Conference paper, IEEE Symposium on Security and Privacy

SoK: Shining Light on Shadow Stacks


Abstract

Control-flow hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow stacks are a fully precise mechanism for protecting backward edges, and should be deployed together with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are analyzed qualitatively. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead and minimal memory overhead, but sacrificing compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar's deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios. Shadow stacks belong to the class of defense mechanisms that require metadata about the program's state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX) and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.
