
Amazing, Android now has a shadow call stack using a dedicated register just like we suggested in our recent #Oakland19 "SoK Shining Light on Shadow Stacks" nebelwelt.net/publications/f (the Google work was independent of ours)
Quoted tweet: Google Online Security Blog: Protecting against code reuse in the Linux kernel with Shadow Call Stack security.googleblog.com/2019/10/protec via @google
Normally, it is not directly protected against arbitrary writes. The "protection" against it usually stems from information hiding due to randomization. However, it is still vulnerable to probing, though this is more difficult than a normal information leak.
If they have powerful / reliable exploit primitives, they can create a pointer with the correct tag and then access the shadow stack through it. It's still going to help out with making mitigations based on out-of-line data (allocator metadata, shadow stacks, etc.) a bit better.
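The two replies above describe the threat model of a shadow call stack in one sentence each: the return address is kept out of line and the epilogue returns through that copy, so a plain stack overflow no longer redirects control, but the shadow stack itself is only hidden by randomization, so an attacker with an arbitrary write who has leaked or probed its location can still rewrite the live slot. The following is an added example written for this page; it is not code from the thread, from Google's kernel patches, or from Clang's -fsanitize=shadow-call-stack. It is a user-space model of that behaviour: the hidden base pointer stands in for x18, a random offset inside a larger allocation stands in for ASLR, the return-site values RA_LEGIT and RA_GADGET are constructed stand-ins, and the two attacker capabilities are modelled as plain stores rather than real memory corruption. Pointer tagging, which the last reply mentions, is not modelled.

```c
/* Added example: a model of shadow-call-stack semantics and of the two
 * attacker capabilities discussed in the thread. Not Google's or Clang's
 * implementation; all addresses and the attacker model are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SCS_SLOTS 64            /* live shadow stack depth in this model */
#define RA_LEGIT  0x00401000u   /* constructed: legitimate return site */
#define RA_GADGET 0x41414141u   /* constructed: attacker-chosen target */

/* The shadow stack is placed at a random offset inside a larger
 * allocation. The attacker does not get this offset; in the real scheme
 * the base lives in x18 and is hidden only by randomization. */
static uintptr_t *scs_region;   /* whole reservation */
static uintptr_t *scs_base;     /* hidden base, stands in for x18 */
static size_t     scs_top;      /* number of live slots */

/* Returns 0 on success, -1 if the reservation could not be allocated. */
int scs_init(unsigned seed) {
    size_t region_slots = SCS_SLOTS * 16;
    scs_region = calloc(region_slots, sizeof *scs_region);
    if (!scs_region)
        return -1;
    srand(seed);  /* rand() is a stand-in for the ASLR entropy */
    scs_base = scs_region + (size_t)rand() % (region_slots - SCS_SLOTS);
    scs_top = 0;
    return 0;
}

/* A call frame: the on-stack copy of the return address sits right after
 * a local buffer, which is what a classic overflow clobbers. */
struct frame {
    char      buf[16];
    uintptr_t stack_ra;         /* unprotected on-stack copy */
};

/* Prologue: the compiler-inserted store of lr to the shadow stack. */
static void scs_prologue(struct frame *f, uintptr_t lr) {
    f->stack_ra = lr;
    scs_base[scs_top++] = lr;
}

/* Epilogue: lr is reloaded from the shadow copy; the on-stack copy is
 * never consulted, which is why an overflow of buf is harmless here. */
static uintptr_t scs_epilogue(const struct frame *f) {
    (void)f;
    return scs_base[--scs_top];
}

/* One modelled call. overflow: the attacker overwrites the on-stack copy
 * (modelled as a direct store, not real out-of-bounds writing).
 * knows_base: the attacker has an arbitrary write and has already leaked
 * or probed scs_base, so they rewrite the live shadow slot instead.
 * Returns the address the epilogue would return to. */
uintptr_t run_call(int overflow, int knows_base) {
    struct frame f;
    scs_prologue(&f, RA_LEGIT);
    if (overflow)
        f.stack_ra = RA_GADGET;
    if (knows_base)
        scs_base[scs_top - 1] = RA_GADGET;
    return scs_epilogue(&f);
}

/* Probing model: an attacker guessing the base one address at a time.
 * Returns how many guesses a linear scan of the reservation needs, i.e.
 * the cost the randomization imposes in this toy setting. */
size_t probe_cost(void) {
    size_t guesses = 0;
    for (uintptr_t *p = scs_region; ; ++p) {
        ++guesses;
        if (p == scs_base)
            return guesses;
    }
}

int main(void) {
    if (scs_init(7) != 0)
        return 1;
    printf("overflow only        -> 0x%lx\n", (unsigned long)run_call(1, 0));
    printf("arbitrary write+leak -> 0x%lx\n", (unsigned long)run_call(0, 1));
    printf("linear probe cost    -> %zu guesses\n", probe_cost());
    free(scs_region);
    return 0;
}
```

The first call shows the mitigation working: the epilogue ignores the corrupted on-stack slot and returns to RA_LEGIT. The second shows the bypass the thread describes: once the hidden base is known, one arbitrary write to the live slot redirects the return. probe_cost is only a reminder that information hiding buys a search cost, not a hard boundary.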