sok shining light on shadow stacks
play

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, - PowerPoint PPT Presentation

Sep 22, 2023 •221 likes •576 views

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow Hijacking (CFH) Microsoft: 70% of bugs are memory corruptions Control and Data Planes are interleaved Memory corruption Control-Flow

  1. SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer

  2. Control-Flow Hijacking (CFH) • Microsoft: 70% of bugs are memory corruptions • Control and Data Planes are interleaved • Memory corruption à Control-Flow Hijacking Data Code Pointer 2

  3. Control-Flow Hijacking (CFH) • Microsoft: 70% of bugs are memory corruptions • Control and Data Planes are interleaved • Memory corruption à Control-Flow Hijacking Data Code Pointer 3

  4. Forward Edge • Function pointers; virtual calls • Control-Flow Integrity (CFI) – statically calculates target sets 4

  5. Forward Edge • Function pointers; virtual calls • Control-Flow Integrity (CFI) – statically calculates target sets fptr() 5

  6. Forward Edge • Function pointers; virtual calls • Control-Flow Integrity (CFI) – statically calculates target sets fptr() 6

  7. Backward Edge • Return Instructions • Does CFI style analysis work? 7

  8. Backward Edge • Return Instructions • Does CFI style analysis work? ret 8

  9. Backward Edge • Return Instructions • Does CFI style analysis work? NO 9

  10. Backward Edge • CFI style target sets include every call site for the function • Target sets are too large to provide meaningful protection Security requires integrity for return addresses! 10

  11. CFH Mitigation Today • Seminal CFI paper by Abadi et. al. called for shadow stack • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge No equally strong defense for backward edge! [1] Burow et. al. “Control-flow integrity: Precision, security, and performance.” CSUR 2017. 11

  12. Shadow Stacks • Separate return addresses from data plane • Provide integrity protection for return addresses • Performant and highly compatible Need to deploy Shadow Stack with CFI! 12

  13. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 13

  14. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 14

  15. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 15

  16. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 16

  17. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 17

  18. Control-Flow Hijacking Illustrated Program Stack ROP Pointer Stack Canary Pointer Array 18

  19. What is a Shadow Stack? Program Stack Shadow Stack Return Address Return Address foo() ⋮ Return Address ⋮ Return Address bar() 19

  20. Shadow Stack Defense Shadow Stack Program Stack Shadow RA ROP Pointer Stack Canary Pointer Array 20

  21. Shadow Stack Defense Shadow Stack Program Stack Shadow RA ROP Pointer Stack Canary Pointer Array 21

  22. Shadow Stack Defense Shadow Stack Program Stack ❌ Shadow RA ROP Pointer Stack Canary Pointer Array 22

  23. Advantages of Shadow Stacks • Know at runtime what function you were called from • Dynamic defense – does NOT rely on static analysis • Separates code and data planes for backward edges Fully precise backward edge protection! 23

  24. Shadow Stack Design Space [1] [2],[3] Direct Mapping Indirect Mapping Grows on Shadow demand Stack Shadow 8MB Stack constant 8MB Stack Stack 8MB Stack Stack [1] T. H. Dang, P. Maniatis, and D. Wagner, “The performance cost of shadow stacks and stack canaries,” in AsiaCCS ’15 [2] T.-c. Chiueh and F.-H. Hsu, “Rad: A compile-time solution to buffer overflow attacks,” in ICDCS ’01 [3] L. Davi, A.-R. Sadeghi, and M. Winandy, “Ropdefender: A detection tool to defend against return-oriented programming attacks,” in AsiaCCS’11 24

  25. Recommended Shadow Stack • Indirect mapping • Use a general purpose register for shadow stack pointer Optimal performance and high compatibility! 25

  26. Recommended Mapping • Indirect Mapping • As performant as direct mapping • Minimizes memory overhead Fastest mapping has lowest memory overhead! 26

  27. Recommended Encoding • Use general purpose (GP) register for shadow stack pointer • Does not increase register pressure • Significant optimization for shadow stacks Dedicating a register to the shadow stack pointer is an effective optimization! 27

  28. Compatibility of Recommended Shadow Stack • Threading: fully supported. GP registers are thread local • Stack Unwinding: provide instrumented setjmp / longjmp • Unprotected Code: save and restore shadow stack pointer Support all applications and incremental deployment! 28

  29. Intra-Process Memory Isolation • Shadow Stack splits code and data planes • Enables integrity enforcement by isolating return addresses Shadow Stacks enable code pointer integrity for return addresses! 29

  30. Intra-Process Memory Isolation • Software based randomization defense are defeasible • Intel MPX uses bounds checks for isolation, moderate performance • Intel MPK changes permissions of pages, slow performance None of these are fully satisfactory. Tagged architectures are a promising new approach. 30

  31. SPEC CPU2006 Performance Evaluation Shadow Geometric Max Min Stack Mean Direct 5.78% 38.68% 0.00% Recommended 3.65% 9.70% 0.00% 31

  32. SPEC CPU2006 Performance Evaluation Shadow Geometric Max Min Stack Mean Direct 5.78% 38.68% 0.00% Recommended 3.65% 9.70% 0.00% 32

  33. SPEC CPU2006 – Integrity Enforcement Integrity Geometric Max Min Scheme Mean Randomization 4.31% 13.68% 0.00% MPX 12.12% 33.02% 2.47% MPK 61.18% 419.81% 0.00% 33

  34. Conclusion • Stack remains vulnerable to code reuse attacks • Need to separate return addresses from data plane • Recommend a compact, register based shadow stack for deployment Shadow Stacks + CFI = practical CFH mitigation https://github.com/HexHive/ShadowStack 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is albedo? The proportion of incident light (light shining on something) that is

What is albedo? The proportion of incident light (light shining on something) that is

What is albedo? The proportion of incident light (light shining on something) that is reflected by a surface, or more simply, how reflective something is. Albedo is therefore a percent or fraction. Albedo of 60% (or 0.6) means that

397 views • 16 slides
What matter(s) around galaxies? Shining a bright light on the cold phase of the CGM Cantalupo et

What matter(s) around galaxies? Shining a bright light on the cold phase of the CGM Cantalupo et

What matter(s) around galaxies? Shining a bright light on the cold phase of the CGM Cantalupo et al., Nature , 2014 Sebastiano Cantalupo ETH Zurich In collaboration with: MUSE GTO Team (ETH, CRAL, Leiden, AIP, Toulouse, Gottingen) + Cosmic

368 views • 24 slides
Homes Within Reach Shining HUDs Light on Housing Solutions U.S. Department of Housing and

Homes Within Reach Shining HUDs Light on Housing Solutions U.S. Department of Housing and

Homes Within Reach Shining HUDs Light on Housing Solutions U.S. Department of Housing and Urban Development Joseph J. DeFelice, Region III Regional Administrator December 6, 2017 1 The Secretarys th three ee Rs Reimagine the

532 views • 24 slides
Shining light in a black box Rethinking graduate medical education to meet North Carolinas

Shining light in a black box Rethinking graduate medical education to meet North Carolinas

Shining light in a black box Rethinking graduate medical education to meet North Carolinas health care workforce needs Noah Wohlert, MD Department of Family Medicine The University of North Carolina at Chapel Hill Goals of this talk

380 views • 35 slides
Acceleration Data Structures for Ray Tracing Most slides are taken from Fredo Durand Shadows

Acceleration Data Structures for Ray Tracing Most slides are taken from Fredo Durand Shadows

Acceleration Data Structures for Ray Tracing Most slides are taken from Fredo Durand Shadows one shadow ray per intersection per point light source no shadow rays one shadow ray Soft Shadows multiple shadow rays to sample area light

660 views • 52 slides
Shining Light on Neutrino Interactions Andrzej Szelc (University of Manchester) A short history

Shining Light on Neutrino Interactions Andrzej Szelc (University of Manchester) A short history

Shining Light on Neutrino Interactions Andrzej Szelc (University of Manchester) A short history of Neutrinos The neutrino was proposed in 1930 by W. Pauli to save energy conservation in b -decays. It was discovered by Reines and F.

1.09k views • 60 slides
Making the Invisible Visible: Shining the Light on Energy Efficiency in the Real Estate Market

Making the Invisible Visible: Shining the Light on Energy Efficiency in the Real Estate Market

Making the Invisible Visible: Shining the Light on Energy Efficiency in the Real Estate Market Charlie Taylor November 7 th , 2016 About NEEP Mission Accelerate energy efficiency as an essential part of demand-side solutions that enable a

471 views • 8 slides
Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of Leadership Dr Holly Andrews Worcester Business School Global Business Conference Sibenik 2015 Overview What is the issue? Introducing psychopathy

372 views • 18 slides
T-MAN LIGHTING TOWER SHINING A LIGHT ON SAFETY Brian Edwards Plant and Asset Operations Manager

T-MAN LIGHTING TOWER SHINING A LIGHT ON SAFETY Brian Edwards Plant and Asset Operations Manager

T-MAN LIGHTING TOWER SHINING A LIGHT ON SAFETY Brian Edwards Plant and Asset Operations Manager Australia and Pacific BACKGROUND At any given time up to 60 separate 240V lighting plants can be operational on an active mine site. Each lighting

433 views • 15 slides
Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer

Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer

Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer scherzer@cg.tuwien.ac.at LBI Virtual Archeology 2 Hard Shadows Shadow Mapping: First Pass Light Shadow map Render scene from light-view and save

1.44k views • 109 slides
the shadow knows Shadow Algorithms Who knows what evil lurks in the hearts of men? Why

the shadow knows Shadow Algorithms Who knows what evil lurks in the hearts of men? Why

the shadow knows Shadow Algorithms Who knows what evil lurks in the hearts of men? Why shadows? Anatomy of a shadow Increase realism Umbra Area completely obscured by object Shows relationships between objects. Hard

445 views • 5 slides
Light & Shadow in the Deep: Strong Absorption Systems Probed by a Deep NB Imaging Rhythm

Light & Shadow in the Deep: Strong Absorption Systems Probed by a Deep NB Imaging Rhythm

Light & Shadow in the Deep: Strong Absorption Systems Probed by a Deep NB Imaging Rhythm Shimakawa NAOJ Fellow (Subaru Telescope) 2 Topics (Summary) 2min-: Narrow-Band Absorbers (NBAs) What are NBAs? Dual NBAH Emitters at

467 views • 11 slides
Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh 2 , Virginie Lallemand 2 , Mara Naya-Plasencia 3 , Lo Perrin 3 , Andr Schrottenloher 3 1 Universit de Rennes, CNRS, Irisa - Rennes, France

717 views • 44 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Sorting with Pop Stacks Stacks Pop stacks 1-Pop-stack sortability 2-Pop-stack sortability

Sorting with Pop Stacks Stacks Pop stacks 1-Pop-stack sortability 2-Pop-stack sortability

Sorting with Pop Stacks Lara Pudwell Sorting with Pop Stacks Stacks Pop stacks 1-Pop-stack sortability 2-Pop-stack sortability Polyominoes on a helix Lara Pudwell Width 2 Width 3 faculty.valpo.edu/lpudwell Wrapping up joint work with

825 views • 34 slides
SHADOW PINES Town Of Penfield 3100 Atlantic Avenue Penfield, New York 14526 SHADOW PINES

SHADOW PINES Town Of Penfield 3100 Atlantic Avenue Penfield, New York 14526 SHADOW PINES

SHADOW PINES Town Of Penfield 3100 Atlantic Avenue Penfield, New York 14526 SHADOW PINES OVERVIEW REVIEW OF SHADOW LAKES/ SHADOW PINES COMMUNITY ADVISORY REPORT (SEPT. 2016) SHADOW PINES LAND USE ADVISORY COMMITTEE FINAL

249 views • 11 slides
The Vision Clean, safe, affordable and virtually limitless solar energy 24/7 08-10 September

The Vision Clean, safe, affordable and virtually limitless solar energy 24/7 08-10 September

International Symposium on Solar Energy from Space The Vision & Challenge of Solar Power Satellites Abundant & Affordable Solar Power on Earth & in Space 08 September 2009 John C. Mankins Co-Chair, International Academy of

351 views • 14 slides
GCTC STUDENT PARENT SUPPORT SYMPOSIUM BENEFITS ACCESS FOR COLLEGE COMPLETION An initiative

GCTC STUDENT PARENT SUPPORT SYMPOSIUM BENEFITS ACCESS FOR COLLEGE COMPLETION An initiative

Your foundation begins here GCTC STUDENT PARENT SUPPORT SYMPOSIUM BENEFITS ACCESS FOR COLLEGE COMPLETION An initiative geared toward increasing access to public benefits for community college students Supporting colleges developing

617 views • 18 slides
Collaboration Framework Ikuru Iwata (Subaru Telescope) 2018/01/15 JST ULTIMATE-Subaru

Collaboration Framework Ikuru Iwata (Subaru Telescope) 2018/01/15 JST ULTIMATE-Subaru

Collaboration Framework Ikuru Iwata (Subaru Telescope) 2018/01/15 JST ULTIMATE-Subaru Collaboration Meeting Photo by Enrico Sacchetti 2 Outline Instrument Development Collaboration Subaru Telescope Partnership Desirable Future

353 views • 10 slides
Sermsang Power Corporation Public Company Limited Results of The Year 2017 2 March 2018 1

Sermsang Power Corporation Public Company Limited Results of The Year 2017 2 March 2018 1

Sermsang Power Corporation Public Company Limited Results of The Year 2017 2 March 2018 1 Disclaimer The information contained in this presentation is strictly confidential and is provided by Sermsang Power Corporation Public Company Limited

479 views • 37 slides
High Power, Low Cost SOFC Stacks For Robust And Reliable

High Power, Low Cost SOFC Stacks For Robust And Reliable

High Power, Low Cost SOFC Stacks For Robust And Reliable Distributed Genera?on Redox Cube 25 kW, natural gas, Award No. DE-FE0026189 sta6onary

239 views • 21 slides
Hybrid Power Systems Scott L. Swartz, Ph.D. (P.I.) Nexceris LLC (Lewis Center, Ohio) Project

Hybrid Power Systems Scott L. Swartz, Ph.D. (P.I.) Nexceris LLC (Lewis Center, Ohio) Project

Advanced SOFC Stack for Hybrid Power Systems Scott L. Swartz, Ph.D. (P.I.) Nexceris LLC (Lewis Center, Ohio) Project Vision Nexceris will develop a pressure tolerant and ultra high efficiency solid oxide fuel cell stack (10-kW scale) that

185 views • 18 slides
RE- IMAGINING THE WOMENS MARKET Narelle Stack April 2018 Freedom Product/Experience

RE- IMAGINING THE WOMENS MARKET Narelle Stack April 2018 Freedom Product/Experience

RE- IMAGINING THE WOMENS MARKET Narelle Stack April 2018 Freedom Product/Experience Design & Planning Product/Experience Design & Planning Product/Experience Design & Planning What We Want Value My Time Make the

114 views • 9 slides
signs of the Convention using the nesting and stacking technique Antonio Lucas-Alba , Ana

signs of the Convention using the nesting and stacking technique Antonio Lucas-Alba , Ana

On the design of the G-section signs of the Convention using the nesting and stacking technique Antonio Lucas-Alba , Ana Hernando, M Teresa Blanch Universidad de Zaragoza, Spain Philip N. Johnson-Laird Professor at Princeton

517 views • 27 slides

More recommend