BYPASSING CLANG'S SAFESTACK FOR FUN AND PROFIT presented at BlackHatEU 2016

by Herbert Bos, Georgios Portokalidis, Elias Athanasopoulos, Cristiano Giuffrida, Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Aggelos Oikonomopoulos

Summary: SafeStack, a new compiler feature currently available only in clang [1] and underway for GCC [2], protects return addresses on the stack from being overwritten through memory vulnerabilities. SafeStack (-fsanitize=safe-stack) is intended to replace stack cookies (-fstack-protector). It separates the data and the return addresses that share the original stack, placing the former on an unsafe stack and the latter on a safe stack. We investigate the implementation of the safe stack to see whether there are still ways to reach it and overwrite the return addresses.
In this presentation we show implementation issues that allow an attacker to reach the safe stack. In addition, we demonstrate two new fundamental strategies for efficiently locating the safe stack, namely Thread Spraying and allocation oracles. Thread Spraying is a technique that forces the application to spawn many safe stacks, which significantly reduces the entropy of their locations. With allocation oracles we can determine the sizes of the unallocated holes in the address space and thus the distance from known regions to the hidden regions.
Sources
[1] http://clang.llvm.org/docs/SafeStack.html
[2] https://gcc.gnu.org/ml/gcc/2016-04/msg00083.html