In computer security, a shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that "shadows" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected; the typical course of action is simply to terminate the program or alert system administrators about a possible intrusion attempt. A shadow stack is similar to stack canaries in that both mechanisms aim to maintain the control-flow integrity of the protected program by detecting attempts to tamper with the stored return address during an exploitation attempt.
Shadow stacks can be implemented by recompiling programs with modified prologues and epilogues, by dynamic binary rewriting techniques to achieve the same effect, or with hardware support. Unlike the call stack, which also stores local program variables, passed arguments, spilled registers and other data, the shadow stack typically just stores a second copy of a function's return address. Shadow stacks provide more protection for return addresses than stack canaries, which rely on the secrecy of the canary value and are vulnerable to non-contiguous write attacks (writes that reach the return address without passing over the canary). Shadow stacks themselves can be protected with guard pages or with information hiding, such that an attacker would also need to locate the shadow stack to overwrite a return address stored there. Like stack canaries, shadow stacks do not protect stack data other than return addresses, and so offer incomplete protection against security vulnerabilities that result from memory safety errors.
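The prologue/epilogue comparison described at the top of the article, and the contrast with stack canaries drawn just above, as an added example in C. This is not code from the article or from any of the implementations it mentions: the call stack is modelled as an array of frames with a constructed layout (local buffer, then canary, then saved return address, the usual x86 ordering), a constructed canary value, a hypothetical legitimate return address 0x401136 and constructed attacker payloads, so that a corrupted return address can be observed deterministically instead of crashing the process. All function and variable names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the article: a software shadow stack whose
 * prologue/epilogue checks run against a modelled call stack. Frame layout,
 * canary value, return address and payloads are constructed for the demo. */

#define DEPTH 64

/* The shadow stack holds nothing but return addresses. */
static uintptr_t shadow[DEPTH];
static size_t shadow_top;

/* Modelled frame in the order a typical x86 compiler lays it out: local
 * buffer at the lowest address, then the canary, then the saved return
 * address. A write that runs past buf reaches the canary before ret. */
struct frame {
    char buf[16];
    uintptr_t canary;
    uintptr_t ret;
};
static struct frame call_stack[DEPTH];
static size_t call_top;

static const uintptr_t CANARY = 0x5a3c9f1e;      /* constructed "secret" */
static const uintptr_t RETURN_SITE = 0x401136;   /* hypothetical return address */

/* Bit flags returned by the epilogue. */
enum { CHECK_OK = 0, CANARY_TRIPPED = 1, SHADOW_MISMATCH = 2 };

/* Prologue: set up the frame and save the return address to both stacks. */
static void prologue(uintptr_t ret)
{
    struct frame *f = &call_stack[call_top++];
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->ret = ret;
    shadow[shadow_top++] = ret;
}

/* Epilogue: pop the frame, pop the shadow entry, and run both checks. */
static int epilogue(void)
{
    struct frame *f = &call_stack[--call_top];
    uintptr_t expected = shadow[--shadow_top];
    int result = CHECK_OK;
    if (f->canary != CANARY) result |= CANARY_TRIPPED;
    if (f->ret != expected)  result |= SHADOW_MISMATCH;
    return result;
}

/* Bug 1: contiguous overflow. len is bounded only by the frame size, not by
 * sizeof buf, so a long input runs through the canary and into ret.
 * Writing through unsigned char* keeps this defined behaviour in C. */
static void overflow_body(const char *data, size_t len)
{
    struct frame *f = &call_stack[call_top - 1];
    unsigned char *raw = (unsigned char *)f + offsetof(struct frame, buf);
    if (len > sizeof *f) len = sizeof *f;
    for (size_t i = 0; i < len; i++) raw[i] = (unsigned char)data[i];
}

/* Bug 2: non-contiguous write. The attacker picks the offset, so the value
 * can land on ret without disturbing the canary that sits in between. */
static void indexed_write_body(size_t index, uintptr_t value)
{
    struct frame *f = &call_stack[call_top - 1];
    if (index + sizeof value > sizeof *f) return;   /* frame bound only */
    memcpy((unsigned char *)f + index, &value, sizeof value);
}

/* Normal call: both checks pass. Returns CHECK_OK. */
int demo_benign(void)
{
    prologue(RETURN_SITE);
    overflow_body("hello", 5);
    return epilogue();
}

/* Classic smash: a frame-sized run of 'A' clobbers canary and ret alike.
 * Returns CANARY_TRIPPED | SHADOW_MISMATCH. */
int demo_contiguous_overflow(void)
{
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    prologue(RETURN_SITE);
    overflow_body((const char *)payload, sizeof payload);
    return epilogue();
}

/* Targeted write straight onto ret: the canary is intact, so only the
 * shadow-stack comparison notices. Returns SHADOW_MISMATCH. */
int demo_targeted_write(void)
{
    prologue(RETURN_SITE);
    indexed_write_body(offsetof(struct frame, ret), (uintptr_t)0x41414141);
    return epilogue();
}
```

The third scenario is the point of the comparison with canaries: a write primitive that chooses its offset never touches the canary, so the canary check reports nothing, while the shadow stack still has an independent copy of the return address to compare against. Conversely, neither check says anything about an overwrite of buf, canary-adjacent locals or function pointers stored in the frame, which is the incompleteness the paragraph above refers to.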
In 2016, Intel announced upcoming hardware support for shadow stacks with their Control-flow Enforcement Technology.
Shadow stacks face some compatibility problems. After a program throws an exception or a longjmp occurs, the return address at the top of the shadow stack will not match the return address popped from the call stack, because the frames that were skipped never executed their epilogues. The typical solution for this problem is to pop entries from the shadow stack until a matching return address is found, and to only terminate the program when no match is found in the shadow stack. A multithreaded program, which would have a call stack for each executing thread, would then also have a shadow stack shadowing each of the call stacks.
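The recompilation approach mentioned earlier (modified prologues and epilogues) and the pop-until-match rule for longjmp described just above, as one added example. This is not the article's code and not any compiler's actual instrumentation: the prologue and epilogue hooks are inserted by hand with GCC/Clang's __builtin_return_address(0), which, together with the noinline attribute, is the only non-standard piece; SHADOW_ENTER, SHADOW_LEAVE and the other names are the example's own, and the addresses in demo_forged_return are constructed values standing in for a corrupted saved return address.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not from the article: hand-inserted prologue/epilogue
 * instrumentation using GCC/Clang's __builtin_return_address, with the
 * "pop until match" rule so that longjmp does not produce a false alarm. */

#define SHADOW_DEPTH 64
static uintptr_t shadow[SHADOW_DEPTH];
static size_t shadow_top;
static int violations;   /* returns whose address appears nowhere in the shadow */
static int unwound;      /* stale entries skipped over because of longjmp */

/* Prologue half: what a compiler would emit at function entry. */
#define SHADOW_ENTER() shadow_push((uintptr_t)__builtin_return_address(0))
/* Epilogue half: what it would emit just before the ret instruction. */
#define SHADOW_LEAVE() shadow_leave((uintptr_t)__builtin_return_address(0))

static void shadow_push(uintptr_t ret)
{
    if (shadow_top == SHADOW_DEPTH) abort();   /* deeper than the shadow */
    shadow[shadow_top++] = ret;
}

/* Frames skipped by longjmp never ran their epilogue, so their entries are
 * still above ours. Discard them until our own address appears; only a
 * total miss is treated as a tampered return address. */
static void shadow_leave(uintptr_t ret)
{
    while (shadow_top > 0) {
        if (shadow[--shadow_top] == ret) return;
        unwound++;
    }
    violations++;   /* a real implementation would abort() here */
}

static jmp_buf escape;

/* noinline keeps each function a real call with its own return address. */
__attribute__((noinline)) static void leaf(void)
{
    SHADOW_ENTER();
    longjmp(escape, 1);   /* leaf's and middle's epilogues never run */
    SHADOW_LEAVE();       /* unreachable */
}

__attribute__((noinline)) static void middle(void)
{
    SHADOW_ENTER();
    leaf();
    SHADOW_LEAVE();
}

__attribute__((noinline)) static void outer(void)
{
    SHADOW_ENTER();
    if (setjmp(escape) == 0)
        middle();
    SHADOW_LEAVE();   /* finds its own entry below two stale ones */
}

/* Runs the longjmp scenario. Returns how many stale entries were discarded
 * (2: leaf's and middle's), or -1 if the shadow stack ended up inconsistent. */
int demo_longjmp(void)
{
    shadow_top = 0; violations = 0; unwound = 0;
    outer();
    return (shadow_top == 0 && violations == 0) ? unwound : -1;
}

/* Models a corrupted saved return address: constructed entries for two live
 * callers, then a return to a value that matches none of them. Returns the
 * violation count (1). */
int demo_forged_return(void)
{
    shadow_top = 0; violations = 0; unwound = 0;
    shadow_push((uintptr_t)0x401000);
    shadow_push((uintptr_t)0x401200);
    shadow_leave((uintptr_t)0x41414141);
    return violations;
}
```

The relaxation in shadow_leave has a cost worth knowing: because any address still on the shadow stack is accepted, a corrupted return address that happens to equal the live return site of an outer caller is not caught, and a genuine miss drains the whole shadow stack. Implementations that want an exact match instead leave the epilogue strict and fix up the shadow stack at the longjmp or exception-catch site, where the number of skipped frames is known.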
See also
* Call stack
* Return address
* Buffer overflow