ShadowCallStack
Introduction
ShadowCallStack is an instrumentation pass, currently only implemented for aarch64, that protects programs against return address overwrites (e.g. stack buffer overflows.) It works by saving a function's return address to a separately allocated 'shadow call stack' in the function prolog in non-leaf functions and loading the return address from the shadow call stack in the function epilog. The return address is also stored on the regular stack for compatibility with unwinders, but is otherwise unused.
The aarch64 implementation is considered production ready, and an implementation of the runtime has been added to Android's libc (bionic). An x86_64 implementation was evaluated using Chromium and was found to have critical performance and security deficiencies--it was removed in LLVM 9.0. Details on the x86_64 implementation can be found in the Clang 7.0.1 documentation.
Comparison
To optimize for memory consumption and cache locality, the shadow call stack stores only an array of return addresses. This is in contrast to other schemes, like :doc:`SafeStack`, that mirror the entire stack and trade-off consuming more memory for shorter function prologs and epilogs with fewer memory accesses.
Return Flow Guard is a pure software implementation of shadow call stacks on x86_64. Like the previous implementation of ShadowCallStack on x86_64, it is inherently racy due to the architecture's use of the stack for calls and returns.
Intel Control-flow Enforcement Technology (CET) is a proposed hardware extension that would add native support to use a shadow stack to store/check return addresses at call/return time. Being a hardware implementation, it would not suffer from race conditions and would not incur the overhead of function instrumentation, but it does require operating system support.
Compatibility
A runtime is not provided in compiler-rt so one must be provided by the compiled application or the operating system. Integrating the runtime into the operating system should be preferred since otherwise all thread creation and destruction would need to be intercepted by the application.
The instrumentation makes use of the platform register x18
. On some
platforms, x18
is reserved, and on others, it is designated as a scratch
register. This generally means that any code that may run on the same thread
as code compiled with ShadowCallStack must either target one of the platforms
whose ABI reserves x18
(currently Android, Darwin, Fuchsia and Windows)
or be compiled with the flag -ffixed-x18
. If absolutely necessary, code
compiled without -ffixed-x18
may be run on the same thread as code that
uses ShadowCallStack by saving the register value temporarily on the stack
(example in Android) but this should be done with care since it risks
leaking the shadow call stack address.
Because of the use of register x18
, the ShadowCallStack feature is
incompatible with any other feature that may use x18
. However, there
is no inherent reason why ShadowCallStack needs to use register x18
specifically; in principle, a platform could choose to reserve and use another
register for ShadowCallStack, but this would be incompatible with the AAPCS64.
Special unwind information is required on functions that are compiled
with ShadowCallStack and that may be unwound, i.e. functions compiled with
-fexceptions
(which is the default in C++). Some unwinders (such as the
libgcc 4.9 unwinder) do not understand this unwind info and will segfault
when encountering it. LLVM libunwind processes this unwind info correctly,
however. This means that if exceptions are used together with ShadowCallStack,
the program must use a compatible unwinder.
Security
ShadowCallStack is intended to be a stronger alternative to
-fstack-protector
. It protects from non-linear overflows and arbitrary
memory writes to the return address slot.
The instrumentation makes use of the x18
register to reference the shadow
call stack, meaning that references to the shadow call stack do not have
to be stored in memory. This makes it possible to implement a runtime that
avoids exposing the address of the shadow call stack to attackers that can
read arbitrary memory. However, attackers could still try to exploit side
channels exposed by the operating system [1] [2] or processor [3]
to discover the address of the shadow call stack.
Unless care is taken when allocating the shadow call stack, it may be
possible for an attacker to guess its address using the addresses of
other allocations. Therefore, the address should be chosen to make this
difficult. One way to do this is to allocate a large guard region without
read/write permissions, randomly select a small region within it to be
used as the address of the shadow call stack and mark only that region as
read/write. This also mitigates somewhat against processor side channels.
The intent is that the Android runtime will do this, but the platform will
first need to be changed to avoid using setrlimit(RLIMIT_AS)
to limit
memory allocations in certain processes, as this also limits the number of
guard regions that can be allocated.
The runtime will need the address of the shadow call stack in order to
deallocate it when destroying the thread. If the entire program is compiled
with -ffixed-x18
, this is trivial: the address can be derived from the
value stored in x18
(e.g. by masking out the lower bits). If a guard
region is used, the address of the start of the guard region could then be
stored at the start of the shadow call stack itself. But if it is possible
for code compiled without -ffixed-x18
to run on a thread managed by the
runtime, which is the case on Android for example, the address must be stored
somewhere else instead. On Android we store the address of the start of the
guard region in TLS and deallocate the entire guard region including the
shadow call stack at thread exit. This is considered acceptable given that
the address of the start of the guard region is already somewhat guessable.
One way in which the address of the shadow call stack could leak is in the
jmp_buf
data structure used by setjmp
and longjmp
. The Android
runtime avoids this by only storing the low bits of x18
in the
jmp_buf
, which requires the address of the shadow call stack to be
aligned to its size.
The architecture's call and return instructions (bl
and ret
) operate on
a register rather than the stack, which means that leaf functions are generally
protected from return address overwrites even without ShadowCallStack.
Usage
To enable ShadowCallStack, just pass the -fsanitize=shadow-call-stack
flag to both compile and link command lines. On aarch64, you also need to pass
-ffixed-x18
unless your target already reserves x18
.
Low-level API
__has_feature(shadow_call_stack)
In some cases one may need to execute different code depending on whether
ShadowCallStack is enabled. The macro __has_feature(shadow_call_stack)
can
be used for this purpose.
#if defined(__has_feature)
# if __has_feature(shadow_call_stack)
// code that builds only under ShadowCallStack
# endif
#endif
__attribute__((no_sanitize("shadow-call-stack")))
Use __attribute__((no_sanitize("shadow-call-stack")))
on a function
declaration to specify that the shadow call stack instrumentation should not be
applied to that function, even if enabled globally.
Example
The following example code:
int foo() {
return bar() + 1;
}
Generates the following aarch64 assembly when compiled with -O2
:
stp x29, x30, [sp, #-16]!
mov x29, sp
bl bar
add w0, w0, #1
ldp x29, x30, [sp], #16
ret
Adding -fsanitize=shadow-call-stack
would output the following assembly:
str x30, [x18], #8
stp x29, x30, [sp, #-16]!
mov x29, sp
bl bar
add w0, w0, #1
ldp x29, x30, [sp], #16
ldr x30, [x18, #-8]!
ret