Zipper Stack: Shadow Stacks Without Shadow
share
Return-Oriented Programming (ROP) is a typical attack technique that can exploit return addresses to repeatedly abuse existing codes ending with return instructions. Most of the current return address protecting mechanisms (also known as the Backward-Edge Control-Flow Integrity) can work only in limited threat models. For example, the attacker cannot control the whole memory, or the attacker have no knowledge of a secret key or random values. This paper presents a novel, lightweight mechanism protecting return addresses, Zipper Stack, which hashes all return addresses by a chain structure. This innovative design can defend against the most powerful attackers who have full control over the program's memory and even know the secret key of the hash function. This threat model is stronger than them in the relevant works. At the same time, it produces very low performance overhead. We implemented Zipper Stack by extending the RISC-V instruction set architecture and the evaluation shows that the performance overhead of Zipper Stack is only 1.86 lightweight nature of Zipper Stack makes it practicable for deployment with minimal modifications on the system. We only need two registers and a hash module, no need to make any changes to the memory allocation and page attributes. Thus, we think Zipper Stack is suitable for actual deployment.
READ FULL TEXT