SoK: Shining Light on Shadow Stacks

Burow, Nathan; Zhang, Xinping; Payer, Mathias

doi:10.1109/sp.2019.00076

Cited by 98 publications

(61 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, we expect the performance cost to be negligible, as cases where the compiler needs to utilize all callee-saved registers (X19-X29) are infrequent. Note that reserving exclusive use of a register has also been proposed for shadow stacks on the x86 architecture [10], even though x86 has fewer general purpose registers compared to 64-bit ARM processors. Unlike shadow stacks, ACS in general can avoid consuming additional registers by using LR to store auth (variant 1, Section 6.2) or aret (variant 2, Section 6.2).…”

Section: Function Call Instrumentationmentioning

confidence: 99%

“…Although shadow stacks provide precise protection, traditional shadow stacks incur significant performance overhead and lead to false positives for programming constructs that cause mismatches between calls and returns (C++ exceptions with stack unwinding, setjmp/ longjmp). Recent shadow designs demonstrate that performance can be increased by either leveraging a parallel shadow stack [15], or using a dedicated register for shadow stack addressing [10]. However, in these schemes the shadow stack still resides in the same address space as the target application, and can be compromised if the shadow stack location is known to A.…”

Section: Related Workmentioning

confidence: 99%

“…Integrity of the shadow stack is maintained by making it inaccessible to the adversary either by randomizing its location in memory or by using specialized hardware [25]. Recent software-based shadow stacks show reasonable performance [10], but are vulnerable to an adversary capable of exploiting memory vulnerabilities to infer the location of the shadow stack. To date, only hardware-assisted shadow stacks, such as Intel CET [25], achieve negligible overhead without any security trade-offs.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Authenticated Call Stack

Liljestrand

Nyman

Ekberg

et al. 2019

Proceedings of the 56th Annual Design Automation Conference 2019

View full text Add to dashboard Cite

A popular run-time attack technique is to compromise the controlflow integrity of a program by modifying function return addresses on the stack. So far, shadow stacks have proven to be essential for comprehensively preventing return address manipulation. Shadow stacks record return addresses in integrity-protected memory, secured with hardware-assistance or software access control. Software shadow stacks incur high overheads or trade off security for efficiency. Hardware-assisted shadow stacks are efficient and secure, but require the deployment of special-purpose hardware.We present authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs) to achieve comparable security without requiring additional hardware support. We present PACStack, a realization of ACS on the ARMv8.3-A architecture, using its general purpose hardware mechanism for pointer authentication (PA). Via a rigorous security analysis, we show that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware. We demonstrate that PACStack's performance overhead is negligible (<1%). 1 https://gcc.gnu.org/onlinedocs/gcc/AArch64-Function-Attributes.html 2 https://reviews.llvm.org/D49793 1

show abstract

Section: Function Call Instrumentationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Authenticated Call Stack

Liljestrand

Nyman

Ekberg

et al. 2019

Proceedings of the 56th Annual Design Automation Conference 2019

View full text Add to dashboard Cite

show abstract

“…Overheads of below 5%, and significantly lower than in equivalent software techniques [2, 18,19], can be achieved for coarse-grained flow control integrity with 2 GPEs on average, and with 4 for a fine-grained technique. Shadow stack requires 6, a custom load counter 4, and Rowhammer prevention 6.…”

Section: Discussionmentioning

confidence: 99%

“…However, as all memory events must be observed, instead of just loads, overheads are typically higher, though 8 GPEs are still sufficient for overheads below 5%. Comparison to Software Techniques Figure 5 shows the performance of the Guardian Council versus the best performing equivalent software-only techniques we could find in the literature [18,19,52]. This is not a direct comparison as numbers are reported for x86 systems, and the software techniques feature complex optimisations not featured in our Guardian Council implementations.…”

Section: Overheadsmentioning

confidence: 99%

The Guardian Council

Ainsworth

Jones

2020

Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Syste

View full text Add to dashboard Cite

Systems security is becoming more challenging in the face of untrusted programs and system users. Safeguards against attacks currently in use, such as buffer overflows, control-flow integrity, side channels and malware, are limited. Software protection schemes, while flexible, are often too expensive, and hardware schemes, while fast, are too constrained or out-of-date to be practical.We demonstrate the best of both worlds with the Guardian Council, a novel parallel architecture to enforce a wide range of highly customisable and diverse security policies. We leverage heterogeneity and parallelism in the design of our system to perform security enforcement for a large highperformance core on a set of small microcontroller-sized cores. These Guardian Processing Elements (GPEs) are many orders of magnitude more efficient than conventional outof-order superscalar processors, bringing high-performance security at very low power and area overheads. Alongside these highly parallel cores we provide fixed-function logging and communication units, and a powerful programming model, as part of an architecture designed for security.Evaluation on a range of existing hardware and software protection mechanisms, reimplemented on the Guardian Council, demonstrates the flexibility of our approach with negligible overheads, out-performing prior work in the literature. For instance, 4 GPEs can provide forward control-flow integrity with 0% overhead, while 6 GPEs can provide a full shadow stack at only 2%.

show abstract