
Defending Against Code-Reuse Attacks By Stack Protection

Posted on: 2017-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Xie
Full Text: PDF
GTID: 2308330488478390
Subject: Computer Science and Technology

Abstract/Summary:
In code-reuse attacks, the adversary tampers with the normal stack and exploits software vulnerabilities to hijack the control flow. Before executing code fragments that already exist in the program, the adversary needs to pivot the stack pointer to a fake call stack. By protecting the normal stack, this essential step of code-reuse attacks can be thwarted. Hence the thesis uses a shadow stack to provide backward control-flow integrity and, at the same time, detects and prevents illegal stack pivoting; together these defend against code-reuse attacks.

The main work is as follows:

(1) The problems with existing shadow stack implementations are analyzed. A shadow stack stores the return address whenever a function call occurs, which provides backward CFI protection. However, existing shadow stack schemes apply only to single-threaded programs rather than multi-threaded ones, and they require manual modification of the source code. Moreover, they face the threat of the shadow stack itself being leaked or sabotaged.

(2) Given the source code of a program, we improve on existing shadow stack implementations. Through thread hijacking and compile-time instrumentation, the new implementation keeps the source code intact and applies to multi-threaded programs. We also use Thread Local Storage to hide the location of the shadow stack, thereby preventing it from being leaked or tampered with. A prototype called Hardened Shadow Stack (HSS) is designed and implemented. The effectiveness of HSS is validated, and its performance cost is around 5.8%.

(3) The problem of detecting stack pivoting is analyzed. In practical ROP attacks, there is a step called stack pivoting that moves the stack pointer from the stack region to a non-stack region, such as the heap, where the payload lies. Existing defenses instrument only the beginning of critical functions associated with memory manipulation and assert there that the stack pointer is within the stack region of the current thread. But this can be bypassed when the payload that invokes the critical functions is pivoted back onto the stack.

(4) We redesign the points at which stack pivoting is checked. By instrumenting after instructions that update the stack pointer, we prevent the stack pivoting check from being bypassed. The approach is implemented as an LLVM pass, and its performance cost is less than 1%.
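As an added example (not the thesis's own code; HSS and its LLVM pass are not reproduced here), the following C program models the two mechanisms the abstract describes: a per-thread shadow stack kept in thread-local storage, with a check at function entry and exit, and a stack-pointer range check applied either only at critical-function entry or after every stack-pointer update. The instrumentation calls are inserted by hand in place of the thesis's compiler pass, and the stack region bounds and the sequence of stack-pointer values are constructed values chosen to show why checking only at critical-function entry misses a pivot that has already been reversed.

```c
#include <stdint.h>
#include <stdio.h>

#define SHADOW_DEPTH 64

/* Per-thread shadow stack. _Thread_local gives every thread its own copy,
 * reached through TLS rather than a fixed global address. */
static _Thread_local void *shadow[SHADOW_DEPTH];
static _Thread_local int shadow_top;

/* Entry instrumentation: save the caller's return address. */
static void shadow_push(void *ret) {
    if (shadow_top < SHADOW_DEPTH)
        shadow[shadow_top++] = ret;
}

/* Exit instrumentation: compare the return address the function is about to
 * use with the saved copy. Returns 1 on match, 0 if the value on the normal
 * stack no longer matches the shadow copy. */
static int shadow_pop_check(void *ret) {
    if (shadow_top == 0)
        return 0;
    return shadow[--shadow_top] == ret;
}

/* A callee instrumented by hand; the thesis inserts equivalent calls with a
 * compiler pass. __builtin_return_address(0) is a GCC/Clang builtin. */
__attribute__((noinline)) static int instrumented_callee(void) {
    void *ret = __builtin_return_address(0);
    shadow_push(ret);
    /* ... function body would run here ... */
    return shadow_pop_check(ret);     /* 1: return address still intact */
}

int run_benign_call(void) {
    return instrumented_callee();
}

/* Model a frame whose saved return address was overwritten between entry
 * and exit: the shadow copy and the (constructed) corrupted value differ. */
int simulate_tampered_return(void) {
    void *saved = (void *)0x1000;        /* constructed original address */
    void *corrupted = (void *)0x2000;    /* constructed overwritten value */
    shadow_push(saved);
    return shadow_pop_check(corrupted);  /* 0: mismatch detected */
}

/* Stack-pivot check: is sp inside the current thread's stack [lo, hi)? */
static int sp_in_stack(uintptr_t sp, uintptr_t lo, uintptr_t hi) {
    return sp >= lo && sp < hi;
}

/* One stack-pointer update in a constructed trace: the SP value after the
 * update, and whether this point is the entry of a "critical" function. */
struct sp_step { uintptr_t sp; int critical_entry; };

/* Constructed stack region and trace: pivot to the heap, run there, then
 * pivot back onto the real stack before the critical function is entered. */
static const uintptr_t STACK_LO = 0x7ff00000u, STACK_HI = 0x7ff10000u;
static const struct sp_step TRACE[] = {
    { 0x7ff0f000u, 0 },  /* normal frame */
    { 0x00601000u, 0 },  /* pivot: SP now points into the heap */
    { 0x00601010u, 0 },  /* gadgets run with SP in the heap */
    { 0x7ff0e000u, 0 },  /* pivot back onto the stack */
    { 0x7ff0e000u, 1 },  /* critical function entered with a valid-looking SP */
};
#define TRACE_LEN (int)(sizeof TRACE / sizeof TRACE[0])

/* Older policy: check only at critical-function entry.
 * Returns the index of the first detected step, or -1 if never detected. */
int detect_at_critical_entry_only(void) {
    for (int i = 0; i < TRACE_LEN; i++)
        if (TRACE[i].critical_entry && !sp_in_stack(TRACE[i].sp, STACK_LO, STACK_HI))
            return i;
    return -1;
}

/* Thesis policy: check after every instruction that updates SP. */
int detect_after_every_sp_update(void) {
    for (int i = 0; i < TRACE_LEN; i++)
        if (!sp_in_stack(TRACE[i].sp, STACK_LO, STACK_HI))
            return i;
    return -1;
}

int main(void) {
    printf("benign call: %d (1 = return address intact)\n", run_benign_call());
    printf("tampered return: %d (0 = mismatch detected)\n", simulate_tampered_return());
    printf("critical-entry-only policy detects at step %d (-1 = bypassed)\n",
           detect_at_critical_entry_only());
    printf("after-every-update policy detects at step %d\n",
           detect_after_every_sp_update());
    return 0;
}
```

The shadow stack lives in `_Thread_local` storage, so each thread checks against its own copy and no global pointer to it exists in the data segment; the trace model shows the critical-entry-only policy returning -1 because SP is back inside the stack bounds by the time the critical function runs, while checking after every SP update flags the first pivot at step 1.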
Keywords/Search Tags:Code-Reuse Attack, Shadow Call Stack, Backward CFI, Stack Pivoting