SoK: Shining Light on Shadow Stacks presented at IEEESymposium 2019

by Mathias Payer, Nathan Burow, Xinping Zhang,


Summary : Control-Flow Hijacking attacks are the dominantattack vector against C/C++ programs. Control-Flow Integrity(CFI) solutions mitigate these attacks on the forward edge,i.e., indirect calls through function pointers and virtual calls.Protecting the backward edge is left to stack canaries, which areeasily bypassed through information leaks. Shadow Stacks area fully precise mechanism for protecting backwards edges, andshould be deployed with CFI mitigations.We present a comprehensive analysis of all possible shadowstack mechanisms along three axes: performance, compatibil-ity, and security. For performance comparisons we use SPECCPU2006, while security and compatibility are qualitativelyanalyzed. Based on our study, we renew calls for a shadowstack design that leverages a dedicated register, resulting inlow performance overhead, and minimal memory overhead,but sacrifices compatibility. We present case studies of ourimplementation of such a design, Shadesmar, on Phoronix andApache to demonstrate the feasibility of dedicating a generalpurpose register to a security monitor on modern architectures,and Shadesmar’s deployability. Our comprehensive analysis,including detailed case studies for our novel design, allowscompiler designers and practitioners to select the correct shadowstack design for different usage scenarios.Shadow stacks belong to the class of defense mechanismsthat require metadata about the program’s state to enforcetheir defense policies. Protecting this metadata for deployedmitigations requires in-process isolation of a segment of thevirtual address space. Prior work on defenses in this class hasrelied on information hiding to protect metadata. We show thatstronger guarantees are possible by repurposing two new Intelx86 extensions for memory protection (MPX), and page tablecontrol (MPK). Building on our isolation efforts with MPXand MPK, we present the design requirements for a dedicatedhardware mechanism to support intra-process memory isolation,and discuss how such a mechanism can empower the next wave ofhighly precise software security mitigations that rely on partiallyisolated information in a process.