SoK: Shining Light on Shadow Stacks
Transcript of the slide deck.
Control-Flow Hijacking (CFH)
• Microsoft: 70% of bugs are memory corruptions
• Control and Data Planes are interleaved
• Memory corruption → Control-Flow Hijacking
[Figure: a "Data" region and a "Code Pointer" side by side in memory]
Forward Edge
• Function pointers; virtual calls
• Control-Flow Integrity (CFI) – statically calculates target sets
[Figure: indirect call through fptr()]
Backward Edge
• CFI-style target sets include every call site for the function
• Target sets are too large to provide meaningful protection
Security requires integrity for return addresses!
CFH Mitigation Today
• Seminal CFI paper by Abadi et al. called for shadow stack
• See Burow et al. CSUR 2017 [1]
• Deployed versions by Microsoft/Google only cover forward edge
No equally strong defense for backward edge!
[1] Burow et al. "Control-flow integrity: Precision, security, and performance." CSUR 2017.
Shadow Stacks
• Separate return addresses from data plane
• Provide integrity protection for return addresses
• Performant and highly compatible
Need to deploy Shadow Stack with CFI!
What is a Shadow Stack?
[Figure: Program Stack with the frames of foo() and bar(), each ending in a Return Address, beside a Shadow Stack holding only the Return Addresses]
Advantages of Shadow Stacks
• Know at runtime what function you were called from
• Dynamic defense – does NOT rely on static analysis
• Separates code and data planes for backward edges
Fully precise backward edge protection!
Shadow Stack Design Space
[Figure: Direct Mapping [1] – an 8MB stack mirrored by an 8MB shadow stack at a constant offset; Indirect Mapping [2],[3] – an 8MB stack with a separate shadow stack that grows on demand]
[1] T. H. Dang, P. Maniatis, and D. Wagner, "The performance cost of shadow stacks and stack canaries," in AsiaCCS '15
[2] T.-c. Chiueh and F.-H. Hsu, "RAD: A compile-time solution to buffer overflow attacks," in ICDCS '01
[3] L. Davi, A.-R. Sadeghi, and M. Winandy, "ROPdefender: A detection tool to defend against return-oriented programming attacks," in AsiaCCS '11
Recommended Shadow Stack
• Indirect mapping
• Use a general purpose register for shadow stack pointer
Optimal performance and high compatibility!
Recommended Mapping
• Indirect Mapping
• As performant as direct mapping
• Minimizes memory overhead
Fastest mapping has lowest memory overhead!
Recommended Encoding
• Use general purpose (GP) register for shadow stack pointer
• Does not increase register pressure
• Significant optimization for shadow stacks
Dedicating a register to the shadow stack pointer is an effective optimization!
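The C program below is an added example, not code from the slides or from the paper's implementation. It models the two mapping schemes from the design-space slide (direct: shadow slot at a constant offset from the stack slot; indirect: a separate shadow stack pointer addressing a compact region), the shadow stack pointer held in a general-purpose register from the encoding slide (the ssp field stands in for that register), and the prologue/epilogue check that compares the return address on the program stack with the shadow copy. Memory is a word array, slot indices, the return-address values (0x401000 and so on) and the overwrite used to stand in for a memory-corruption bug are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two mapping schemes. "Memory" is a word array and
 * addresses are indices into it. The program stack occupies slots
 * [STACK_LO, STACK_HI) and grows down.
 *  - Direct mapping: the shadow copy of stack slot i lives at i + DIRECT_OFFSET.
 *    No extra register is needed, but the shadow region must mirror the whole
 *    stack (8MB of shadow for an 8MB stack).
 *  - Indirect mapping: a separate shadow stack pointer (ssp, standing in for
 *    the dedicated general-purpose register) addresses a compact region that
 *    needs one word per live call frame and can grow on demand. */
enum { STACK_LO = 8, STACK_HI = 24, DIRECT_OFFSET = 24, MEM_WORDS = 64 };
enum mapping { MAP_DIRECT, MAP_INDIRECT };

typedef struct {
    uintptr_t mem[MEM_WORDS];              /* program stack + direct-mapped shadow region */
    uintptr_t shadow[STACK_HI - STACK_LO]; /* indirect shadow region */
    size_t sp;                             /* program stack pointer (index of top slot) */
    size_t ssp;                            /* indirect shadow stack pointer */
    enum mapping mode;
} machine_t;

static void machine_init(machine_t *m, enum mapping mode) {
    memset(m, 0, sizeof *m);
    m->sp = STACK_HI;
    m->mode = mode;
}

/* Prologue instrumentation: the call pushes the return address on the program
 * stack as usual, and the shadow stack receives a copy. */
static void call_with_shadow(machine_t *m, uintptr_t ret_addr) {
    m->sp--;
    m->mem[m->sp] = ret_addr;
    if (m->mode == MAP_DIRECT)
        m->mem[m->sp + DIRECT_OFFSET] = ret_addr;  /* constant-offset store, no register */
    else
        m->shadow[m->ssp++] = ret_addr;            /* register-addressed push */
}

/* Epilogue instrumentation: compare the return address on the program stack
 * with the shadow copy. Returns 0 when they match and the return proceeds
 * through the trusted copy, -1 on mismatch (a real implementation aborts). */
static int return_with_shadow(machine_t *m, uintptr_t *target) {
    uintptr_t from_stack = m->mem[m->sp];
    uintptr_t from_shadow = (m->mode == MAP_DIRECT) ? m->mem[m->sp + DIRECT_OFFSET]
                                                    : m->shadow[--m->ssp];
    m->sp++;
    if (from_stack != from_shadow)
        return -1;
    *target = from_shadow;
    return 0;
}

/* Well-behaved call/return pair: the check passes and the original target is used. */
int demo_clean_return(enum mapping mode) {
    machine_t m;
    uintptr_t target = 0;
    machine_init(&m, mode);
    call_with_shadow(&m, 0x401000);   /* constructed stand-in return address */
    if (return_with_shadow(&m, &target) != 0)
        return -1;
    return target == 0x401000 ? 0 : -2;
}

/* Same, but a memory-corruption bug (modelled as a plain overwrite of the
 * return slot) hits the program stack before the return executes.
 * Returns 1 when the mismatch is caught. */
int demo_detects_corrupted_return(enum mapping mode) {
    machine_t m;
    uintptr_t target = 0;
    machine_init(&m, mode);
    call_with_shadow(&m, 0x401000);
    call_with_shadow(&m, 0x402000);
    m.mem[m.sp] = 0xdeadbeef;         /* the return slot is clobbered; the shadow copy is not */
    return return_with_shadow(&m, &target) == -1 ? 1 : 0;
}

/* Memory reserved for the shadow region: direct mapping mirrors the whole
 * stack, indirect mapping needs one word per live frame. */
size_t shadow_bytes_needed(enum mapping mode, size_t stack_bytes, size_t max_depth) {
    return mode == MAP_DIRECT ? stack_bytes : max_depth * sizeof(uintptr_t);
}

int main(void) {
    printf("clean return (direct/indirect): %d %d\n",
           demo_clean_return(MAP_DIRECT), demo_clean_return(MAP_INDIRECT));
    printf("corruption caught (direct/indirect): %d %d\n",
           demo_detects_corrupted_return(MAP_DIRECT), demo_detects_corrupted_return(MAP_INDIRECT));
    printf("shadow bytes for 8MB stack, depth 100: direct=%zu indirect=%zu\n",
           shadow_bytes_needed(MAP_DIRECT, 8u << 20, 100),
           shadow_bytes_needed(MAP_INDIRECT, 8u << 20, 100));
    return 0;
}
```

Both mappings catch the clobbered slot; the difference the slides care about is cost: the direct scheme needs no register but reserves as much shadow memory as stack, while the indirect scheme reserves one word per live frame, which is why the recommended design pairs indirect mapping with a dedicated register.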
Compatibility of Recommended Shadow Stack
• Threading: fully supported. GP registers are thread local
• Stack Unwinding: provide instrumented setjmp/longjmp
• Unprotected Code: save and restore shadow stack pointer
Support all applications and incremental deployment!
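Added example of the two compatibility mechanisms named above (not the deck's or the paper's code): an instrumented setjmp/longjmp pair that records the shadow stack pointer when the jump buffer is set and unwinds to it on the jump, and the save/restore of the shadow stack pointer around a call into unprotected code. The global ssp stands in for the dedicated general-purpose register, the return-address values are constructed, and the "library routine" that clobbers the register is a stand-in for code compiled without shadow stack support.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed software shadow stack. ssp stands in for the dedicated
 * general-purpose register; volatile so its value is reliable after a longjmp. */
#define SS_MAX 64
static uintptr_t shadow[SS_MAX];
static volatile size_t ssp;

static void ss_push(uintptr_t ra) { shadow[ssp++] = ra; }
static uintptr_t ss_pop(void)     { return shadow[--ssp]; }
size_t ss_depth(void)             { return ssp; }
void ss_reset(void)               { ssp = 0; }

/* Instrumented jump buffer: the ordinary jmp_buf plus the shadow stack pointer
 * captured when the buffer was set. */
typedef struct { jmp_buf env; size_t saved_ssp; } ss_jmp_buf;

/* Call right before setjmp(buf->env); setjmp itself must remain a bare call in
 * the function that wants to be jumped back to, so it is not wrapped here. */
static void ss_setjmp_save(ss_jmp_buf *buf) { buf->saved_ssp = ssp; }

/* Instrumented longjmp: discard the shadow entries of the frames being abandoned
 * by unwinding ssp to the depth recorded at setjmp time, then jump. */
static void ss_longjmp(ss_jmp_buf *buf, int val) {
    ssp = buf->saved_ssp;
    longjmp(buf->env, val);
}

static ss_jmp_buf recovery;
static size_t depth_when_jumping;

static void leaf(int instrumented) {
    ss_push(0x3003);                 /* constructed stand-in for leaf's return address */
    depth_when_jumping = ssp;        /* two frames deep: middle() and leaf() */
    if (instrumented)
        ss_longjmp(&recovery, 1);
    else
        longjmp(recovery.env, 1);    /* plain longjmp: the two entries are left behind */
}

static void middle(int instrumented) {
    ss_push(0x2002);
    leaf(instrumented);
    ss_pop();                        /* never reached: leaf() does not return */
}

/* Runs a call chain that bails out with longjmp and reports the shadow stack
 * depth observed after landing. Instrumented: back to the depth at setjmp (0).
 * Plain: the stale entries remain and the next return check would compare
 * against the wrong entry. */
size_t run_unwind_demo(int instrumented) {
    ss_reset();
    ss_setjmp_save(&recovery);
    if (setjmp(recovery.env) == 0)
        middle(instrumented);
    return ss_depth();
}

size_t depth_seen_at_jump(void) { return depth_when_jumping; }

/* Unprotected code (a library built without shadow stack support) may use the
 * register for its own purposes. Protected code saves the shadow stack pointer
 * before the call and restores it afterwards. */
static void unprotected_library_routine(void) {
    ssp = 12345;                     /* constructed: clobbers the "register" */
}

size_t call_unprotected_demo(void) {
    ss_reset();
    ss_push(0x1001);
    size_t saved = ssp;              /* save before crossing into unprotected code */
    unprotected_library_routine();
    ssp = saved;                     /* restore on the way back */
    return ss_depth();               /* 1: the protected frame's entry survives */
}

int main(void) {
    size_t after_instrumented = run_unwind_demo(1);
    size_t at_jump = depth_seen_at_jump();
    printf("depth after instrumented longjmp: %zu (was %zu when jumping)\n",
           after_instrumented, at_jump);
    printf("depth after plain longjmp: %zu\n", run_unwind_demo(0));
    printf("depth after calling unprotected code: %zu\n", call_unprotected_demo());
    return 0;
}
```

Threading needs no code of its own in this model: because the shadow stack pointer lives in a register, each thread carries its own copy, and each thread gets its own shadow region.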
Intra-Process Memory Isolation
• Shadow Stack splits code and data planes
• Enables integrity enforcement by isolating return addresses
Shadow Stacks enable code pointer integrity for return addresses!
Intra-Process Memory Isolation
• Software-based randomization defenses are defeasible
• Intel MPX uses bounds checks for isolation, moderate performance
• Intel MPK changes permissions of pages, slow performance
None of these are fully satisfactory. Tagged architectures are a promising new approach.
SPEC CPU2006 Performance Evaluation

Shadow Stack    Geometric Mean    Max       Min
Direct          5.78%             38.68%    0.00%
Recommended     3.65%             9.70%     0.00%
SPEC CPU2006 – Integrity Enforcement

Integrity Scheme    Geometric Mean    Max        Min
Randomization       4.31%             13.68%     0.00%
MPX                 12.12%            33.02%     2.47%
MPK                 61.18%            419.81%    0.00%