| Peter Collingbourne | c4122c1 | 2015-06-15 21:08:13 +0000 | [diff] [blame] | 1 | ========= |
| 2 | SafeStack |
| 3 | ========= |
| 4 | |
| 5 | .. contents:: |
| 6 | :local: |
| 7 | |
| 8 | Introduction |
| 9 | ============ |
| 10 | |
| 11 | SafeStack is an instrumentation pass that protects programs against attacks |
| 12 | based on stack buffer overflows, without introducing any measurable performance |
| 13 | overhead. It works by separating the program stack into two distinct regions: |
| 14 | the safe stack and the unsafe stack. The safe stack stores return addresses, |
| 15 | register spills, and local variables that are always accessed in a safe way, |
| 16 | while the unsafe stack stores everything else. This separation ensures that |
| 17 | buffer overflows on the unsafe stack cannot be used to overwrite anything |
| 18 | on the safe stack, which includes return addresses. |
| 19 | |
| 20 | Performance |
| 21 | ----------- |
| 22 | |
| 23 | The performance overhead of the SafeStack instrumentation is less than 0.1% on |
| 24 | average across a variety of benchmarks (see the `Code-Pointer Integrity |
| 25 | <http://dslab.epfl.ch/pubs/cpi.pdf>`_ paper for details). This is mainly |
| 26 | because most small functions do not have any variables that require the unsafe |
| 27 | stack and, hence, do not need unsafe stack frames to be created. The cost of |
| 28 | creating unsafe stack frames for large functions is amortized by the cost of |
| 29 | executing the function. |
| 30 | |
| 31 | In some cases, SafeStack actually improves the performance. Objects that end up |
| 32 | being moved to the unsafe stack are usually large arrays or variables that are |
| 33 | used through multiple stack frames. Moving such objects away from the safe |
| 34 | stack increases the locality of frequently accessed values on the stack, such |
| 35 | as register spills, return addresses, and small local variables. |
| 36 | |
| 37 | Limitations |
| 38 | ----------- |
| 39 | |
| 40 | SafeStack has not been subjected to a comprehensive security review, and there |
| 41 | exist known weaknesses, including but not limited to the following. |
| 42 | |
| 43 | In its current state, the separation of local variables provides protection |
| 44 | against stack buffer overflows, but the safe stack itself is not protected |
| 45 | from being corrupted through a pointer dereference. The Code-Pointer |
| 46 | Integrity paper describes two ways in which we may protect the safe stack: |
| 47 | hardware segmentation on the 32-bit x86 architecture or information hiding |
| 48 | on other architectures. |
| 49 | |
| 50 | Even with information hiding, the safe stack would merely be hidden |
| 51 | from attackers by being somewhere in the address space. Depending on the |
| 52 | application, the address could be predictable even on 64-bit address spaces |
| 53 | because not all the bits are addressable, multiple threads each have their |
| 54 | stack, the application could leak the safe stack address to memory via |
| 55 | ``__builtin_frame_address``, bugs in the low-level runtime support etc. |
| 56 | Safe stack leaks could be mitigated by writing and deploying a static binary |
| 57 | analysis or a dynamic binary instrumentation based tool to find leaks. |
| 58 | |
| 59 | This approach doesn't prevent an attacker from "imbalancing" the safe |
| 60 | stack by say having just one call, and doing two rets (thereby returning |
| 61 | to an address that wasn't meant as a return address). This can be at least |
| 62 | partially mitigated by deploying SafeStack alongside a forward control-flow |
| 63 | integrity mechanism to ensure that calls are made using the correct calling |
| 64 | convention. Clang does not currently implement a comprehensive forward |
| 65 | control-flow integrity protection scheme; there exists one that protects |
| 66 | :doc:`virtual calls <ControlFlowIntegrity>` but not non-virtual indirect calls. |
| 67 | |
| 68 | Compatibility |
| 69 | ------------- |
| 70 | |
| 71 | Most programs, static libraries, or individual files can be compiled |
| 72 | with SafeStack as is. SafeStack requires basic runtime support, which, on most |
| 73 | platforms, is implemented as a compiler-rt library that is automatically linked |
| 74 | in when the program is compiled with SafeStack. |
| 75 | |
| 76 | Linking a DSO with SafeStack is not currently supported. |
| 77 | |
| 78 | Known compatibility limitations |
| 79 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 80 | |
| 81 | Certain code that relies on low-level stack manipulations requires adaption to |
| 82 | work with SafeStack. One example is mark-and-sweep garbage collection |
| 83 | implementations for C/C++ (e.g., Oilpan in chromium/blink), which must be |
| 84 | changed to look for the live pointers on both safe and unsafe stacks. |
| 85 | |
| 86 | SafeStack supports linking together modules that are compiled with and without |
| 87 | SafeStack, both statically and dynamically. One corner case that is not |
| 88 | supported is using ``dlopen()`` to load a dynamic library that uses SafeStack into |
| 89 | a program that is not compiled with SafeStack but uses threads. |
| 90 | |
| 91 | Signal handlers that use ``sigaltstack()`` must not use the unsafe stack (see |
| 92 | ``__attribute__((no_sanitize("safe-stack")))`` below). |
| 93 | |
| 94 | Programs that use APIs from ``ucontext.h`` are not supported yet. |
| 95 | |
| 96 | Usage |
| 97 | ===== |
| 98 | |
| 99 | To enable SafeStack, just pass ``-fsanitize=safe-stack`` flag to both compile and link |
| 100 | command lines. |
| 101 | |
| 102 | Supported Platforms |
| 103 | ------------------- |
| 104 | |
| 105 | SafeStack was tested on Linux, FreeBSD and MacOSX. |
| 106 | |
| 107 | Low-level API |
| 108 | ------------- |
| 109 | |
| 110 | ``__has_feature(safe_stack)`` |
| 111 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 112 | |
| 113 | In some rare cases one may need to execute different code depending on |
| 114 | whether SafeStack is enabled. The macro ``__has_feature(safe_stack)`` can |
| 115 | be used for this purpose. |
| 116 | |
| 117 | .. code-block:: c |
| 118 | |
| 119 | #if __has_feature(safe_stack) |
| 120 | // code that builds only under SafeStack |
| 121 | #endif |
| 122 | |
| 123 | ``__attribute__((no_sanitize("safe-stack")))`` |
| 124 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 125 | |
| 126 | Use ``__attribute__((no_sanitize("safe-stack")))`` on a function declaration |
| 127 | to specify that the safe stack instrumentation should not be applied to that |
| 128 | function, even if enabled globally (see ``-fsanitize=safe-stack`` flag). This |
| 129 | attribute may be required for functions that make assumptions about the |
| 130 | exact layout of their stack frames. |
| 131 | |
| 132 | Care should be taken when using this attribute. The return address is not |
| 133 | protected against stack buffer overflows, and it is easier to leak the |
| 134 | address of the safe stack to memory by taking the address of a local variable. |
| 135 | |
| 136 | |
| 137 | ``__builtin___get_unsafe_stack_ptr()`` |
| 138 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 139 | |
| 140 | This builtin function returns current unsafe stack pointer of the current |
| 141 | thread. |
| 142 | |
| 143 | ``__builtin___get_unsafe_stack_start()`` |
| 144 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 145 | |
| 146 | This builtin function returns a pointer to the start of the unsafe stack of the |
| 147 | current thread. |
| 148 | |
| 149 | Design |
| 150 | ====== |
| 151 | |
| 152 | Please refer to |
| 153 | `http://dslab.epfl.ch/proj/cpi/ <http://dslab.epfl.ch/proj/cpi/>`_ for more |
| 154 | information about the design of the SafeStack and its related technologies. |
| 155 | |
| 156 | |
| 157 | Publications |
| 158 | ------------ |
| 159 | |
| 160 | `Code-Pointer Integrity <http://dslab.epfl.ch/pubs/cpi.pdf>`_. |
| 161 | Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, Dawn Song. |
| 162 | USENIX Symposium on Operating Systems Design and Implementation |
| 163 | (`OSDI <https://www.usenix.org/conference/osdi14>`_), Broomfield, CO, October 2014 |