Research article. DOI: 10.1145/3342559.3365336

Protecting the stack with PACed canaries

Published: 27 October 2019 Publication History

Abstract

Stack canaries remain a widely deployed defense against memory corruption attacks. Despite their practical usefulness, canaries are vulnerable to memory disclosure and brute-forcing attacks. We propose PCan, a new approach based on ARMv8.3-A pointer authentication (PA), that uses dynamically-generated canaries to mitigate these weaknesses and show that it provides more fine-grained protection with minimal performance overhead.


Published In

SysTEX '19: Proceedings of the 4th Workshop on System Software for Trusted Execution
October 2019
42 pages
ISBN: 9781450368889
DOI: 10.1145/3342559
Publisher

Association for Computing Machinery, New York, NY, United States

Conference

SOSP '19

Cited By

  • (2024) DMTI: Accelerating Memory Error Detection in Precompiled C/C++ Binaries with ARM Memory Tagging Extension. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 1173-1185. DOI: 10.1145/3634737.3637655. Online publication date: 1-Jul-2024
  • (2024) kCPA: Towards Sensitive Pointer Full Life Cycle Authentication for OS Kernels. IEEE Transactions on Dependable and Secure Computing 21:4, 3768-3784. DOI: 10.1109/TDSC.2023.3334268. Online publication date: Jul-2024
  • (2024) WindowGuardian: Return Address Integrity for ESP32 Microcontrollers with Xtensa Processors using AES and Register Windows. 2024 13th Mediterranean Conference on Embedded Computing (MECO), 1-8. DOI: 10.1109/MECO62516.2024.10577840. Online publication date: 11-Jun-2024
  • (2024) S2malloc: Statistically Secure Allocator for Use-After-Free Protection and More. Detection of Intrusions and Malware, and Vulnerability Assessment, 23-43. DOI: 10.1007/978-3-031-64171-8_2. Online publication date: 17-Jul-2024
  • (2023) Parity Shadow Stack: Dynamic Instrumentation based Control Flow Security for IoT Devices. 2023 IEEE International Performance, Computing, and Communications Conference (IPCCC), 357-364. DOI: 10.1109/IPCCC59175.2023.10253861. Online publication date: 17-Nov-2023
  • (2022) SaVioR: Thwarting Stack-Based Memory Safety Violations by Randomizing Stack Layout. IEEE Transactions on Dependable and Secure Computing 19:4, 2559-2575. DOI: 10.1109/TDSC.2021.3063843. Online publication date: 1-Jul-2022
  • (2022) Toward Register Spilling Security Using LLVM and ARM Pointer Authentication. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 41:11, 3757-3766. DOI: 10.1109/TCAD.2022.3197511. Online publication date: Nov-2022
  • (2022) Always-Sustainable Software Security. 2022 IEEE 8th International Conference on Network Softwarization (NetSoft), 480-485. DOI: 10.1109/NetSoft54395.2022.9844077. Online publication date: 27-Jun-2022
  • (2021) A Taxonomy of Defenses against Memory Corruption Attacks. 2021 44th International Convention on Information, Communication and Electronic Technology (MIPRO), 1196-1201. DOI: 10.23919/MIPRO52101.2021.9596951. Online publication date: 27-Sep-2021
  • (2021) A Security Enhanced Key Management Service for ARM Pointer Authentication. Applied Cryptography in Computer and Communications, 41-55. DOI: 10.1007/978-3-030-80851-8_4. Online publication date: 5-Jul-2021
