The Performance Cost of Shadow Stacks and Stack Canaries

Control-flow defenses against ROP either use shadow stacks, which give strict and strong but expensive protection against redirected RET instructions, or omit them and settle for much faster but weaker protection. In this work we study the inherent overheads of shadow stack schemes. We find that the overhead is roughly 10% for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly less: 3.5%. Our measurements suggest it will not be easy to improve performance on current x86 processors further, due to inherent costs associated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives.
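As an added illustration (not code from the paper), the two instrumentation schemes the abstract compares, modelled in C on a toy flat stack: the traditional shadow stack keeps its own stack pointer and compares on return, while the parallel shadow stack, as this example assumes the design, mirrors each return address at a constant offset from the stack pointer and overwrites the slot on return. The memory-operation counts are this model's bookkeeping, not the paper's measurements.

```c
#include <stdint.h>
/* Toy model: one flat word array holds the main stack (indices [0, STACK_WORDS),
 * growing down) and its parallel shadow, a mirror region at sp + PSS_OFFSET. */
#define STACK_WORDS 32
#define PSS_OFFSET  STACK_WORDS
typedef struct {
    uintptr_t mem[2 * STACK_WORDS]; /* main stack + parallel shadow region      */
    int sp;                         /* main stack pointer (index), grows down   */
    uintptr_t shadow[STACK_WORDS];  /* traditional shadow stack ...             */
    int ssp;                        /* ... which needs its own stack pointer    */
    int mem_ops;                    /* loads/stores spent on shadow bookkeeping */
} machine;
void machine_init(machine *m) { *m = (machine){0}; m->sp = m->ssp = STACK_WORDS; }

/* Traditional prologue: load ssp, store the return address, store updated ssp. */
void trad_call(machine *m, uintptr_t ret) {
    m->mem[--m->sp] = ret;                       /* the CALL itself */
    m->shadow[--m->ssp] = ret;  m->mem_ops += 3;
}
/* Traditional epilogue: pop both copies (load ssp, load saved, store ssp) and
 * compare them; -1 reports tampering instead of returning through it. */
int trad_ret(machine *m, uintptr_t *target) {
    uintptr_t on_stack = m->mem[m->sp++];
    uintptr_t saved = m->shadow[m->ssp++];  m->mem_ops += 3;
    if (on_stack != saved) return -1;
    *target = on_stack; return 0;
}
/* Parallel prologue: one load from (sp), one store to the mirror slot. */
void pss_call(machine *m, uintptr_t ret) {
    m->mem[--m->sp] = ret;                       /* the CALL itself */
    m->mem[m->sp + PSS_OFFSET] = m->mem[m->sp];  m->mem_ops += 2;
}
/* Parallel epilogue: overwrite (sp) from the mirror and RET through it, so a
 * corrupted return address is replaced rather than reported. */
uintptr_t pss_ret(machine *m) {
    m->mem[m->sp] = m->mem[m->sp + PSS_OFFSET];  m->mem_ops += 2;
    return m->mem[m->sp++];
}
/* Constructed fault: the saved return address on the main stack is clobbered;
 * both kinds of shadow copy lie outside the overwritten slot. */
void corrupt_return_slot(machine *m, uintptr_t bogus) { m->mem[m->sp] = bogus; }

/* One call/return pair per scheme with the slot clobbered in between: target is
 * where control would go (-1 if detected); ops counts shadow memory accesses,
 * 6 for the traditional scheme and 4 for the parallel one in this model. */
typedef struct { intptr_t target; int ops; } result;
result run_pair(int parallel) {
    machine m; uintptr_t t = 0; int rc = 0; machine_init(&m);
    if (parallel) { pss_call(&m, 0x2000); corrupt_return_slot(&m, 0xbad); t = pss_ret(&m); }
    else { trad_call(&m, 0x1000); corrupt_return_slot(&m, 0xbad); rc = trad_ret(&m, &t); }
    return (result){ rc < 0 ? -1 : (intptr_t)t, m.mem_ops };
}
```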
