Venue: IEEE Symposium on Security and Privacy

SoK: Shining Light on Shadow Stacks


Abstract

Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backward edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead and minimal memory overhead, but sacrificing compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar's deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios. Shadow stacks belong to the class of defense mechanisms that require metadata about the program's state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX) and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.