
Shadow stack implementation on x86_64

In Control Flow Integrity, a protected shadow stack is implemented using x86 segments via LDT. But in x86_64, segmentation is disabled. Is there any other mechanism available which can be used to implement a protected stack on x86_64?

Edit

Found a recent paper which describes several alternatives.

I think the idea for 32-bit CFI is to set a limit on DS/ES/SS, and put the shadow stack outside that, so it can only be corrupted by instructions with a gs: segment override prefix.

This only works in compat mode (32-bit user-space) on x86-64, because CS/DS/ES/SS have fixed base=0 and no limit when the CPU is in long mode.

FS and GS can have a non-zero base even in long mode, but even if you could set a limit on those segments, it's the opposite of what you need. (That would protect regular memory from instructions with a gs prefix, instead of the other way around.) Fun fact: @MichaelPetch says most CPUs don't support a limit on those segments in long mode anyway.


For the Linux x32 ABI (32-bit pointers in long mode), you could put the shadow stack outside the low 4GiB of virtual address space. Normal compiler-generated code always takes care to truncate pointers to 32-bit. The current default code-gen strategy (-maddress-mode=short) is to use address-size prefixes on every instruction with a memory operand, except rsp, which is assumed to always be zero-extended.

This leads to a lot of wasted address-size prefixes, but it means that code compiled for x32 by current gcc will definitely truncate pointers to 32-bit, even when there's UB, making it impossible for compiler-generated code to load/store outside the low 4GiB of address space.


I don't think long mode has any general way to make a region of virtual address space accessible only with some kind of special instruction, either a prefix or something else. So if you're defending against normal code using 64-bit operand-size, there are no options that replace segment tricks with baseline x86-64. You'd have to map / unmap the shadow stack, which would be unusably slow.

There are several other technologies for enforcing / checking control flow these days. Intel's CET (Control-flow Enforcement Technology) gives hardware support for various stuff, including a shadow stack. Grsecurity published a review / critique of it. Their conclusion starts with "In summary, Intel's CET is mainly a hardware implementation of Microsoft's weak CFI implementation with the addition of a shadow stack." IDK if this review is accurate. Grsecurity does produce a competing product (which they acknowledge), so there might be some bias. I'm sure CET is better than nothing.

See also https://github.com/huku-/research/wiki/Intel-CPU-security-features for a list of x86 (or maybe specifically Intel) CPU features that assist security in general (like MPX bounds checking), not just control-flow.

