The performance cost of shadow stacks and stack canaries

ASIACCS 2015 - Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Volumn , Issue , 2015, Pages 555-566

  Dang, Thurston H Y ^a   Maniatis, Petros ^b   Wagner, David ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b GOOGLE INC   (United States)

Author keywords

Shadow stack; Stack canary; Stack cookie

Indexed keywords

COMPUTERS;

CONTROL FLOWS; DESIGN DECISIONS; IMPROVE PERFORMANCE; MEMORY LOAD; PERFORMANCE COSTS; SHADOW STACK; STACK CANARY; STACK COOKIE;

COMPUTER SCIENCE;

EID: 84942543728     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2714576.2714635     Document Type: Conference Paper

References (55)

1. Itanium(R) Processor Family Performance Advantages: Register Stack Architecture. https://software.intel.com/en-us/articles/itaniumr-processor-family-performance-advantages-register-stack-architecture, October 2008.
2. SPEC CPU2006: Read Me First. http://www.spec.org/cpu2006/Docs/readme1st.html, September 2011.
3. Software Optimization Guide for AMD Family 15h Processors. January 2012.
4. ARM Information Center. http://infocenter.arm.com/help/index.jsp? topic=/com.arm.doc.ddi0439d/Chdedegj.html, September 2013.
5. Emerging 'Stack Pivoting'Exploits Bypass Common Security. http://blogs.mcafee.com/mcafee-labs/emerging-stack-pivoting-exploits-bypass-common-security, May 2013.
6. Intel(R) 64 and IA-32 Architectures Optimization Reference Manual. March 2014.
7. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-ow integrity principles, implementations, and applications. TISSEC, 2009.
8. A. Baratloo, N. Singh, and T. K. Tsai. Transparent Run-Time Defense Against Stack-Smashing Attacks. In USENIX ATC, 2000.
9. S. Bhatkar, D. C. DuVarney, and R. Sekar. Eficient Techniques for Comprehensive Protection from Memory Error Exploits. In USENIX Security, 2005.
10. S. Bird, A. Phansalkar, L. K. John, A. Mericas, and R. Indukuru. Performance Characterization of SPEC CPU Benchmarks on Intel's Core Microarchitecture Based Processor. In SPEC Benchmark Workshop, 2007.
11. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-oriented programming: a new class of code-reuse attack. In CCS, 2011.
12. M. Budiu, U. Erlingsson, and M. Abadi. Architectural support for software-based protection. In Proceedings of the 1st workshop on Architectural and system support for improving software dependability, 2006.
13. N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In USENIX Security, 2014.
14. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In CCS, 2010.
15. T.-c. Chiueh and F.-H. Hsu. RAD: A compile-time solution to buér overow attacks. In ICDCS, 2001.
16. M. L. Corliss, E. C. Lewis, and A. Roth. Using DISE to protect return addresses from attack. ACM SIGARCH Computer Architecture News, 2005.
17. C. Dahn and S. Mancoridis. Using program transformation to secure C programs against buér overows. In 20th Working Conference on Reverse Engineering, 2003.
18. L. Davi, P. Koeberl, and A.-R. Sadeghi. Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Eficient Protection of Embedded Systems Against Software Exploitation. In DAC, 2014.
19. L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-ow integrity protection. In USENIX Security, 2014.
20. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In CCS, 2011.
21. U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, 2006.
22. A. Fog. The microarchitecture of Intel, AMD and VIA CPUs. www.agner.org/optimize/microarchitecture.pdf, August 2014.
23. M. Frantzen and M. Shuey. StackGhost: Hardware Facilitated Stack Protection. In USENIX Security, 2001.
24. E. Goktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-ow integrity. In IEEE S&P, 2014.
25. S. Gupta, P. Pratap, H. Saran, and S. Arun-Kumar. Dynamic code instrumentation to detect and recover from return address corruption. In International workshop on Dynamic systems analysis, 2006.
26. K. Inoue. Lock and Unlock: A Data Management Algorithm for A Security-Aware Cache. In ICECS, 2006.
27. C. Isen and L. John. On the object orientedness of c++ programs in spec cpu 2006. In SPEC Benchmark Workshop, 2008.
28. W.-F. Kao and S. F. Wu. Light-weight Hardware Return Address and Stack Frame Tracking to Prevent Function Return Address Attack. In International Conference on Computational Science and Engineering.
29. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-Pointer Integrity. In OSDI, 2014.
30. R. B. Lee, D. K. Karig, J. P. McGregor, and Z. Shi. Enlisting hardware architecture to thwart malicious code injection. In Security in Pervasive Computing. 2004.
31. A. J. Mashtizadeh, A. Bittau, D. Maziéres, and D. Boneh. Cryptographically enforced control ow integrity. In arXiv:1408.1451, 2014.
32. H. Massalin. Superoptimizer: a look at the smallest program. In ACM SIGPLAN Notices, 1987.
33. S. McCamant and G. Morrisett. Evaluating SFI for a CISC Architecture. In USENIX Security, 2006.
34. T. Mytkowicz, A. Diwan, M. Hauswirth, and P. F. Sweeney. Producing wrong data without doing anything obviously wrong! In ASPLOS, 2009.
35. D. Nebenzahl, M. Sagiv, and A. Wool. Install-time vaccination of Windows executables to defend against stack smashing attacks. Dependable and Secure Computing, IEEE Transactions on, 2006.
36. A. One. Smashing the stack for fun and profft. Phrack magazine, 1996.
37. P. O'Sullivan, K. Anand, A. Kotha, M. Smithson, R. Barua, and A. D. Keromytis. Retrofftting security in COTS software with binary rewriting. In Future Challenges in Security and Privacy for Academia and Industry. 2011.
38. H. Ozdoganoglu, T. Vijaykumar, C. E. Brodley, B. A. Kuperman, and A. Jalote. SmashGuard: A hardware solution to prevent security attacks on the function return address. Computers, IEEE Transactions on, 2006.
39. S.-H. Park, Y.-J. Han, S.-J. Hong, H.-C. Kim, and T.-M. Chung. The dynamic buér overow detection and prevention tool for windows executables using binary rewriting. In The 9th International Conference on Advanced Communication Technology, 2007.
40. M. Payer and T. R. Gross. Fine-grained user-space security through virtualization. In VEE, 2011.
41. M. Payer, T. Hartmann, and T. R. Gross. Safe loading-A foundation for secure execution of untrusted programs. In IEEE S&P, 2012.
42. M. Prasad and T.-c. Chiueh. A Binary Rewriting Defense Against Stack based Buér Overow Attacks. In USENIX ATC, 2003.
43. K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. AddressSanitizer: A Fast Address Sanity Checker. In USENIX ATC, 2012.
44. H. Shacham. The geometry of innocent esh on the bone: Return-into-libc without function calls (on the x86). In CCS, 2007.
45. S. Sidiroglou, G. Giovanidis, and A. D. Keromytis. A dynamic mechanism for recovering from buér overow attacks. In Information security. 2005.
46. S. Sinnadurai, Q. Zhao, and W. fai Wong. Transparent runtime shadow stack: Protection against malicious return address modifications. http://citeseerx.ist.psu.edu/viewdoc/download? doi=10.1.1.120.5702&rep=rep1&type=pdf, 2008.
47. L. Szekeres, M. Payer, T. Wei, and D. Song. SoK: Eternal war in memory. In IEEE S&P, 2013.
48. C. Tice, T. Roeder, P. Collingbourne, S. Checkoway,-U. Erlingsson, L. Lozano, and G. Pike. Enforcing forward-edge control-ow integrity in gcc & llvm. In USENIX Security, 2014.
49. Vendicator. Stack Shield. http://www.angelfire.com/sk/stackshield/info.html, 2000.
50. P. Wagle and C. Cowan. Stackguard: Simple stack smash protection for gcc. In GCC Developers Summit, 2003.
51. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Eficient software-based fault isolation. In SOSP, 1993.
52. J. Xu, Z. Kalbarczyk, S. Patel, and R. K. Iyer. Architecture support for defending against buér overow attacks. In Workshop on Evaluating and Architecting Systems for Dependability, 2002.
53. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control ow integrity and randomization for binary executables. In IEEE S&P, 2013.
54. M. Zhang, R. Qiao, N. Hasabnis, and R. Sekar. A platform for secure static binary instrumentation. In VEE, 2014.
55. M. Zhang and R. Sekar. Control Flow Integrity for COTS Binaries. In USENIX Security, 2013.