2019 IEEE Symposium on Security and Privacy (SP)
DOI: 10.1109/sp.2019.00076
SoK: Shining Light on Shadow Stacks

Abstract: Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backward edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible…
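The mechanism the abstract describes, as an added example that is not code from the paper or its authors: a word-level model in C of a compact shadow stack. The simulated main stack is an array of words that grows downward, each frame holds its saved return address above its locals, and the call prologue pushes a second copy of the return address onto a separate shadow stack that the epilogue compares against before returning. An unchecked local write that runs past its buffer corrupts the saved return address and is caught at return. A setjmp/longjmp-style unwind (the call/return mismatch that one of the citation statements below raises as a false-positive source) is handled by recording each frame's stack pointer alongside its shadow entry and discarding the entries of frames the unwind threw away. Every name here (machine_t, m_call, m_ret, m_longjmp), the word-sized frame layout and the scenario addresses are assumptions of this example, not the paper's design.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model (not the paper's): a main stack of words growing downward,
 * frame layout [locals...][saved return address], and a compact shadow stack
 * whose entries also remember the index of the frame's return slot. */
#define STACK_WORDS  64
#define SHADOW_WORDS 64

typedef struct { uintptr_t ret; int sp; } shadow_entry_t;

typedef struct {
    uintptr_t stack[STACK_WORDS];        /* simulated main stack */
    int sp;                              /* index of the topmost used word */
    shadow_entry_t shadow[SHADOW_WORDS]; /* shadow stack, return addresses only */
    int ssp;                             /* number of live shadow entries */
} machine_t;

void m_init(machine_t *m) {
    memset(m, 0, sizeof *m);
    m->sp = STACK_WORDS;                 /* empty stack: sp one past the end */
}

/* Prologue: push the return address on both stacks, then reserve locals. */
int m_call(machine_t *m, uintptr_t ret, int nlocals) {
    if (m->sp - 1 - nlocals < 0 || m->ssp >= SHADOW_WORDS) return -1;
    m->stack[--m->sp] = ret;             /* return slot on the main stack */
    m->shadow[m->ssp].ret = ret;         /* trusted copy on the shadow stack */
    m->shadow[m->ssp].sp  = m->sp;       /* remember which frame it belongs to */
    m->ssp++;
    m->sp -= nlocals;                    /* locals sit below the return slot */
    return 0;
}

/* A write relative to sp with no bounds check: writing nlocals words or more
 * starting at the lowest local overwrites the saved return address. */
void m_write_local(machine_t *m, int off, uintptr_t val) {
    m->stack[m->sp + off] = val;
}

/* Epilogue: free locals, read the return address from the main stack and
 * compare it to the shadow copy.  Returns 0 if they agree, -1 if the main-stack
 * copy was tampered with.  *target always receives the trusted shadow value;
 * a real implementation would abort on mismatch instead of continuing. */
int m_ret(machine_t *m, int nlocals, uintptr_t *target) {
    if (m->ssp == 0) return -1;
    m->sp += nlocals;
    uintptr_t from_stack  = m->stack[m->sp++];
    uintptr_t from_shadow = m->shadow[--m->ssp].ret;
    *target = from_shadow;
    return from_stack == from_shadow ? 0 : -1;
}

/* Non-local exit: restore sp to a value captured earlier (what setjmp would
 * save) and drop shadow entries of frames that lived below that point. */
void m_longjmp(machine_t *m, int saved_sp) {
    m->sp = saved_sp;
    while (m->ssp > 0 && m->shadow[m->ssp - 1].sp < saved_sp) m->ssp--;
}

/* Scenario 1: a well-behaved call and return.  Returns 1 on success. */
int scenario_clean(void) {
    machine_t m; uintptr_t t;
    m_init(&m);
    if (m_call(&m, 0x1000, 2) != 0) return -2;
    m_write_local(&m, 0, 0xAA);
    m_write_local(&m, 1, 0xBB);
    return (m_ret(&m, 2, &t) == 0 && t == 0x1000) ? 1 : 0;
}

/* Scenario 2: three words written into a two-word buffer smash the saved
 * return address; the epilogue check reports the mismatch.  Returns 1 if the
 * tampering was detected and the trusted target was kept. */
int scenario_overflow(void) {
    machine_t m; uintptr_t t;
    m_init(&m);
    if (m_call(&m, 0x2000, 2) != 0) return -2;
    for (int i = 0; i < 3; i++) m_write_local(&m, i, 0x41414141);
    int rc = m_ret(&m, 2, &t);
    return (rc == -1 && t == 0x2000) ? 1 : 0;
}

/* Scenario 3: longjmp out of two nested frames.  Without resynchronisation the
 * surviving frame's return would compare 0x3000 against 0x5000 and raise a
 * false positive; with it the shadow stack is back to one entry.  Returns 1. */
int scenario_longjmp(void) {
    machine_t m; uintptr_t t;
    m_init(&m);
    if (m_call(&m, 0x3000, 1) != 0) return -2;
    int jmpbuf_sp = m.sp;                /* setjmp captures sp here */
    if (m_call(&m, 0x4000, 1) != 0) return -2;
    if (m_call(&m, 0x5000, 1) != 0) return -2;
    m_longjmp(&m, jmpbuf_sp);
    if (m.ssp != 1) return 0;
    return (m_ret(&m, 1, &t) == 0 && t == 0x3000) ? 1 : 0;
}

int main(void) {
    printf("clean return ok:        %d\n", scenario_clean());
    printf("overflow detected:      %d\n", scenario_overflow());
    printf("longjmp resynchronised: %d\n", scenario_longjmp());
    return 0;
}
```

The model keeps the two copies in the same address space, which matches the caveat raised in the Related Work citation below: an attacker who learns the shadow stack's location and has an arbitrary write can keep both copies consistent, so real designs hide the shadow region (randomised placement, a reserved register, or hardware protection) rather than rely on the comparison alone.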

Cited by 107 publications (61 citation statements)
References 43 publications
“…However, we expect the performance cost to be negligible, as cases where the compiler needs to utilize all callee-saved registers (X19-X29) are infrequent. Note that reserving exclusive use of a register has also been proposed for shadow stacks on the x86 architecture [10], even though x86 has fewer general purpose registers compared to 64-bit ARM processors. Unlike shadow stacks, ACS in general can avoid consuming additional registers by using LR to store auth (variant 1, Section 6.2) or aret (variant 2, Section 6.2).…”
Section: Function Call Instrumentation
“…Although shadow stacks provide precise protection, traditional shadow stacks incur significant performance overhead and lead to false positives for programming constructs that cause mismatches between calls and returns (C++ exceptions with stack unwinding, setjmp/longjmp). Recent shadow designs demonstrate that performance can be increased by either leveraging a parallel shadow stack [15], or using a dedicated register for shadow stack addressing [10]. However, in these schemes the shadow stack still resides in the same address space as the target application, and can be compromised if the shadow stack location is known to A.…”
Section: Related Work
“…Overheads of below 5%, and significantly lower than in equivalent software techniques [2,18,19], can be achieved for coarse-grained flow control integrity with 2 GPEs on average, and with 4 for a fine-grained technique. Shadow stack requires 6, a custom load counter 4, and Rowhammer prevention 6.…”
Section: Discussion
“…However, as all memory events must be observed, instead of just loads, overheads are typically higher, though 8 GPEs are still sufficient for overheads below 5%. Comparison to Software Techniques Figure 5 shows the performance of the Guardian Council versus the best performing equivalent software-only techniques we could find in the literature [18,19,52]. This is not a direct comparison as numbers are reported for x86 systems, and the software techniques feature complex optimisations not featured in our Guardian Council implementations.…”
Section: Overheads