Microelectronics Reliability

Volume 55, Issues 9–10, August–September 2015, Pages 2077-2081

ShadowStack: A new approach for secure program execution

https://doi.org/10.1016/j.microrel.2015.07.021

Highlights

  • In recent years, computer systems have been experiencing an increasing wave of attacks.

  • These attacks cause loss of privacy and financial and national-security damage.

  • Integrity Checking (IC) has emerged as a possible solution for protecting computer systems.

  • ShadowStack is a promising IC technique based on a hardware-implemented watchdog.

Abstract

In recent years, computer systems belonging to large companies and governments, as well as personal computers, have been experiencing an increasing wave of attacks that disrupt their normal operation or leak sensitive data. The result is loss of privacy and financial and national-security damage. In this context, "computer security" is no longer an afterthought. Dynamic integrity checking has emerged as a possible solution for protecting computer systems by thwarting various attacks. This paper presents ShadowStack, a new dynamic integrity checking technique based on a watchdog implemented in hardware. The watchdog observes specific instructions as they pass through the processor pipeline, compares them against reference values generated at runtime and, on detecting an attempted intrusion, stalls the pipeline and flushes the offending instructions so that they are not allowed to commit. The attack type considered is the stack smashing buffer overflow, by far the most common found in the literature. Experimental results obtained through simulation demonstrate the technique's effectiveness and the overheads incurred by the proposed approach.

Introduction

The need to include security mechanisms in electronic devices has grown dramatically with the widespread use of such devices in daily life. With increasing interconnectivity among devices, attackers can now launch attacks remotely. Such attacks arrive as data over a regular communication channel and, once resident in memory, trigger a pre-existing software flaw that transfers control to the attacker's malicious code. Software vulnerabilities have been the main cause of computer security incidents. Among these, buffer overflows are perhaps the most widely exploited type of vulnerability, accounting for approximately half of the CERT advisories in recent years [1].

In this scenario, this paper presents a new hardware-based approach to detecting stack smashing buffer overflow attacks. The approach requires neither recompilation of the application code nor any software (e.g., an OS) to manage memory usage. In the preliminary implementation the approach detected 100% of the stack smashing attacks considered, with negligible area overhead and no performance degradation, since the watchdog is fully independent of the processor and runs in parallel with code execution.


Stack smashing buffer overflow attack

Buffer overflow attacks exploit a lack of bounds checking on the size of input stored in a buffer array in memory. By writing data past the end of the allocated array, the attacker can make arbitrary changes to program state stored adjacent to the array. By far the most common data structure to corrupt in this fashion is the stack, and such an attack is called "stack smashing" (or simply a "buffer overflow" attack).

Many C programs have buffer overflow vulnerabilities, both because the C language lacks array bounds
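The corruption path described above, as an added example in C that is not part of the paper: a constructed model of one 32-bit stack frame (a 16-byte local buffer followed by the saved frame pointer and the return address) on which a strcpy-style unchecked copy and a bounded copy are run with the same attacker input. The frame layout, the offsets and both addresses are assumptions of this model, not measurements from any real ABI; the unchecked copy is clamped to the model's frame size only so the demonstration itself stays within bounds.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame on a 32-bit target whose function has a
   16-byte local buffer. Layout (low addresses first): the buffer, the saved
   frame pointer, then the return address. Real layouts depend on the ABI and
   compiler; the offsets here only illustrate that the return address sits past
   the end of the buffer. */
#define BUF_SIZE   16
#define FP_OFFSET  16
#define RET_OFFSET 20
#define FRAME_SIZE 24

#define GOOD_RET   0x40001008u   /* legitimate return address (assumed) */
#define ATTACK_RET 0x7FFFF0C4u   /* attacker-chosen target (assumed); it contains no
                                    zero byte, so a strcpy-style copy does not stop early */

static void init_frame(unsigned char frame[FRAME_SIZE])
{
    uint32_t fp = 0x7FFFE000u, ret = GOOD_RET;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + FP_OFFSET, &fp, sizeof fp);
    memcpy(frame + RET_OFFSET, &ret, sizeof ret);
}

/* Return address currently stored in the frame (host byte order, as written). */
uint32_t frame_ret(const unsigned char frame[FRAME_SIZE])
{
    uint32_t ret;
    memcpy(&ret, frame + RET_OFFSET, sizeof ret);
    return ret;
}

/* Vulnerable copy: behaves like strcpy(buf, input), stopping only at the NUL
   and never consulting BUF_SIZE. The clamp at FRAME_SIZE exists only to keep
   this model in bounds; a real strcpy has no such limit. */
void copy_unchecked(unsigned char frame[FRAME_SIZE], const char *input)
{
    size_t i = 0;
    while (input[i] != '\0' && i < FRAME_SIZE) {
        frame[i] = (unsigned char)input[i];
        i++;
    }
}

/* Hardened copy: bounded by the buffer size and always NUL-terminated inside
   the buffer, so the saved frame pointer and return address are never reached. */
void copy_bounded(unsigned char frame[FRAME_SIZE], const char *input)
{
    size_t n = 0;
    while (n < BUF_SIZE - 1 && input[n] != '\0')
        n++;
    memcpy(frame, input, n);
    frame[n] = '\0';
}

/* Run one copy against a fresh frame and report the return address afterwards. */
uint32_t ret_after_unchecked(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    copy_unchecked(frame, input);
    return frame_ret(frame);
}

uint32_t ret_after_bounded(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    copy_bounded(frame, input);
    return frame_ret(frame);
}

/* Constructed attacker input: 20 filler bytes to reach RET_OFFSET, then the
   bytes of ATTACK_RET in the same byte order the frame uses, then the NUL. */
const char *attack_payload(void)
{
    static char payload[RET_OFFSET + sizeof(uint32_t) + 1];
    uint32_t target = ATTACK_RET;
    memset(payload, 'A', RET_OFFSET);
    memcpy(payload + RET_OFFSET, &target, sizeof target);
    payload[sizeof payload - 1] = '\0';
    return payload;
}

int main(void)
{
    const char *p = attack_payload();
    printf("unchecked copy:           return address 0x%08" PRIx32 "\n", ret_after_unchecked(p));
    printf("bounded copy:             return address 0x%08" PRIx32 "\n", ret_after_bounded(p));
    printf("unchecked copy, short in: return address 0x%08" PRIx32 "\n", ret_after_unchecked("hello"));
    return 0;
}
```

The unchecked copy overwrites the saved return address with ATTACK_RET, which is exactly the value a watchdog comparing return targets against a shadow copy would see as a mismatch; the bounded copy leaves GOOD_RET intact regardless of input length.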

The proposed approach: ShadowStack

The proposed approach is based on two structures: (a) a watchdog implemented in hardware and (b) a dedicated memory region reserved to store the return addresses of functions. In more detail, the ShadowStack approach works as follows:

  • every time the processor executes a call (CALL) instruction, the return address is stored both in its usual place (typically a stack location in memory or a dedicated register inside the processor) and in the ShadowStack; and

  • every

Experimental results

The watchdog was implemented on a LEON3 soft-core processor [12]. LEON3 is a synthesizable VHDL model of a 32-bit, 7-stage pipeline processor compliant with the SPARC V8 architecture. The model is highly configurable and particularly suitable for system-on-chip (SoC) designs. The full source code is available under the GNU GPL license, allowing free and unlimited use for research and education. LEON3 is also available under a low-cost commercial license, allowing it to be used in any

Discussions

It is also worth discussing two important points: (a) the applicability of the proposed approach to different processor architectures and (b) the detection coverage of the watchdog:

  • (a)

    Concerning the first issue, yes, the approach is easily adapted to any open-source soft-core processor, provided that the four signals described in Section 3 can be retrieved ("OpCode", "annul", "PC" and "jmp_addr"). Concerning COTS processors (for instance Intel, PowerPC and ARM), it is probably more
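The watchdog behaviour described in "The proposed approach: ShadowStack" and the four pipeline signals it consumes as listed above, as an added example in C that is not the paper's VHDL: a software model of the watchdog fed with constructed pipeline observations. The opcode encoding, the 64-entry depth of the dedicated memory, all addresses, the treatment of a RET with an empty ShadowStack, and the use of PC + 8 as the SPARC V8 return target (the CALL plus its delay slot) are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instruction classes the watchdog reacts to. The encoding is assumed for this
   model; the real LEON3 opcode fields are not reproduced. */
enum opcode { OP_OTHER = 0, OP_CALL = 1, OP_RET = 2 };

/* One observation of the pipeline stage the watchdog taps: the four signals
   named in the paper ("OpCode", "annul", "PC" and "jmp_addr"). */
struct pipe_signals {
    enum opcode opcode;  /* class of the instruction in the monitored stage */
    bool annul;          /* instruction was squashed; it must not touch the ShadowStack */
    uint32_t pc;         /* address of the instruction */
    uint32_t jmp_addr;   /* for RET: the target the processor is about to jump to */
};

/* Assumed: a SPARC V8 CALL records its own PC and the matching RET jumps to
   PC + 8 (the CALL plus its delay slot), so the reference is derived the same way. */
#define CALL_RET_OFFSET 8u

#define SHADOW_DEPTH 64   /* assumed size of the dedicated return-address memory */

struct shadow_stack {
    uint32_t addr[SHADOW_DEPTH];
    size_t top;
};

enum verdict { WD_OK = 0, WD_FLUSH = 1, WD_UNDERFLOW = 2, WD_FULL = 3 };

/* Process one pipeline observation. WD_FLUSH means the return target differs
   from the reference pushed at the matching CALL: the pipeline is stalled and
   the instruction flushed before it can commit. */
enum verdict watchdog_step(struct shadow_stack *ss, const struct pipe_signals *s)
{
    if (s->annul)
        return WD_OK;                 /* squashed instruction: nothing to record or check */
    switch (s->opcode) {
    case OP_CALL:
        if (ss->top == SHADOW_DEPTH)
            return WD_FULL;           /* nesting deeper than the dedicated memory */
        ss->addr[ss->top++] = s->pc + CALL_RET_OFFSET;
        return WD_OK;
    case OP_RET:
        if (ss->top == 0)
            return WD_UNDERFLOW;      /* RET without a recorded CALL (assumed policy) */
        ss->top--;
        return (s->jmp_addr == ss->addr[ss->top]) ? WD_OK : WD_FLUSH;
    default:
        return WD_OK;
    }
}

/* Feed a whole trace through a fresh watchdog. Returns the index of the first
   instruction that is not allowed to commit, or -1 if every RET matched; the
   verdict for that instruction is stored in *why when why is non-NULL. */
int first_violation(const struct pipe_signals *trace, size_t n, enum verdict *why)
{
    struct shadow_stack ss = { {0}, 0 };
    for (size_t i = 0; i < n; i++) {
        enum verdict v = watchdog_step(&ss, &trace[i]);
        if (v != WD_OK) {
            if (why) *why = v;
            return (int)i;
        }
    }
    if (why) *why = WD_OK;
    return -1;
}

enum verdict trace_verdict(const struct pipe_signals *trace, size_t n)
{
    enum verdict why;
    first_violation(trace, n, &why);
    return why;
}

/* Constructed traces; all addresses are made up. Benign: two nested calls whose
   RETs return exactly where the CALLs recorded; the annulled RET at index 3 must be ignored. */
const struct pipe_signals benign_trace[] = {
    { OP_CALL,  false, 0x40001000u, 0x40002000u },  /* pushes 0x40001008 */
    { OP_OTHER, false, 0x40002000u, 0 },
    { OP_CALL,  false, 0x40002004u, 0x40003000u },  /* pushes 0x4000200C */
    { OP_RET,   true,  0x40003004u, 0x11111111u },  /* annulled: not checked */
    { OP_RET,   false, 0x40003008u, 0x4000200Cu },  /* matches */
    { OP_RET,   false, 0x40002010u, 0x40001008u },  /* matches */
};
const size_t benign_len = sizeof benign_trace / sizeof benign_trace[0];

/* Attack: the callee's saved return address was overwritten by a stack smash, so
   the RET targets attacker-chosen 0x7FFFF0C4 instead of the recorded 0x40001008. */
const struct pipe_signals attack_trace[] = {
    { OP_CALL,  false, 0x40001000u, 0x40002000u },
    { OP_OTHER, false, 0x40002000u, 0 },
    { OP_RET,   false, 0x40002010u, 0x7FFFF0C4u },
};
const size_t attack_len = sizeof attack_trace / sizeof attack_trace[0];

/* A RET with nothing recorded: reported rather than silently accepted. */
const struct pipe_signals underflow_trace[] = {
    { OP_RET, false, 0x40002010u, 0x40001008u },
};
const size_t underflow_len = sizeof underflow_trace / sizeof underflow_trace[0];

int main(void)
{
    printf("benign trace:    first violation at %d\n", first_violation(benign_trace, benign_len, NULL));
    printf("attack trace:    first violation at %d (verdict %d, 1 = flush)\n",
           first_violation(attack_trace, attack_len, NULL), (int)trace_verdict(attack_trace, attack_len));
    printf("underflow trace: first violation at %d (verdict %d)\n",
           first_violation(underflow_trace, underflow_len, NULL), (int)trace_verdict(underflow_trace, underflow_len));
    return 0;
}
```

Two details matter for the check to be sound: the watchdog must skip annulled instructions, because a squashed CALL or RET never executes and recording it would desynchronise the ShadowStack from the real call depth; and the comparison happens on the target the pipeline is about to jump to, before commit, which is what lets the flush prevent the corrupted return rather than merely report it.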

Final considerations

This paper presented ShadowStack, a new dynamic integrity checking technique based on a watchdog implemented in hardware. The watchdog observes specific instructions as they pass through the processor pipeline, compares them against reference values generated at runtime and, on detecting an attempted intrusion, stalls the pipeline and flushes the offending instructions so that they are not allowed to commit. The attack type treated in this work is stack smashing

Acknowledgments

This work has been supported in part by CNPq (National Science Foundation, Brazil) under contract no. 303701/2011-0 (PQ) and CAPES/PROSUP.

References (19)

  • CERT, Vulnerability Notes Database.

  • R.B. Lee et al., "Enlisting Hardware Architecture to Thwart Malicious Code Injection", Security in Pervasive Computing 2003, LNCS (2004).

  • A.K. Kanuparthi et al., A high-performance, low-overhead microarchitecture for secure program execution.

  • A.K. Kanuparthi et al., Architecture support for dynamic integrity checking, IEEE Transactions on Information Forensics and Security (TIFS) (Feb 2012).

  • C. Cowan et al., StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks.

  • G.S. Kc et al., Countering code injection attacks with instruction-set randomization.

  • Barton P. Miller et al., Fuzz revisited: a reexamination of the reliability of UNIX utilities and services, Report (1995).

  • B.P. Miller et al., An empirical study of the reliability of UNIX utilities, Commun. ACM (Dec. 1990).

  • M.A. Schuette et al., Processor control flow monitoring using signatured instruction streams, IEEE Transactions on Computers, vol. C-36, no. 3 (March 1987).