In computer security, a shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that "shadows" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected; the typical course of action is simply to terminate the program or alert system administrators about a possible intrusion attempt. A shadow stack is similar to stack canaries in that both mechanisms aim to maintain the control-flow integrity of the protected program by detecting an attacker's attempt to tamper with the stored return address during exploitation.

Shadow stacks can be implemented by recompiling programs with modified prologues and epilogues, by dynamic binary rewriting techniques to achieve the same effect, or with hardware support. Unlike the call stack, which also stores local program variables, passed arguments, spilled registers and other data, the shadow stack typically just stores a second copy of a function's return address.
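The prologue/epilogue check, as an added example that is not code from the article or from any of the implementations it cites. The call stack is simulated as an explicit array of frames so that the overflow is deterministic and stays in bounds; each frame places a 16-byte local buffer directly below the saved return address, as a real frame would. The depth limit, the return-address value 0x401000 and the function names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a software shadow stack over a simulated call stack.
 * MAX_DEPTH and the address values used below are arbitrary choices. */
#define MAX_DEPTH 64

typedef struct {
    char      buf[16];  /* local variable: the overflow target            */
    uintptr_t ret;      /* saved return address, adjacent in memory       */
} frame_t;

static frame_t   call_stack[MAX_DEPTH];
static size_t    call_sp;
static uintptr_t shadow_stack[MAX_DEPTH];
static size_t    shadow_sp;

enum { RET_OK = 0, RET_TAMPERED = 1, RET_UNDERFLOW = 2, RET_OVERFLOW = 3 };

/* Prologue: record the return address on both stacks. */
int shadow_prologue(uintptr_t ret)
{
    if (call_sp >= MAX_DEPTH || shadow_sp >= MAX_DEPTH)
        return RET_OVERFLOW;
    memset(&call_stack[call_sp], 0, sizeof call_stack[call_sp]);
    call_stack[call_sp++].ret = ret;
    shadow_stack[shadow_sp++] = ret;
    return RET_OK;
}

/* Epilogue: pop both copies and compare. The shadow copy is reported as
 * the trustworthy one, but a real implementation terminates on mismatch
 * rather than continuing. */
int shadow_epilogue(uintptr_t *ret_out)
{
    if (call_sp == 0 || shadow_sp == 0)
        return RET_UNDERFLOW;
    uintptr_t from_call   = call_stack[--call_sp].ret;
    uintptr_t from_shadow = shadow_stack[--shadow_sp];
    *ret_out = from_shadow;
    return from_call == from_shadow ? RET_OK : RET_TAMPERED;
}

/* The bug under attack: an unchecked copy into the current frame's buffer.
 * Input longer than 16 bytes runs into the saved return address. The copy
 * is clamped to the frame so the simulation itself stays in bounds. */
void vulnerable_copy(const char *src)
{
    if (call_sp == 0)
        return;
    frame_t *f = &call_stack[call_sp - 1];
    size_t n = strlen(src);
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* One simulated call: prologue, the vulnerable copy, then the epilogue's
 * verdict on the return address. */
int run_scenario(const char *input, uintptr_t ret)
{
    uintptr_t r;
    call_sp = shadow_sp = 0;
    if (shadow_prologue(ret) != RET_OK)
        return RET_OVERFLOW;
    vulnerable_copy(input);
    return shadow_epilogue(&r);
}

int main(void)
{
    /* Constructed inputs: a short string and a 32-byte overflow. */
    const char *benign = "hello";
    const char *attack = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("benign: %s\n", run_scenario(benign, 0x401000) == RET_OK
                           ? "return address intact" : "tampered");
    printf("attack: %s\n", run_scenario(attack, 0x401000) == RET_OK
                           ? "return address intact" : "tampered");
    return 0;
}
```

A 16-byte input fills the buffer exactly and passes; a 17-byte input changes a single byte of the saved return address and is caught, which is the case a canary of the wrong length or a non-contiguous write might miss.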
Shadow stacks provide more protection for return addresses than stack canaries, which rely on the secrecy of the canary value and are vulnerable to non-contiguous write attacks (an attacker who can write to an arbitrary stack slot can overwrite the return address without disturbing the canary). Shadow stacks themselves can be protected with guard pages or with information hiding, such that an attacker would also need to locate the shadow stack, for example through an information leak, to overwrite a return address stored there.

Like stack canaries, shadow stacks do not protect stack data other than return addresses, and so offer incomplete protection against security vulnerabilities that result from memory safety errors.

In 2016, Intel announced upcoming hardware support for shadow stacks with their Control-flow Enforcement Technology.
Shadow stacks face some compatibility problems. After a program throws an exception or a longjmp occurs, the return address at the top of the shadow stack will not match the return address popped from the call stack, because the frames that were unwound never executed their epilogues. The typical solution for this problem is to pop entries from the shadow stack until a matching return address is found, and to only terminate the program when no match is found in the shadow stack.

A multithreaded program, which would have a call stack for each executing thread, would then also have a shadow stack shadowing each of the call stacks.
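The unwinding problem and the pop-until-match fix, as an added example that is not code from the article. The shadow stack is explicit, the "return addresses" are assumed constants standing in for what a compiler-inserted prologue would record, and a real longjmp() is used to skip the epilogues of two nested functions; all function names are the example's own.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: shadow stack checks in the presence of longjmp().
 * MAX_DEPTH and the RET_* address constants are assumed values. */
#define MAX_DEPTH 64

enum { RET_OK = 0, RET_TAMPERED = 1, RET_OVERFLOW = 2 };

#define RET_OUTER  ((uintptr_t)0x401000)
#define RET_MIDDLE ((uintptr_t)0x401100)
#define RET_INNER  ((uintptr_t)0x401200)
#define RET_BOGUS  ((uintptr_t)0xdeadbeef)

static uintptr_t shadow_stack[MAX_DEPTH];
static size_t    shadow_sp;

size_t shadow_depth(void) { return shadow_sp; }
void   shadow_reset(void) { shadow_sp = 0; }

int shadow_push(uintptr_t ret)
{
    if (shadow_sp >= MAX_DEPTH)
        return RET_OVERFLOW;
    shadow_stack[shadow_sp++] = ret;
    return RET_OK;
}

/* Strict epilogue check: the top entry must equal the address popped from
 * the call stack. Correct for ordinary returns, but a longjmp() that skips
 * frames leaves their stale entries on top and causes a false alarm. */
int shadow_check_strict(uintptr_t from_call)
{
    if (shadow_sp == 0)
        return RET_TAMPERED;
    return shadow_stack[--shadow_sp] == from_call ? RET_OK : RET_TAMPERED;
}

/* Unwinding-tolerant check: discard stale entries until one matches. Only
 * an address that appears nowhere in the shadow stack is treated as an
 * attack; the stack is empty by then, so termination follows anyway. */
int shadow_check_unwinding(uintptr_t from_call)
{
    while (shadow_sp > 0) {
        if (shadow_stack[--shadow_sp] == from_call)
            return RET_OK;
    }
    return RET_TAMPERED;
}

static jmp_buf unwind_target;

static void inner(void)
{
    shadow_push(RET_INNER);
    longjmp(unwind_target, 1);      /* abandon inner and middle: no epilogues run */
}

static void middle(void)
{
    shadow_push(RET_MIDDLE);
    inner();
    shadow_check_strict(RET_MIDDLE); /* never reached */
}

/* outer -> middle -> inner, then longjmp back into outer. outer's epilogue
 * pops RET_OUTER from the call stack while RET_INNER tops the shadow stack. */
int run_longjmp_scenario(int tolerant)
{
    shadow_reset();
    shadow_push(RET_OUTER);
    if (setjmp(unwind_target) == 0)
        middle();
    return tolerant ? shadow_check_unwinding(RET_OUTER)
                    : shadow_check_strict(RET_OUTER);
}

/* Same tolerant check, but the address popped from the call stack was
 * overwritten: no entry matches, so the attack is still detected. */
int run_tampered_scenario(void)
{
    shadow_reset();
    shadow_push(RET_OUTER);
    shadow_push(RET_MIDDLE);
    return shadow_check_unwinding(RET_BOGUS);
}

int main(void)
{
    printf("strict after longjmp:   %s\n", run_longjmp_scenario(0) == RET_OK ? "ok" : "false alarm");
    printf("tolerant after longjmp: %s\n", run_longjmp_scenario(1) == RET_OK ? "ok" : "alarm");
    printf("tolerant, tampered:     %s\n", run_tampered_scenario() == RET_OK ? "ok" : "attack detected");
    return 0;
}
```

The tolerant check trades a little precision for compatibility: an attacker who can redirect a return to an address that is still live somewhere deeper in the shadow stack is not caught, which is why the entries consumed on the way are discarded rather than kept.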
See also

Call stack
Return address
Buffer overflow

References

1. Delshadtehrani, Leila; Eldridge, Schuyler; Canakci, Sadullah; Egele, Manuel; Joshi, Ajay (2018-01-01). "Nile: A Programmable Monitoring Coprocessor". IEEE Computer Architecture Letters. 17 (1): 92–95. doi:10.1109/LCA.2017.2784416. ISSN 1556-6056.
2. "StackShield: A "stack smashing" technique protection tool for Linux". Vendicator.
3. Sinnadurai, Saravanan; Zhao, Qin; Wong, Weng Fai (2008). "Transparent runtime shadow stack: Protection against malicious return address modifications" (PDF).
4. Ozdoganoglu, H.; Brodley, C.; Vijaykumar, T.; Kuperman, B. (2006). "SmashGuard: A Hardware Solution To Prevent Attacks on the Function Return Address" (PDF). IEEE Transactions on Computers. 55 (10): 1271–1285. doi:10.1109/TC.2006.166.
5. Szekeres, Laszlo; Payer, Mathias; Wei, Tao; Song, Dawn (2013). "SoK: Eternal War in Memory" (PDF). IEEE Symposium on Security and Privacy: 48–63.
6. Chiueh, Tzi-cker; Hsu, Fu-Hau (2001). "RAD: A Compile-Time Solution To Buffer Overflow Attacks". Proceedings 21st International Conference on Distributed Computing Systems. pp. 409–417. doi:10.1109/ICDSC.2001.918971. ISBN 0-7695-1077-9. S2CID 32026510.
7. "Control-flow Enforcement Technology Preview" (PDF). Intel Corporation.

Categories: Computer security; Control flow integrity

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.