DOI: 10.1145/2714576.2714635
Research article, ASIA CCS conference proceedings

The Performance Cost of Shadow Stacks and Stack Canaries

Published: 14 April 2015

Abstract

Control flow defenses against ROP either use strict, expensive, but strong protection against redirected RET instructions with shadow stacks, or much faster but weaker protections without. In this work we study the inherent overheads of shadow stack schemes. We find that the overhead is roughly 10% for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly less: 3.5%. Our measurements suggest it will not be easy to improve performance on current x86 processors further, due to inherent costs associated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives.
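As an added illustration (not code from the paper, whose instrumentation is x86 assembly emitted by a compiler pass), the C model below lays out the two shadow-stack designs the abstract contrasts next to a stack canary, and runs each against two simulated attacks on a saved return address. The traditional shadow stack keeps a second stack with its own pointer; the parallel shadow stack keeps its copy at a fixed offset from the regular stack pointer, which is why its prologue and epilogue reduce to one fixed-offset store and one fixed-offset load plus a compare. Region sizes, the offset constants, the return address 0x401000 and the CANARY value are assumptions of the model, not values from the paper.

```c
/* Added example, not code from the paper: a toy model of the layouts the
 * abstract compares (a traditional shadow stack with its own pointer, a
 * parallel shadow stack at a fixed offset from the regular stack) next to a
 * stack canary, run against two simulated return-address overwrites. Region
 * sizes, offsets, addresses and the CANARY value are assumptions of the model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS     64                   /* words in the regular stack region */
#define PARALLEL_OFFSET 1024                 /* assumed fixed distance: stack slot -> parallel shadow slot */
#define SHADOW_BASE     2048                 /* assumed base of the separate traditional shadow stack */
#define MEM_WORDS       (SHADOW_BASE + STACK_WORDS)
#define CANARY          0x00d1ce5ca7e1f00dULL /* assumed canary value */

typedef struct {
    uint64_t mem[MEM_WORDS];   /* flat, word-addressed memory; x86-style: stacks grow downward */
    int sp;                    /* regular stack pointer (index of the top word) */
    int ssp;                   /* traditional shadow stack pointer */
} machine_t;

void machine_init(machine_t *m) {
    memset(m, 0, sizeof *m);
    m->sp  = STACK_WORDS;                    /* regular stack: mem[0 .. STACK_WORDS) */
    m->ssp = SHADOW_BASE + STACK_WORDS;      /* shadow stack:  mem[SHADOW_BASE .. SHADOW_BASE+STACK_WORDS) */
}

/* Unprotected baseline: CALL pushes the return address, RET pops it. */
void     plain_call(machine_t *m, uint64_t ret) { m->mem[--m->sp] = ret; }
uint64_t plain_ret(machine_t *m)                { return m->mem[m->sp++]; }

/* Traditional shadow stack: the prologue copies the return address to a second
 * stack with its own pointer; the epilogue pops both and compares them. */
void trad_call(machine_t *m, uint64_t ret) { plain_call(m, ret); m->mem[--m->ssp] = ret; }
int trad_ret(machine_t *m, uint64_t *target) {
    uint64_t real = plain_ret(m), shadow = m->mem[m->ssp++];
    if (real != shadow) return -1;           /* saved return address was modified */
    *target = real;
    return 0;
}

/* Parallel shadow stack: the shadow slot is at sp + PARALLEL_OFFSET, so no
 * second stack pointer is maintained; the prologue is one fixed-offset store
 * and the epilogue one fixed-offset load plus the compare. */
void par_call(machine_t *m, uint64_t ret) { plain_call(m, ret); m->mem[m->sp + PARALLEL_OFFSET] = ret; }
int par_ret(machine_t *m, uint64_t *target) {
    uint64_t real = m->mem[m->sp], shadow = m->mem[m->sp + PARALLEL_OFFSET];
    m->sp++;
    if (real != shadow) return -1;
    *target = real;
    return 0;
}

/* Stack canary: the frame is [buffer][canary][return address] from low to high,
 * so a contiguous overflow out of the buffer must cross the canary to reach
 * the return address. */
void canary_call(machine_t *m, uint64_t ret, int buf_words) {
    plain_call(m, ret);
    m->mem[--m->sp] = CANARY;
    m->sp -= buf_words;                      /* reserve the local buffer */
}
int canary_ret(machine_t *m, int buf_words, uint64_t *target) {
    m->sp += buf_words;
    uint64_t canary = m->mem[m->sp++];
    uint64_t real = plain_ret(m);
    if (canary != CANARY) return -1;         /* canary clobbered: abort */
    *target = real;
    return 0;
}

/* Attack 1: contiguous overflow writing n words upward from the buffer start. */
void overflow_buffer(machine_t *m, int n, uint64_t value) { for (int i = 0; i < n; i++) m->mem[m->sp + i] = value; }
/* Attack 2: a single arbitrary write that hits only the saved return address. */
void write_return_slot(machine_t *m, int words_above_sp, uint64_t value) { m->mem[m->sp + words_above_sp] = value; }

/* Contiguous overflow through the canary: the case canaries are built for. Returns 1 if caught. */
int contiguous_overflow_detected(void) {
    machine_t m; uint64_t t; const int buf = 8;
    machine_init(&m);
    canary_call(&m, 0x401000, buf);
    overflow_buffer(&m, buf + 2, 0xdeadbeef);   /* buffer + canary + return address */
    return canary_ret(&m, buf, &t) < 0;
}

/* Targeted write of just the return slot. Returns a bitmask of the defenses that
 * fired: 1 = canary, 2 = traditional shadow stack, 4 = parallel shadow stack. */
int targeted_overwrite_detected(void) {
    machine_t m; uint64_t t; int caught = 0; const int buf = 8;
    machine_init(&m); canary_call(&m, 0x401000, buf);
    write_return_slot(&m, buf + 1, 0xdeadbeef);   /* skips over the canary at buf + 0 */
    if (canary_ret(&m, buf, &t) < 0) caught |= 1;
    machine_init(&m); trad_call(&m, 0x401000);
    write_return_slot(&m, 0, 0xdeadbeef);
    if (trad_ret(&m, &t) < 0) caught |= 2;
    machine_init(&m); par_call(&m, 0x401000);
    write_return_slot(&m, 0, 0xdeadbeef);
    if (par_ret(&m, &t) < 0) caught |= 4;
    return caught;                               /* 6: both shadow stacks fire, the canary does not */
}

int main(void) {
    printf("contiguous overflow caught by canary: %d\n", contiguous_overflow_detected());
    printf("targeted overwrite caught (bitmask):  %d\n", targeted_overwrite_detected());
    return 0;
}
```

The two attacks separate the defenses along the axis the title names: a canary detects the contiguous overflow because the write has to pass through it, but a write that lands only on the return slot leaves the canary intact, while either shadow stack flags the mismatch on return. The model says nothing about cost; the abstract's 10% versus 3.5% comes from measured instrumentation, and the parallel layout's advantage is the absence of a second stack pointer and the fixed-offset addressing, not anything visible in a simulator.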



    Published In

    ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
    April 2015, 698 pages
    ISBN: 9781450332453
    DOI: 10.1145/2714576

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    shadow stack, stack canary, stack cookie

    Conference

    ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
    April 14 - 17, 2015
    Singapore, Republic of Singapore

    Acceptance Rates

    ASIA CCS '15 paper acceptance rate: 48 of 269 submissions (18%)
    Overall acceptance rate: 418 of 2,322 submissions (18%)

    Cited By

    • (2024) Understanding the Security Landscape of Control-Data and Non-Control-Data Attacks Against IoT Systems. 2024 9th International Conference on Smart and Sustainable Technologies (SpliTech), pp. 1-6. DOI: 10.23919/SpliTech61897.2024.10612517. Published 25 Jun 2024.
    • (2024) FLAShadow: A Flash-based Shadow Stack for Low-end Embedded Systems. ACM Transactions on Internet of Things 5(3), pp. 1-29. DOI: 10.1145/3670413. Published 10 Jul 2024.
    • (2024) Validating Memory Safety in Rust Binaries. Proceedings of the 17th European Workshop on Systems Security, pp. 8-14. DOI: 10.1145/3642974.3652281. Published 22 Apr 2024.
    • (2024) Is the Canary Dead? On the Effectiveness of Stack Canaries on Microcontroller Systems. Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing, pp. 1350-1357. DOI: 10.1145/3605098.3635925. Published 8 Apr 2024.
    • (2024) WindowGuardian: Return Address Integrity for ESP32 Microcontrollers with Xtensa Processors using AES and Register Windows. 2024 13th Mediterranean Conference on Embedded Computing (MECO), pp. 1-8. DOI: 10.1109/MECO62516.2024.10577840. Published 11 Jun 2024.
    • (2024) SPP: Safe Persistent Pointers for Memory Safety. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 37-52. DOI: 10.1109/DSN58291.2024.00019. Published 24 Jun 2024.
    • (2024) Tail Call Optimization Tailored for Native Stack Utilization in JavaScript Runtimes. IEEE Access 12, pp. 111801-111817. DOI: 10.1109/ACCESS.2024.3441750. Published 2024.
    • (2024) Memory Integrity Techniques for Memory-Unsafe Languages: A Survey. IEEE Access 12, pp. 43201-43221. DOI: 10.1109/ACCESS.2024.3380478. Published 2024.
    • (2023) DEMIX: Domain-Enforced Memory Isolation for Embedded System. Sensors 23(7), 3568. DOI: 10.3390/s23073568. Published 29 Mar 2023.
    • (2023) Renewable Just-In-Time Control-Flow Integrity. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 580-594. DOI: 10.1145/3607199.3607239. Published 16 Oct 2023.
