The Performance Cost of Shadow Stacks and Stack Canaries

Dang, Thurston H. Y.; Maniatis, Petros; Wagner, David

doi:10.1145/2714576.2714635

Cited by 165 publications

(114 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[12]. We have also studied those security systems that could succumb to an APT, as SEH, SafeSEH, SEHOP, Stack Cookies, ASLR, PIE or NX (see [13][14][15][16][17][18][19]). …”

Section: Methodsmentioning

confidence: 99%

Expert knowledge and data analysis for detecting advanced persistent threats

et al. 2017

View full text Add to dashboard Cite

Critical Infrastructures in public administration would be compromised by Advanced Persistent Threats (APT) which today constitute one of the most sophisticated ways of stealing information. This paper presents an effective, learning based tool that uses inductive techniques to analyze the information provided by firewall log files in an IT infrastructure, and detect suspicious activity in order to mark it as a potential APT. The experiments have been accomplished mixing real and synthetic data traffic to represent different proportions of normal and anomalous activity.

show abstract

“…[12]. We have also studied those security systems that could succumb to an APT, as SEH, SafeSEH, SEHOP, Stack Cookies, ASLR, PIE or NX (see [13][14][15][16][17][18][19]). …”

Section: Methodsmentioning

confidence: 99%

Expert knowledge and data analysis for detecting advanced persistent threats

et al. 2017

View full text Add to dashboard Cite

show abstract

“…Forward-edge CFI protects forward branches, such as indirect calls through function pointers or virtual tables, which could be hijacked by an attacker. Backward-edge CFI protects from corruption of return addresses, for example via a shadow stack [12]. One of the main characterizing factors of a CFI approach is its granularity.…”

Section: A Control Flow Integritymentioning

confidence: 99%

“…Statically determining the set of valid return locations is not very precise, as a function can be called from many different places. For this reason, backward-edge CFI implementations often make use of a shadow stack [12], which resides in a protected memory area and stores a copy of the real return address. On returns, the return address fetched from the real stack can be compared to the one from the shadow stack and the program can detect whether it was tampered with.…”

Section: A Control Flow Integritymentioning

confidence: 99%

See 1 more Smart Citation

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

Biondo¹,

Conti²,

Lain³

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

In this paper, we show a significant design vulnerability in Windows CFG and propose a specific attack to exploit it: the Back to The Epilogue (BATE) attack. We show that with BATE an attacker can completely evade from CFG and transfer control to any location, thus obtaining arbitrary code execution. BATE leverages the tradeoff of CFG between precision, performance, and backwards compatibility; in particular, the latter one motivates 16-byte address granularity in some circumstances. This vulnerability, inherent to the CFG design, allows us to call portions of code (gadgets) that should not be allowed, and that we can chain together to escape CFG. These gadgets are very common: we ran a thorough evaluation of Windows system libraries, and found many high value targets -exploitable gadgets in code loaded by almost all the applications on 32-bit systems and by web browsers on 64-bit. We also demonstrate the real-world feasibility of our attack by using it to build a remote code execution exploit against the Microsoft Edge web browser running on 64-bit Windows 10. Finally, we discuss possible countermeasures to BATE.

show abstract

“…VTV [38], a C ++ aware forward-CFI implementation, which can thus defend against COOP, incurs an average geometric mean overhead of 4.0% on the SPEC CPU2006 C ++ benchmarks using comparable optimization techniques. Dang et al [12] report that a protected traditional shadow stack, necessary to defend against an attacker with arbitrary memory read/write capabilities, incurs an average overhead of 9.7% on SPEC CPU2006. Thus, the comparable overhead to fully protect against both traditional ROP attacks and COOP attacks using state-of-the-art CFI is 13.7%, in contrast to our average total overhead of 8.4%.…”

Section: Performance Evaluationmentioning

confidence: 99%

It's a TRaP

Crane

Volckaert

Schuster

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Code-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus on specific code-reuse attack variants such as return-oriented programming (ROP), other attack variants that reuse whole functions, such as the classic return-into-libc, have received much less attention. Mitigating function-level code reuse is highly challenging because one needs to distinguish a legitimate call to a function from an illegitimate one. In fact, the recent counterfeit object-oriented programming (COOP) attack demonstrated that the majority of code-reuse defenses can be bypassed by reusing dynamically bound functions, i.e., functions that are accessed through global offset tables and virtual function tables, respectively.In this paper, we first significantly improve and simplify the COOP attack. Based on a strong adversarial model, we then present the design and implementation of a comprehensive code-reuse defense which is resilient against reuse of dynamically-bound functions. In particular, we introduce two novel defense techniques: (i) a practical technique to randomize the layout of tables containing code pointers resilient to memory disclosure and (ii) booby trap insertion to mitigate the threat of brute-force attacks iterating over the randomized tables. Booby traps serve the dual purpose of preventing fault-analysis side channels and ensuring that each table has sufficiently many possible permutations. Our detailed evaluation demonstrates that our approach is secure, effective, and practical. We prevent realistic, COOP-style attacks against the Chromium web browser and report an average overhead of 1.1% on the SPEC CPU2006 benchmarks.

show abstract

The Performance Cost of Shadow Stacks and Stack Canaries

Cited by 165 publications

References 33 publications

Expert knowledge and data analysis for detecting advanced persistent threats

Expert knowledge and data analysis for detecting advanced persistent threats

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets

It's a TRaP

Contact Info

Product

Resources

About