Playing around with clang's shadow stack support. It was removed in clang-9 for x86_64, and even before that AFAIK there was no runtime support to actually set up the shadow stack & gs register. But with clang-8 you can try it out by using a constructor:
Conversation
Replying to
arm64 implementation is shipped for the Pixel kernels and it was landed in the upstream Linux kernel. It runs fine in arm64 QEMU/KVM too. MTE also works in QEMU/KVM which is how we intend to develop hardened_malloc support ideally in the next few months as prep for ARMv9 devices.
1
2
It's really easy to use the arm64 SCS support in QEMU/KVM though. I don't think there's currently anything missing to block simply turning it on and having it booting with everything working for recent kernel versions.
1
2
Replying to
Neat! Do you know if there's any more detail on what went wrong with the x86_64 port? The documentation is a bit vague ("was evaluated using Chromium and was found to have critical performance and security deficiencies")
1
1
Replying to
x86 doesn't have a link register so there's a race between the check and the return. It could have been addressed within the kernel by making stack mappings thread local. Much harder to do for userspace especially since the disappointing MPK feature doesn't have enough keys.
Perhaps it wouldn't have been removed from Clang if the focus had been the Linux kernel instead of Chromium, or if Android cared one bit about x86 but that's near irrelevant at this point and unlikely to ever be relevant again beyond perhaps Microsoft caring about it.
1
1
x86 also has CET starting to show up now. I think hardware shadow stack support being on the horizon killed the interest in making a better implementation.
It'll be possible to enhance ShadowCallStack on arm64 with ARMv9 MTE though (ARMv8.5 MTE never shipped in hardware AFAIK).
1
Replying to
Hmm, what's the attack scenario for exploiting that race? Perhaps naively it seems like if you have enough control to jump in and change the ret addr between check & ret, you're past the point where ShadowStack would help anyway?
1
Replying to
It was meant to be part of the threat model and there was real world exploitation of those vulnerabilities such as the stack exhaustion (stack clash) race exploitation. I don't fully understand why they removed it. Without Chromium interested in moving it forward it was removed.
2
1
Show replies