DeepAI AI Chat
Log In Sign Up

PACStack: an Authenticated Call Stack

by   Hans Liljestrand, et al.

A popular run-time attack technique is to compromise the control-flow integrity of a program by modifying function return addresses on the stack. So far, shadow stacks have proven to be essential for comprehensively preventing return address manipulation. Shadow stacks record return addresses in integrity-protected memory, secured with hardware-assistance or software access control. Software shadow stacks incur high overheads or trade off security for efficiency. Hardware-assisted shadow stacks are efficient and secure, but require the deployment of special-purpose hardware. We present authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs) to achieve comparable security without requiring additional hardware support. We present PACStack, a realization of ACS on the ARMv8.3-A architecture, using its general purpose hardware mechanism for pointer authentication (PA). Via a rigorous security analysis, we show that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware. We demonstrate that PACStack's performance overhead is negligible (<1


page 1

page 2

page 3

page 4


InversOS: Efficient Control-Flow Protection for AArch64 Applications with Privilege Inversion

With the increasing popularity of AArch64 processors in general-purpose ...

Zipper Stack: Shadow Stacks Without Shadow

Return-Oriented Programming (ROP) is a typical attack technique that can...

Shining Light On Shadow Stacks

Control-Flow Hijacking attacks are the dominant attack vector to comprom...

Trust Anchors in Software Defined Networks

Advances in software virtualization and network processing lead to incre...

HCIC: Hardware-assisted Control-flow Integrity Checking

Recently, code reuse attacks (CRAs), such as return-oriented programming...

PAC it up: Towards Pointer Integrity using ARM Pointer Authentication

Run-time attacks against programs written in memory-unsafe programming l...