sok shining light on shadow stacks
play

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, - PowerPoint PPT Presentation

Sep 22, 2023 •221 likes •576 views

SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer Control-Flow Hijacking (CFH) Microsoft: 70% of bugs are memory corruptions Control and Data Planes are interleaved Memory corruption Control-Flow

  1. SoK: Shining Light on Shadow Stacks Nathan Burow , Xinping Zhang, Mathias Payer

  2. Control-Flow Hijacking (CFH) • Microsoft: 70% of bugs are memory corruptions • Control and Data Planes are interleaved • Memory corruption à Control-Flow Hijacking Data Code Pointer 2

  3. Control-Flow Hijacking (CFH) • Microsoft: 70% of bugs are memory corruptions • Control and Data Planes are interleaved • Memory corruption à Control-Flow Hijacking Data Code Pointer 3

  4. Forward Edge • Function pointers; virtual calls • Control-Flow Integrity (CFI) – statically calculates target sets 4

  5. Forward Edge • Function pointers; virtual calls • Control-Flow Integrity (CFI) – statically calculates target sets fptr() 5

  6. Forward Edge • Function pointers; virtual calls • Control-Flow Integrity (CFI) – statically calculates target sets fptr() 6

  7. Backward Edge • Return Instructions • Does CFI style analysis work? 7

  8. Backward Edge • Return Instructions • Does CFI style analysis work? ret 8

  9. Backward Edge • Return Instructions • Does CFI style analysis work? NO 9

  10. Backward Edge • CFI style target sets include every call site for the function • Target sets are too large to provide meaningful protection Security requires integrity for return addresses! 10

  11. CFH Mitigation Today • Seminal CFI paper by Abadi et. al. called for shadow stack • See Burow et al CSUR 2017[1] • Deployed versions by Microsoft / Google only cover forward edge No equally strong defense for backward edge! [1] Burow et. al. “Control-flow integrity: Precision, security, and performance.” CSUR 2017. 11

  12. Shadow Stacks • Separate return addresses from data plane • Provide integrity protection for return addresses • Performant and highly compatible Need to deploy Shadow Stack with CFI! 12

  13. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 13

  14. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 14

  15. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 15

  16. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 16

  17. Control-Flow Hijacking Illustrated Program Stack Return Address Stack Canary Pointer Array 17

  18. Control-Flow Hijacking Illustrated Program Stack ROP Pointer Stack Canary Pointer Array 18

  19. What is a Shadow Stack? Program Stack Shadow Stack Return Address Return Address foo() ⋮ Return Address ⋮ Return Address bar() 19

  20. Shadow Stack Defense Shadow Stack Program Stack Shadow RA ROP Pointer Stack Canary Pointer Array 20

  21. Shadow Stack Defense Shadow Stack Program Stack Shadow RA ROP Pointer Stack Canary Pointer Array 21

  22. Shadow Stack Defense Shadow Stack Program Stack ❌ Shadow RA ROP Pointer Stack Canary Pointer Array 22

  23. Advantages of Shadow Stacks • Know at runtime what function you were called from • Dynamic defense – does NOT rely on static analysis • Separates code and data planes for backward edges Fully precise backward edge protection! 23

  24. Shadow Stack Design Space [1] [2],[3] Direct Mapping Indirect Mapping Grows on Shadow demand Stack Shadow 8MB Stack constant 8MB Stack Stack 8MB Stack Stack [1] T. H. Dang, P. Maniatis, and D. Wagner, “The performance cost of shadow stacks and stack canaries,” in AsiaCCS ’15 [2] T.-c. Chiueh and F.-H. Hsu, “Rad: A compile-time solution to buffer overflow attacks,” in ICDCS ’01 [3] L. Davi, A.-R. Sadeghi, and M. Winandy, “Ropdefender: A detection tool to defend against return-oriented programming attacks,” in AsiaCCS’11 24

  25. Recommended Shadow Stack • Indirect mapping • Use a general purpose register for shadow stack pointer Optimal performance and high compatibility! 25

  26. Recommended Mapping • Indirect Mapping • As performant as direct mapping • Minimizes memory overhead Fastest mapping has lowest memory overhead! 26

  27. Recommended Encoding • Use general purpose (GP) register for shadow stack pointer • Does not increase register pressure • Significant optimization for shadow stacks Dedicating a register to the shadow stack pointer is an effective optimization! 27

  28. Compatibility of Recommended Shadow Stack • Threading: fully supported. GP registers are thread local • Stack Unwinding: provide instrumented setjmp / longjmp • Unprotected Code: save and restore shadow stack pointer Support all applications and incremental deployment! 28

  29. Intra-Process Memory Isolation • Shadow Stack splits code and data planes • Enables integrity enforcement by isolating return addresses Shadow Stacks enable code pointer integrity for return addresses! 29

  30. Intra-Process Memory Isolation • Software based randomization defense are defeasible • Intel MPX uses bounds checks for isolation, moderate performance • Intel MPK changes permissions of pages, slow performance None of these are fully satisfactory. Tagged architectures are a promising new approach. 30

  31. SPEC CPU2006 Performance Evaluation Shadow Geometric Max Min Stack Mean Direct 5.78% 38.68% 0.00% Recommended 3.65% 9.70% 0.00% 31

  32. SPEC CPU2006 Performance Evaluation Shadow Geometric Max Min Stack Mean Direct 5.78% 38.68% 0.00% Recommended 3.65% 9.70% 0.00% 32

  33. SPEC CPU2006 – Integrity Enforcement Integrity Geometric Max Min Scheme Mean Randomization 4.31% 13.68% 0.00% MPX 12.12% 33.02% 2.47% MPK 61.18% 419.81% 0.00% 33

  34. Conclusion • Stack remains vulnerable to code reuse attacks • Need to separate return addresses from data plane • Recommend a compact, register based shadow stack for deployment Shadow Stacks + CFI = practical CFH mitigation https://github.com/HexHive/ShadowStack 34

Recommend

What is albedo? The proportion of incident light (light shining on something) that is

What is albedo? The proportion of incident light (light shining on something) that is

What is albedo? The proportion of incident light (light shining on something) that is reflected by a surface, or more simply, how reflective something is. Albedo is therefore a percent or fraction. Albedo of 60% (or 0.6) means that

397 views • 16 slides
What matter(s) around galaxies? Shining a bright light on the cold phase of the CGM Cantalupo et

What matter(s) around galaxies? Shining a bright light on the cold phase of the CGM Cantalupo et

What matter(s) around galaxies? Shining a bright light on the cold phase of the CGM Cantalupo et al., Nature , 2014 Sebastiano Cantalupo ETH Zurich In collaboration with: MUSE GTO Team (ETH, CRAL, Leiden, AIP, Toulouse, Gottingen) + Cosmic

368 views • 24 slides
Homes Within Reach Shining HUDs Light on Housing Solutions U.S. Department of Housing and

Homes Within Reach Shining HUDs Light on Housing Solutions U.S. Department of Housing and

Homes Within Reach Shining HUDs Light on Housing Solutions U.S. Department of Housing and Urban Development Joseph J. DeFelice, Region III Regional Administrator December 6, 2017 1 The Secretarys th three ee Rs Reimagine the

532 views • 24 slides
Shining light in a black box Rethinking graduate medical education to meet North Carolinas

Shining light in a black box Rethinking graduate medical education to meet North Carolinas

Shining light in a black box Rethinking graduate medical education to meet North Carolinas health care workforce needs Noah Wohlert, MD Department of Family Medicine The University of North Carolina at Chapel Hill Goals of this talk

380 views • 35 slides
Acceleration Data Structures for Ray Tracing Most slides are taken from Fredo Durand Shadows

Acceleration Data Structures for Ray Tracing Most slides are taken from Fredo Durand Shadows

Acceleration Data Structures for Ray Tracing Most slides are taken from Fredo Durand Shadows one shadow ray per intersection per point light source no shadow rays one shadow ray Soft Shadows multiple shadow rays to sample area light

660 views • 52 slides
Shining Light on Neutrino Interactions Andrzej Szelc (University of Manchester) A short history

Shining Light on Neutrino Interactions Andrzej Szelc (University of Manchester) A short history

Shining Light on Neutrino Interactions Andrzej Szelc (University of Manchester) A short history of Neutrinos The neutrino was proposed in 1930 by W. Pauli to save energy conservation in b -decays. It was discovered by Reines and F.

1.09k views • 60 slides
Making the Invisible Visible: Shining the Light on Energy Efficiency in the Real Estate Market

Making the Invisible Visible: Shining the Light on Energy Efficiency in the Real Estate Market

Making the Invisible Visible: Shining the Light on Energy Efficiency in the Real Estate Market Charlie Taylor November 7 th , 2016 About NEEP Mission Accelerate energy efficiency as an essential part of demand-side solutions that enable a

471 views • 8 slides
Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of

Shining a Light on the Dark Side: How the Global Financial Crisis Exposed the Dark Side of Leadership Dr Holly Andrews Worcester Business School Global Business Conference Sibenik 2015 Overview What is the issue? Introducing psychopathy

372 views • 18 slides
T-MAN LIGHTING TOWER SHINING A LIGHT ON SAFETY Brian Edwards Plant and Asset Operations Manager

T-MAN LIGHTING TOWER SHINING A LIGHT ON SAFETY Brian Edwards Plant and Asset Operations Manager

T-MAN LIGHTING TOWER SHINING A LIGHT ON SAFETY Brian Edwards Plant and Asset Operations Manager Australia and Pacific BACKGROUND At any given time up to 60 separate 240V lighting plants can be operational on an active mine site. Each lighting

433 views • 15 slides
Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer

Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer

Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer scherzer@cg.tuwien.ac.at LBI Virtual Archeology 2 Hard Shadows Shadow Mapping: First Pass Light Shadow map Render scene from light-view and save

1.44k views • 109 slides
the shadow knows Shadow Algorithms Who knows what evil lurks in the hearts of men? Why

the shadow knows Shadow Algorithms Who knows what evil lurks in the hearts of men? Why

the shadow knows Shadow Algorithms Who knows what evil lurks in the hearts of men? Why shadows? Anatomy of a shadow Increase realism Umbra Area completely obscured by object Shows relationships between objects. Hard

445 views • 5 slides
Light & Shadow in the Deep: Strong Absorption Systems Probed by a Deep NB Imaging Rhythm

Light & Shadow in the Deep: Strong Absorption Systems Probed by a Deep NB Imaging Rhythm

Light & Shadow in the Deep: Strong Absorption Systems Probed by a Deep NB Imaging Rhythm Shimakawa NAOJ Fellow (Subaru Telescope) 2 Topics (Summary) 2min-: Narrow-Band Absorbers (NBAs) What are NBAs? Dual NBAH Emitters at

467 views • 11 slides
Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh 2 , Virginie Lallemand 2 , Mara Naya-Plasencia 3 , Lo Perrin 3 , Andr Schrottenloher 3 1 Universit de Rennes, CNRS, Irisa - Rennes, France

717 views • 44 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Sorting with Pop Stacks Stacks Pop stacks 1-Pop-stack sortability 2-Pop-stack sortability

Sorting with Pop Stacks Stacks Pop stacks 1-Pop-stack sortability 2-Pop-stack sortability

Sorting with Pop Stacks Lara Pudwell Sorting with Pop Stacks Stacks Pop stacks 1-Pop-stack sortability 2-Pop-stack sortability Polyominoes on a helix Lara Pudwell Width 2 Width 3 faculty.valpo.edu/lpudwell Wrapping up joint work with

825 views • 34 slides
SHADOW PINES Town Of Penfield 3100 Atlantic Avenue Penfield, New York 14526 SHADOW PINES

SHADOW PINES Town Of Penfield 3100 Atlantic Avenue Penfield, New York 14526 SHADOW PINES

SHADOW PINES Town Of Penfield 3100 Atlantic Avenue Penfield, New York 14526 SHADOW PINES OVERVIEW REVIEW OF SHADOW LAKES/ SHADOW PINES COMMUNITY ADVISORY REPORT (SEPT. 2016) SHADOW PINES LAND USE ADVISORY COMMITTEE FINAL

249 views • 11 slides
Lists, Stacks and Queues Stacks and Queues Stacks n A restricted list where insertions and

Lists, Stacks and Queues Stacks and Queues Stacks n A restricted list where insertions and

Lists, Stacks and Queues Stacks and Queues Stacks n A restricted list where insertions and deletions can only be performed at one location, the end of the list (top). n LIFO Last In First Out q Laundry Basket last thing you put

348 views • 12 slides
Stacks Stacks The unorganized persons data structure stacks 1 Stack characteristics Stack

Stacks Stacks The unorganized persons data structure stacks 1 Stack characteristics Stack

Stacks Stacks The unorganized persons data structure stacks 1 Stack characteristics Stack characteristics Entries are ordered in terms of access -- both insertion and removal take place at same spot (top of stack) Specialized

629 views • 42 slides
Guiding and Shadow Rays Alexander Keller, Ken Dahm, Nikolaus Binder, Thomas Mller Guiding and

Guiding and Shadow Rays Alexander Keller, Ken Dahm, Nikolaus Binder, Thomas Mller Guiding and

Guiding and Shadow Rays Alexander Keller, Ken Dahm, Nikolaus Binder, Thomas Mller Guiding and Shadow Rays Importance sampling of many light sources sampling proportional to integrand p f r cos Guiding and Shadow Rays Importance

690 views • 58 slides
CIS 781 What is a Shadow? Shadows From Websters dictionary: Shad-ow (noun): partial

CIS 781 What is a Shadow? Shadows From Websters dictionary: Shad-ow (noun): partial

CIS 781 What is a Shadow? Shadows From Websters dictionary: Shad-ow (noun): partial darkness or obscurity within a part of space from which rays from a source of light are cut off by an interposed opaque body Simplest Example :

634 views • 37 slides
11 Shadow Volumes Steve Marschner CS5625 Spring 2019 References F . Crow, Shadow Algorithms

11 Shadow Volumes Steve Marschner CS5625 Spring 2019 References F . Crow, Shadow Algorithms

11 Shadow Volumes Steve Marschner CS5625 Spring 2019 References F . Crow, Shadow Algorithms for Computer Graphics. SIGGRAPH 1977. http://dx.doi.org/10.1145/965141.563901 M. McGuire, E ffi cient Shadow Volume Rendering. GPU Gems ,

510 views • 27 slides
10 Shadow Volumes Steve Marschner CS5625 Spring 2015 References F . Crow, Shadow Algorithms

10 Shadow Volumes Steve Marschner CS5625 Spring 2015 References F . Crow, Shadow Algorithms

10 Shadow Volumes Steve Marschner CS5625 Spring 2015 References F . Crow, Shadow Algorithms for Computer Graphics. SIGGRAPH 1977. http://dx.doi.org/10.1145/965141.563901 M. McGuire, E ffi cient Shadow Volume Rendering. GPU Gems ,

152 views • 12 slides
csci 210: Data Structures Stacks and Queues Summary Topics stacks and queues as

csci 210: Data Structures Stacks and Queues Summary Topics stacks and queues as

csci 210: Data Structures Stacks and Queues Summary Topics stacks and queues as abstract data types implementations arrays linked lists analysis and comparison application: searching with stacks and

284 views • 16 slides
An Efficient Hybrid Shadow Rendering Algorithm Eric Chan Frdo Durand Massachusetts Institute

An Efficient Hybrid Shadow Rendering Algorithm Eric Chan Frdo Durand Massachusetts Institute

An Efficient Hybrid Shadow Rendering Algorithm Eric Chan Frdo Durand Massachusetts Institute of Technology Not Another Talk on Shadows?! Main ideas: combination of shadow maps + shadow volumes computation masks + Classic Shadow

629 views • 48 slides

More recommend