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/5.jpg)
Forward Edge
• Functionpointers;virtualcalls
• Control-FlowIntegrity(CFI)–staticallycalculatestargetsets
5
fptr()
![Page 6: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/6.jpg)
Forward Edge
• Functionpointers;virtualcalls
• Control-FlowIntegrity(CFI)–staticallycalculatestargetsets
6
fptr()
![Page 7: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/7.jpg)
Backward Edge
• ReturnInstructions• DoesCFIstyleanalysiswork?
7
![Page 8: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/8.jpg)
Backward Edge
• ReturnInstructions• DoesCFIstyleanalysiswork?
8
ret
![Page 9: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/9.jpg)
Backward Edge
• ReturnInstructions• DoesCFIstyleanalysiswork?
9
NO
![Page 10: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/10.jpg)
Backward Edge
• CFIstyletargetsetsincludeeverycallsiteforthefunction
• Targetsetsaretoolargetoprovidemeaningfulprotection
10
Securityrequiresintegrityforreturnaddresses!
![Page 11: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/11.jpg)
CFH Mitigation Today
• SeminalCFIpaperbyAbadiet.al.calledforshadowstack
• SeeBurowetalCSUR2017[1]
• DeployedversionsbyMicrosoft/Googleonlycoverforwardedge
11
Noequallystrongdefenseforbackwardedge!
[1]Burowet.al.“Control-flowintegrity:Precision,security,andperformance.”CSUR2017.
![Page 12: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/12.jpg)
Shadow Stacks
• Separatereturnaddressesfromdataplane
• Provideintegrityprotectionforreturnaddresses
• Performantandhighlycompatible
12
NeedtodeployShadowStackwithCFI!
![Page 13: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/13.jpg)
Control-Flow Hijacking Illustrated ProgramStack
ReturnAddress
StackCanary
Array
Pointer
13
![Page 14: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/14.jpg)
Control-Flow Hijacking Illustrated ProgramStack
ReturnAddress
StackCanary
Array
Pointer
14
![Page 15: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/15.jpg)
Control-Flow Hijacking Illustrated ProgramStack
ReturnAddress
StackCanary
Array
Pointer
15
![Page 16: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/16.jpg)
Control-Flow Hijacking Illustrated ProgramStack
ReturnAddress
StackCanary
Array
Pointer
16
![Page 17: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/17.jpg)
Control-Flow Hijacking Illustrated ProgramStack
ReturnAddress
StackCanary
Array
Pointer
17
![Page 18: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/18.jpg)
Control-Flow Hijacking Illustrated ProgramStack
ROPPointer
StackCanary
Array
Pointer
18
![Page 19: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/19.jpg)
What is a Shadow Stack?
⋮
foo()
bar()
ReturnAddress
ReturnAddress
ProgramStack ShadowStack
ReturnAddress
⋮ReturnAddress
19
![Page 20: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/20.jpg)
Shadow Stack Defense ProgramStack
ROPPointer
StackCanary
Array
Pointer
ShadowRA
ShadowStack
20
![Page 21: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/21.jpg)
Shadow Stack Defense ProgramStack
ROPPointer
StackCanary
Array
Pointer
ShadowRA
ShadowStack
21
![Page 22: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/22.jpg)
Shadow Stack Defense ProgramStack
ROPPointer
StackCanary
Array
Pointer
ShadowRA
ShadowStack
❌
22
![Page 23: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/23.jpg)
Advantages of Shadow Stacks
• Knowatruntimewhatfunctionyouwerecalledfrom
• Dynamicdefense–doesNOTrelyonstaticanalysis
• Separatescodeanddataplanesforbackwardedges
23
Fullyprecisebackwardedgeprotection!
![Page 24: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/24.jpg)
Shadow Stack Design Space
24
[1]T.H.Dang,P.Maniatis,andD.Wagner,“Theperformancecostofshadowstacksandstackcanaries,”inAsiaCCS’15[2]T.-c.ChiuehandF.-H.Hsu,“Rad:Acompile-timesolutiontobufferoverflowattacks,”inICDCS’01[3]L.Davi,A.-R.Sadeghi,andM.Winandy,“Ropdefender:Adetectiontooltodefendagainstreturn-orientedprogrammingattacks,”inAsiaCCS’11
[1] [2],[3]
Stack Stack
Shadow Stack
8MB
8MB
constant
Direct Mapping
Stack Stack
Shadow Stack
8MB
Indirect Mapping
Grows on demand
![Page 25: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/25.jpg)
Recommended Shadow Stack
• Indirectmapping
• Useageneralpurposeregisterforshadowstackpointer
25
Optimalperformanceandhighcompatibility!
![Page 26: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/26.jpg)
Recommended Mapping
• IndirectMapping
• Asperformantasdirectmapping
• Minimizesmemoryoverhead
26
Fastestmappinghaslowestmemoryoverhead!
![Page 27: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/27.jpg)
Recommended Encoding
• Usegeneralpurpose(GP)registerforshadowstackpointer
• Doesnotincreaseregisterpressure
• Significantoptimizationforshadowstacks
27
Dedicatingaregistertotheshadowstackpointerisaneffectiveoptimization!
![Page 28: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/28.jpg)
Compatibility of Recommended Shadow Stack
• Threading:fullysupported.GPregistersarethreadlocal
• StackUnwinding:provideinstrumentedsetjmp/longjmp
• UnprotectedCode:saveandrestoreshadowstackpointer
28
Supportallapplicationsandincrementaldeployment!
![Page 29: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/29.jpg)
Intra-Process Memory Isolation
• ShadowStacksplitscodeanddataplanes
• Enablesintegrityenforcementbyisolatingreturnaddresses
29
ShadowStacksenablecodepointerintegrityforreturnaddresses!
![Page 30: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/30.jpg)
Intra-Process Memory Isolation
• Softwarebasedrandomizationdefensearedefeasible
• IntelMPXusesboundschecksforisolation,moderateperformance
• IntelMPKchangespermissionsofpages,slowperformance
30
Noneofthesearefullysatisfactory.Taggedarchitecturesareapromisingnewapproach.
![Page 31: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/31.jpg)
SPEC CPU2006 Performance Evaluation
31
ShadowStack
GeometricMean Max Min
Direct 5.78% 38.68% 0.00%
Recommended 3.65% 9.70% 0.00%
![Page 32: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/32.jpg)
SPEC CPU2006 Performance Evaluation
32
ShadowStack
GeometricMean Max Min
Direct 5.78% 38.68% 0.00%
Recommended 3.65% 9.70% 0.00%
![Page 33: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/33.jpg)
SPEC CPU2006 – Integrity Enforcement
33
IntegrityScheme
GeometricMean Max Min
Randomization 4.31% 13.68% 0.00%
MPX 12.12% 33.02% 2.47%
MPK 61.18% 419.81% 0.00%
![Page 34: SoK: Shining Light on Shadow Stacks · • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge 11 No equally strong defense for backward](https://reader042.fdocuments.in/reader042/viewer/2022040809/5e4dd85ff41c7e53bf581ac3/html5/page/34.jpg)
Conclusion
• Stackremainsvulnerabletocodereuseattacks
• Needtoseparatereturnaddressesfromdataplane
• Recommendacompact,registerbasedshadowstackfordeployment
34
ShadowStacks+CFI=practicalCFHmitigation
https://github.com/HexHive/ShadowStack
