Return Oriented Programming (ROP) is a malware technique that takes advantage of a memory write vulnerability to populate the stack with synthesized return addresses, each of which points to a code fragment (known as a gadget<\/i>) that executes a few instructions before performing a return instruction. The idea is that an attacker can gain arbitrary code execution by cobbling together these small sequences of instructions into a larger operation.<\/p>\n
A common defense against ROP techniques is to use some form of return address protection by confirming that the return address that is about to be used matches the return address received at the start of the function. In the case of a ROP, the synthesized return addresses do not correspond to any call, and this gives the system an opportunity to detect that something bad has happened.<\/p>\n
We saw some time ago that the AArch64 architecture contains hardware support for return address validation<\/a> through the use of the pacibsp<\/tt> and autibsp<\/tt> pair of instruction which sign a return address and validate the signature, respectively.<\/p>\n Another approach is to use a shadow stack<\/i>, which is another stack in memory into which copies of the original return addresses are recorded, and against which those return addresses are validated before being used.<\/p>\n There are two common patterns for shadow stacks, known as parallel shadow stacks<\/i> and compact shadow stacks<\/i>.<\/p>\n The compact shadow stack<\/i> reserves another register to be used as a shadow stack pointer. For example, you might do this:<\/p>\n This is called a compact shadow stack because all the return addresses are stored in contiguous memory. The amount of memory required for the shadow stack is By comparison the parallel shadow stack<\/i> allocates a block of memory the same size as the CPU stack, and there is a buddy system between each byte of the CPU stack and each byte of the shadow stack. Access to the shadow stack is usually mediated by an otherwise-unused selector.<\/p>\n This is called a parallel shadow stack because the two stacks run parallel to each other.<\/p>\n Here’s a table of pros and cons:<\/p>\n Although both the compact and parallel stacks require a new dedicated register, the compact stack takes the register from the general purpose registers, which makes it unavailable for code generation. The parallel stack uses a selector that would otherwise go unused.<\/p>\n; function entry with return address on CPU stack\r\n; assume r15 is the shadow stack pointer\r\n\r\n ; retrieve return address\r\n mov rax, [rsp]\r\n\r\n ; push onto shadow stack\r\n mov [r15-8], rax\r\n lea r15, [r15-8]\r\n\r\n \u27e6 main function body goes here \u27e7\r\n\r\n ; before returning, pop the return address\r\n ; from the shadow stack\r\n mov r11, [r15]\r\n lea r15, [r15+8]\r\n\r\n ; and check that it matches the CPU stack\r\n cmp r11, [rsp]\r\n jnz fatal\r\n\r\n ret\r\n<\/pre>\n
sizeof(address)<\/code> \u00d7 call depth.<\/p>\n\n\n
\n CPU stack<\/td>\n \u00a0<\/td>\n shadow stack<\/td>\n<\/tr>\n \n \u22ee<\/td>\n <\/td>\n \u22ee<\/td>\n<\/tr>\n \n retaddr1<\/td>\n <\/td>\n retaddr1<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n retaddr2<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n retaddr3<\/td>\n \u2190 r15<\/td>\n<\/tr>\n \n retaddr2<\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n retaddr3<\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n local var<\/td>\n \u2190 rsp<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ; function entry with return address on CPU stack\r\n; assume fs has a base address equal to the distance\r\n; between the CPU stack and the shadow stack\r\n\r\n ; retrieve return address\r\n mov rax, [rsp]\r\n\r\n ; copy to shadow stack\r\n mov fs:[rsp], rax\r\n\r\n \u27e6 main function body goes here \u27e7\r\n\r\n ; before returning, compare the return address\r\n ; to the shadow stack\r\n mov r11, fs:[rsp]\r\n cmp r11, [rsp]\r\n jnz fatal\r\n\r\n ret\r\n<\/pre>\n
\n\n
\n CPU stack<\/td>\n \u00a0<\/td>\n shadow stack<\/td>\n<\/tr>\n \n \u22ee<\/td>\n <\/td>\n \u22ee<\/td>\n<\/tr>\n \n retaddr1<\/td>\n <\/td>\n retaddr1<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n \u00a0<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n \u00a0<\/td>\n<\/tr>\n \n retaddr2<\/td>\n <\/td>\n retaddr2<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n \u00a0<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n \u00a0<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n \u00a0<\/td>\n<\/tr>\n \n retaddr3<\/td>\n <\/td>\n retaddr3<\/td>\n<\/tr>\n \n local var<\/td>\n <\/td>\n \u00a0<\/td>\n<\/tr>\n \n local var<\/td>\n \u2190 rsp<\/td>\n \u00a0<\/td>\n \u2190 fs:rsp<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n\n
\n \u00a0<\/th>\n Compact<\/th>\n Parallel<\/th>\n<\/tr>\n \n Code size<\/td>\n Larger<\/td>\n Smaller<\/td>\n<\/tr>\n \n Memory consumption<\/td>\n Smaller<\/td>\n Larger<\/td>\n<\/tr>\n \n Register pressure<\/td>\n Greater<\/td>\n Smaller<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n