Formalizing Stack Safety as a Security Property

The term stack safety is used to describe a variety of compiler, runtime, and hardware mechanisms for protecting stack memory. Unlike “the heap,” the ISA-level stack does not correspond to a single high-level language concept: different compilers use it in different ways to support procedural and functional abstraction mechanisms from a wide range of languages. This protean nature makes it difficult to nail down what it means to correctly enforce stack safety.
