Shining Light On Shadow Stacks

by   Nathan Burow, et al.

Control-Flow Hijacking attacks are the dominant attack vector to compromise systems. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. Based on our study, we propose a new shadow stack design called Shadesmar that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead. We present case studies of Shadesmar on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar's deployability. Isolating the shadow stack is critical for security, and requires in process isolation of a segment of the virtual address space. We achieve this isolation by repurposing two new Intel x86 extensions for memory protection (MPX), and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and show how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.


page 1

page 2

page 3

page 4


PACStack: an Authenticated Call Stack

A popular run-time attack technique is to compromise the control-flow in...

Domain Page-Table Isolation

Modern applications often consist of different security domains that req...

SPECCFI: Mitigating Spectre Attacks using CFI Informed Speculation

Spectre attacks and their many subsequent variants are a new vulnerabili...

Protecting the stack with PACed canaries

Stack canaries remain a widely deployed defense against memory corruptio...

PINPOINT: Efficient and Effective Resource Isolation for Mobile Security and Privacy

Virtualization is frequently used to isolate untrusted processes and con...

CToMP: A Cycle-task-oriented Memory Protection Scheme for Unmanned Systems

Memory corruption attacks (MCAs) refer to malicious behaviors of system ...

FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking

We present the design, implementation, and evaluation of FineIBT: a CFI ...

Please sign up or login with your details

Forgot password? Click here to reset