Security Properties for Stack Safety

What exactly does “stack safety” mean? The phrase is associated with a variety of compiler, run-time, and hardware mechanisms for protecting stack memory. But these mechanisms typically lack precise specifications, relying instead on informal descriptions and examples of bad behaviors that they prevent. We propose a formal characterization of stack safety, formulated with concepts from language-based security: a combination of an integrity property (“the private state in each caller’s stack frame is held invariant by the callee”), a confidentiality property (“the callee’s behavior is insensitive to the caller’s private state”), and a well-bracketedness property (“each callee returns control to its immediate caller”). We use these properties to validate the stack-safety “micro-policies” proposed by Roessler and DeHon [2018]. Specifically, we check (with property-based random testing) that Roessler and DeHon’s “eager” micro-policy, which catches violations as early as possible, enforces a simple “stepwise” variant of our properties and correctly detects several broken variants, and that (a repaired version of) their more performant “lazy” micro-policy corresponds to a slightly weaker and more extensional “observational” variant of our properties.
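The three properties above can be made concrete on a toy machine. The Python below is an added illustration, not the paper’s Coq/QuickChick development and not the Roessler and DeHon micro-policy: it models a stack of integer slots with explicit frames, a three-instruction callee language, and one “stepwise” checker per property (integrity is checked after every callee step, confidentiality by running the callee from two states that differ only in the caller’s private slots, well-bracketedness by inspecting the frame stack after the return). The machine layout, instruction set, sample callees and every function name are assumptions made for this example.

```python
"""Toy stack machine with stepwise checks for integrity, confidentiality and
well-bracketedness.  Added example only: not the paper's development and not
the Roessler-DeHon micro-policy.  Everything here is assumed for illustration."""
import random

STACK_SIZE = 16      # assumed: slots 0..15, stack grows upward
MAIN_SIZE = 2        # an outer frame below the caller, so a skipped return is visible
CALLER_SIZE = 4      # every slot of the caller's frame counts as its private state
CALLEE_SIZE = 4


class Machine:
    def __init__(self):
        self.mem = [0] * STACK_SIZE
        self.frames = []      # (base, top) ranges; frames[-1] is the active frame
        self.observed = []    # values loaded by the running code: its observable behaviour

    def call(self, size):
        base = self.frames[-1][1] if self.frames else 0
        self.frames.append((base, base + size))

    def active(self):
        return self.frames[-1]


# Assumed instruction set: ('store', off, val), ('load', off), ('ret', n_frames).
# Offsets are relative to the active frame's base; a negative offset reaches
# below the frame into the caller, which is the class of bug the checks target.
def step(m, instr):
    base, _top = m.active()
    op = instr[0]
    if op in ('store', 'load'):
        addr = base + instr[1]
        if not 0 <= addr < STACK_SIZE:      # no Python negative-index wraparound
            raise IndexError(f"address {addr} outside the stack")
        if op == 'store':
            m.mem[addr] = instr[2]
        else:
            m.observed.append(m.mem[addr])
    elif op == 'ret':
        for _ in range(instr[1]):
            m.frames.pop()
    else:
        raise ValueError(f"unknown instruction {op}")


def fresh_machine(caller_private):
    """main frame, then a caller frame holding caller_private (CALLER_SIZE ints)."""
    m = Machine()
    m.call(MAIN_SIZE)
    m.call(CALLER_SIZE)
    base, top = m.active()
    m.mem[base:top] = list(caller_private)
    return m


def run_callee(m, code):
    """Push the callee's frame and execute it, yielding after every step."""
    m.call(CALLEE_SIZE)
    for instr in code:
        step(m, instr)
        yield instr


def integrity_violation(code, caller_private):
    """Stepwise integrity: the caller's frame must be unchanged after every
    callee step.  Returns the first instruction that changes it, or None."""
    m = fresh_machine(caller_private)
    base, top = m.active()
    before = m.mem[base:top]
    for instr in run_callee(m, code):
        if m.mem[base:top] != before:
            return instr
    return None


def confidentiality_violation(code, private_a, private_b):
    """Run the callee from two states differing only in the caller's private
    slots; True means its observations (hence its behaviour) depended on them."""
    ma, mb = fresh_machine(private_a), fresh_machine(private_b)
    for m in (ma, mb):
        for _ in run_callee(m, code):
            pass
    return ma.observed != mb.observed


def returns_to_caller(code, caller_private):
    """Well-bracketedness: after the callee returns, the active frame is the
    immediate caller's, with exactly as many frames as before the call."""
    m = fresh_machine(caller_private)
    caller_frame, depth = m.active(), len(m.frames)
    for _ in run_callee(m, code):
        pass
    return len(m.frames) == depth and m.active() == caller_frame


def random_confidentiality_check(code, trials=50, seed=0):
    """Property-based test in the QuickChick spirit: random pairs of caller
    private states; returns a counterexample pair or None."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(1000) for _ in range(CALLER_SIZE)]
        b = [rng.randrange(1000) for _ in range(CALLER_SIZE)]
        if confidentiality_violation(code, a, b):
            return a, b
    return None


# Constructed sample callees (not from the paper).
GOOD = [('store', 0, 7), ('load', 0), ('ret', 1)]       # touches only its own frame
OVERWRITES_CALLER = [('store', -1, 99), ('ret', 1)]     # underflow into the caller's last slot
READS_CALLER = [('load', -2), ('ret', 1)]               # leaks a caller slot into its behaviour
SKIPS_CALLER = [('ret', 2)]                             # pops the caller's frame as well
```

Note that `SKIPS_CALLER` passes the integrity check and fails only well-bracketedness, while `READS_CALLER` passes integrity and fails only confidentiality: the three properties are independent, which is why the abstract lists all three rather than a single memory-safety condition.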

[1] David A. Wagner et al. The Performance Cost of Shadow Stacks and Stack Canaries, 2015, AsiaCCS.

[2] Benjamin C. Pierce et al. Testing noninterference, quickly, 2013, Journal of Functional Programming.

[3] Crispan Cowan et al. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, 1998, USENIX Security Symposium.

[4] B. Pierce et al. QuickChick: Property-based testing for Coq, 2014.

[5] Dominique Devriese et al. Reasoning About a Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management, 2018, ESOP.

[6] Milo M. K. Martin et al. Hardbound: architectural support for spatial safety of the C programming language, 2008, ASPLOS.

[7] Peter G. Neumann et al. The CHERI capability model: Revisiting RISC in an age of risk, 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[8] Peter G. Neumann et al. Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine, 2015, ASPLOS.

[9] Milo M. K. Martin et al. CETS: compiler enforced temporal safety for C, 2010, ISMM '10.

[10] Ravi Sahita et al. Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity, 2019, HASP@ISCA.

[11] Milo M. K. Martin et al. SoftBound: highly compatible and complete spatial memory safety for C, 2009, PLDI '09.

[12] André DeHon et al. Protecting the Stack with Metadata Policies and Tagged Hardware, 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[13] Dominique Devriese et al. StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities, 2018, Journal of Functional Programming.

[14] Benjamin C. Pierce et al. Micro-Policies: Formally Verified, Tag-Based Security Monitors, 2015, 2015 IEEE Symposium on Security and Privacy.

[15] Dominique Devriese et al. Efficient and provable local capability revocation using uninitialized capabilities, 2021, Proc. ACM Program. Lang.

[16] Dominique Devriese et al. Reasoning about a Machine with Local Capabilities, 2019, ACM Trans. Program. Lang. Syst.

[17] J. Meseguer et al. Security Policies and Security Models, 1982, 1982 IEEE Symposium on Security and Privacy.

[18] Jonathan M. Smith et al. Architectural Support for Software-Defined Metadata Processing, 2015, ASPLOS.

[19] Dominique Devriese et al. Temporal Safety for Stack Allocated Memory on Capability Machines, 2019, 2019 IEEE 32nd Computer Security Foundations Symposium (CSF).

[20] George Candea et al. Code-pointer integrity, 2014, OSDI.

[21] Mark Harman et al. An Analysis and Survey of the Development of Mutation Testing, 2011, IEEE Transactions on Software Engineering.

[22] Benjamin C. Pierce et al. The Meaning of Memory Safety, 2017, POST.