Protecting computing systems against cyberattacks should be put high on the
agenda. For example, Colonial Pipeline, an American oil pipeline system, suffered
a cyberattack that impacted its computerized equipment managing the pipeline,
leading to a state of emergency declared by President Joe Biden in May 2021.
As reported by Microsoft Security Response Center, attackers are unanimously
corrupting the stack and most Control Flow Guard (CFG) improvements will provide
little value-add until stack protection loads. Shadow stacks play an important
role in protecting backward edges (return addresses on the call stack) to mitigate
Return-Oriented Programming (ROP) attacks. Control-Flow Integrity (CFI) techniques
often focus on protecting forward edges (indirect calls via function pointers
and virtual calls) and assume that backward edges are protected by shadow stacks.
However, in practice shadow stacks are still not widely deployed due
to compatibility, performance or security deficiencies. In this thesis, we propose
three novel techniques for protecting return addresses.
First, by adding one level of indirection, we introduce BarRA, the first shadow
stack mechanism that applies continuous runtime re-randomization to abstract return
addresses for protecting their corresponding concrete return addresses (also
protected by CFI) for single-threaded programs, thus avoiding expensive pointer
tracking. As a nice side-effect, BarRA naturally combines the shadow stack, CFI
and runtime re-randomization in the same framework.
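As an added illustration (not BarRA's implementation and not code from the thesis), the following C simulation shows the one-level-of-indirection idea: the main stack carries only an abstract return id, the concrete return address lives in a shadow table masked by a rotating key, and rekeying walks only that table, so the main stack needs no pointer tracking. All function names and the XOR masking scheme are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>

#define SLOTS 64

/* Shadow table: concrete return addresses, masked with a rotating key.
 * In a real deployment this is the region the attacker cannot write. */
static uintptr_t shadow[SLOTS];
static uint64_t  mask_key;
static size_t    shadow_top;

/* Simulated main stack: holds only abstract ids, never code pointers. */
static uint64_t  main_stack[SLOTS];
static size_t    main_top;

void sim_reset(void) { shadow_top = main_top = 0; mask_key = 0; }

/* Prologue: park the concrete address in the shadow table, push an abstract id. */
void sim_call(uintptr_t concrete_ret) {
    main_stack[main_top++] = shadow_top;                 /* abstract id = slot index */
    shadow[shadow_top++]   = concrete_ret ^ (uintptr_t)mask_key;
}

/* Epilogue: the id must name the live top slot; the target always comes from
 * the shadow table. Returns 0 when the id was tampered with or stacks are out of step. */
uintptr_t sim_return(void) {
    if (main_top == 0 || shadow_top == 0) return 0;
    uint64_t id = main_stack[--main_top];
    if (id != shadow_top - 1) return 0;
    return shadow[--shadow_top] ^ (uintptr_t)mask_key;
}

/* Re-randomization: rekey the shadow table in place. Abstract ids on the main
 * stack are untouched, so no stack walk or pointer tracking is needed. */
void rerandomize(uint64_t new_key) {
    for (size_t i = 0; i < shadow_top; i++)
        shadow[i] = (shadow[i] ^ (uintptr_t)mask_key) ^ (uintptr_t)new_key;
    mask_key = new_key;
}

/* Demo-only write primitive: overwrite the abstract id on top of the main stack. */
void corrupt_top_id(uint64_t v) { if (main_top) main_stack[main_top - 1] = v; }

int main(void) {
    sim_reset();
    rerandomize(0x1234567890abcdefULL);
    sim_call(0x401000); sim_call(0x402000);
    rerandomize(0x0fedcba987654321ULL);      /* rekey while frames are live */
    if (sim_return() != 0x402000) return 1;  /* legitimate return still resolves */
    corrupt_top_id(7);                       /* simulated main-stack corruption */
    return sim_return() == 0 ? 0 : 1;        /* tampered id is rejected */
}
```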
Second, without reserving any dedicated register, we propose a novel thread-local
storage mechanism, STK-TLS, that is both efficient and free of compatibility
issues. We also present a new microsecond-level runtime re-randomization technique
(without relying on information hiding or MMU), STK-MSR, to mitigate
information disclosure attacks and protect the shadow stack with 64-bit entropy.
Based on STK-TLS and STK-MSR, we have implemented a novel stack layout
(referred to as Bustk), that is highly performant, compatible with existing code,
and provides meaningful security for single- and multi-threaded server programs.
Third, by fast-moving safe regions in the large 47-bit user space (based on
MMU), we design a practical shadow stack, FlashStack, for protecting return
addresses in single- and multi-threaded programs (including browsers) running under
64-bit Linux on x86-64. FlashStack introduces a novel lightweight instrumentation
mechanism, a continuous shuffling scheme for the shadow stack in user
space, and a new dual-prologue approach for a protected function to mitigate the
TOCTTOU attacks (constructed by Microsoft's red team), information disclosure
attacks, and crash-resistant probing attacks.