LLVM merges SafeStack (opens in new tab)

(github.com)

267 pointstheraven10y ago79 comments

79 comments

ekr10y ago

Does this mean that it will no longer be possible to do things like return-oriented programming?

LE: indeed, it's quite clear from the mentioned article (http://dslab.epfl.ch/pubs/cpi.pdf). So this provides great exploit protection.

masklinn10y ago

According to https://github.com/Microsoft/clang/blob/master/docs/SafeStac... safestack alone doesn't fully protect against ROP:

> With SafeStack alone, an attacker can overwrite a function pointer on the heap or the unsafe stack and cause a program to call arbitrary location, which in turn might enable stack pivoting and return-oriented programming.

And you need additional features (such as CPI from the paper you and the commit message link to) for full protection.

1 more reply

tptacek10y ago

ROP is an exploit technique. Stack corruption is a class of vulnerabilities. There are other memory corruption techniques that can be exploited with ROP.

thisismyhaendel10y ago

It is NOT clear from that article. ROP can occur on the heap and CPI is bypassable (although safestack is a great contribution, and frankly it's about time). There is great literature on this issue already (see many forms of the Control Flow Integrity defense), and many solutions that exist come close to full security without providing it (CPI only protects code pointers, and side-channel attacks that work through data pointers can still achieve arbitrary memory reads and writes). In particular, use-after-free vulnerabilities still exist. Without full memory safety, exploits of these types will always be possible.

pvdebbe10y ago

What is return-oriented programming? Recursion?

moyix10y ago

Return-oriented programming is an exploit technique that relies on reusing snippets of existing code (called gadgets) in a program in order to carry out attacker code. Each gadget generally ends with a return instruction, which causes it to read the address of the next gadget off the stack and jump to it. In this way, arbitrarily complex code can be built up by chaining together sequences of gadgets controlled by an initial set of return addresses on the stack.

It's used as a way to defeat DEP (Data Execution Prevention); with DEP the attacker can no longer write code into memory and then execute it, so instead they just set up the stack cleverly so they can carry out a return-oriented payload (most commonly, these payloads just disable DEP and then move on to a more traditional second stage).

More info:

The paper that introduced the name ROP (though some would argue that the techniques existed before this paper): https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf

Wikipedia: https://en.wikipedia.org/wiki/Return-oriented_programming

ekr10y ago

If you're interested in learning about exploit writing, you might want to check this page : https://www.corelan.be/index.php/articles/ .

garblegarble10y ago

It looks like it's an exploit technique where the stack is modified to set up malicious calls to functions: https://en.wikipedia.org/wiki/Return-oriented_programming

1 more reply

agumonkey10y ago

Accidentally downvoted you. My apologies.

VMG10y ago

If only there was a way to space those two tiny arrows further apart. Let's hope science comes up with a way some day..

1 more reply

viraptor10y ago

Upvoted for you.

thisismyhaendel10y ago

To be clear: SafeStack does NOT prevent return oriented programming. It makes the bar much higher, and it should be lauded for that. But please don't for a second think that this is a solved problem: ROP can occur on the heap, for instance. CPI as a system also does not completely solve the problem: it is possible to break, for example (http://web.mit.edu/ha22286/www/papers/conference/Oakland15.p... ) and despite the CPI author's conclusions, produces high overheads for programs with large amounts of code pointers (C++ programs with vtables are good examples). Also not prevented are attacks that use data pointers (non control-flow data attacks), an area that has seen little study.

thisismyhaendel10y ago

Also see papers like BlindROP: http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf and Sigreturn oriented programming: https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf to get a little bit more of the idea of how complicated ROP can actually get.

VeejayRampay10y ago

From the article: "The overhead of our implementation of the safe stack is very close to zero (0.01% on the Phoronix benchmarks)". That's quite awesome, congratulations.

vanderZwan10y ago

Especially if you add the follow-up sentence:

"This is lower than the overhead of stack cookies, which are supported by LLVM and are commonly used today, yet the security guarantees of the safe stack are strictly stronger than stack cookies."

Win-win for everyone

joosters10y ago

The performance is impressive, considering that maintaining a second stack presumably requires another register exclusively dedicated to it. I'm surprised it makes such little difference. Or are there some cunning optimisations going on?

evanpw10y ago

I was wondering the same thing. The linked article (http://dslab.epfl.ch/pubs/cpi.pdf) says that they don't use a dedicated register. The unsafe stack pointer is saved in the thread control block, accessible through a segment register. From there, they let LLVM choose a register (not necessarily the same one for each function). They also say that only 25% of functions need any unsafe stack access at all, which I guess is why this is faster than using a dedicated register.

tomp10y ago

Essentially, what they are doing is allocating all unsafe objects (i.e. arrays and objects whose pointer is passed to another function) on a dedicated region of the heap (that they call the unsafe stack) that only keeps these objects, so all (de-)allocation happens in the LIFO order and can be implemented as a stack. As pointed out by evanpw, they keep a pointer to this region in the thread-local store.

sanxiyn10y ago

Safe stack gets a dedicated register, unsafe stack does not. Then the problem is to keep as much as possible on safe stack.

moyix10y ago

From the paper:

> This is because objects that end up being moved to the regular (unsafe) stack are usually large arrays or variables that are used through multiple stack frames. Moving such objects away from the safe stack increases the locality of frequently accessed values on the stack, such as CPU register values temporarily stored on the stack, return ad- dresses, and small local variables.

I wonder if this speedup effectively hides the performance overhead of SafeStack.

extropy10y ago

Why don't we have a CPU architecutre with two stacks - one for stack data and another for return addresses?

arielby10y ago

That's what SafeStack (and IA-64) do.

MichaelGG10y ago

Or write code in languages that, you know, don't encourage unwanted arbitrary code execution?

willvarfar10y ago

Apple, which has started distributing LLVM bitcode, will be able to apply it on all the new apps in the App Store transparently.

Google will be able to do likewise for NaCL apps.

coldtea10y ago

>Google will be able to do likewise for NaCL apps

All 5 of them?

TD-Linux10y ago

>Google will be able to do likewise for NaCL apps.

No they won't, because NaCl is native x86. Unless you mean PNaCl, which is a different technology with much less adoption than NaCl.

tptacek10y ago

Should Google bother? The point of NaCL apps is that memory corruption flaws in them aren't supposed to matter.

willvarfar10y ago

Well bother business-wise? I mostly included them for completeness. I'm a bit fan of PNaCL but its not really taken off.

So technically bother, then? NaCL programs are just as susceptible to buffer-overflow as conventional programs, its just they are better sandboxed. Exploit mitigation is a belt-and-braces thing, and I can't see why Google wouldn't be enabling this pass right now as we speak.

You have something compiled in NaCL like the Flash plugin and it can control the camera and stuff and you are hoping that an attacker can't feed it some malformed JPEG or something that makes it use the caps it has in a bad way etc.

Here's the only thread I could dig up on buffer overflows in NaCL: http://permalink.gmane.org/gmane.comp.security.nativeclient....

1 more reply

minthd10y ago

>>Google will be able to do likewise for NaCL apps.

They might be able to apply that over all of android - and that will automatically apply over java based apps.From there it's just a matter of incentives, to rapidly create change in rest of the apps.

higherpurpose10y ago

Apple is making its apps LLVM-based now? Doesn't that mean they could soon push for ARM CPUs in Mac OS, too?

masklinn10y ago

Or, the other way around, for x86_64 in mobile devices.

Now they already can, technically (via fat binaries, they've already been through multiple architectural transitions), the interesting part is they could now go through these transitions without developers having to be involved.

Alphasite_10y ago

No, bit odd is too low level for this and I believe it's only used for iOS apps ATM.

crucialfelix10y ago

yes. developers will be able to submit apps as LLVM Bitcode which means that Apple can switch to ARM for some new device and recompile the app without the developer having to resubmit it.

It also means the end of Universal binaries as Apple can thin the compiled app for each target device.

the PPC switch over was painful, as was the 32 versus 64 bit era. They want to avoid that in the future.

2 more replies

willvarfar10y ago

It means exactly that.

Here's a nice article describing it:

> This means that apps can automatically “take advantage of new processor capabilities we might be adding in the future, without you re-submitting to the store.”

http://thenextweb.com/apple/2015/06/17/apples-biggest-develo...

1 more reply

hughw10y ago

It never occurred to me before to ask, but aren't Emscripten asm.js programs vulnerable to the same exploits C programs are? e.g. I could exploit a buffer overflow in some trusted js code to get some sensitive information from the site. If that's the case, would emcc with SafeStack mitigate that?

comex10y ago

Interesting. I haven't fully digested the paper, but a few notes for context:

- Most real-world exploits these days are based on use-after-frees, heap buffer overflows, and other heap-related weirdness, rather than stack buffer overflows. It's nice that SafeStack mitigates that attack vector though (but if you disable stack canaries in favor of it, you actually reopen the door to exploit certain types of vulnerabilities...)

- A (the most?) common method to proceed from memory corruption to return-oriented programming is to redirect a virtual method call or other indirect jump to a stack pivot instruction. SafeStack alone does nothing to prevent this, so it doesn't prevent ROP.

- However, the general code-pointer indirection mechanisms described in the paper, of which SafeStack is an important component, could make ROP significantly harder, because you would only be able to jump to the starts of functions. This guarantee is similar to Windows's CFG (although the implementation is different), but SafeStack makes it harder to bypass by finding a pointer into the stack (either on the heap or via gadget).

- In practice, interoperation with unprotected OS libraries is likely to seriously compromise the security benefits of the combined scheme, because they will store pointers into the real stack, jump directly to code pointers on the heap, etc. JIT compilers are also likely to be problematic.

- In addition, there are more direct ways for an attacker to work around the protection, such as using as gadgets starts of functions that do some small operation and then proceed to a virtual call on an argument. The larger the application, the more possibilities for bypass there are.

- Still, "harder" is pretty good.

Edit: By the way, the point about function start gadgets makes questionable the paper's claim that "CPI guarantees the impossibility of any control-flow hijack attack based on memory corruptions." Also, if you want to guarantee rsp isn't leaked, it isn't enough to keep all pointers near it out of regular memory: they also have to be kept out of the stack itself, because functions with many (or variable) arguments will read them from the stack - at least, I don't see a claim in the paper about moving them - so subverting an indirect call to go to a function that takes more arguments than actually provided (or just changing a printf format string to have a lot of arguments) will cause whatever data's on the stack to be treated as arguments. Ditto registers that either can be used for arguments or are callee-saved. That means frame pointers have to be disabled or munged, and any cases where LLVM automatically generates temporary pointers for stack stores - which I've seen it do before - have to be addressed.

If you do move non-register arguments to the safe stack then the situation is improved, but you still have to watch out for temporaries left in argument registers.

arielby10y ago

SafeStack is essentially an IA-64/SPARC-style two-stack model - there are no pointers to the %rsp stack.

comex10y ago

The issue is preventing pointers to the real stack on the real stack. I'm pretty sure you can't do that reliably at the LLVM IR level, since as I said such pointers can be introduced during code generation. In fact, I just looked at the source to the merged pass, and it doesn't even try - it only checks if stack pointers are passed to calls, but e.g.

    int *p = cond ? &a : &b;

    ...later enough that this isn't trivially optimized into two stores...

    *p = 1;

will probably not be flagged (it depends on what optimization passes have run before the SafeStack pass), but will put the pointer in the stack or a register that may be saved.

wang_li10y ago

Now if we can get the stack to grow upwards instead of downwards my life will be complete and I can die.

arielby10y ago

IA-64 had this since it was created - nice to see it coming to x86.

j / k navigate · click thread line to collapse

79 comments

ekr10y ago

Does this mean that it will no longer be possible to do things like return-oriented programming?

LE: indeed, it's quite clear from the mentioned article (http://dslab.epfl.ch/pubs/cpi.pdf). So this provides great exploit protection.

masklinn10y ago

According to https://github.com/Microsoft/clang/blob/master/docs/SafeStac... safestack alone doesn't fully protect against ROP:

And you need additional features (such as CPI from the paper you and the commit message link to) for full protection.

1 more reply

tptacek10y ago

ROP is an exploit technique. Stack corruption is a class of vulnerabilities. There are other memory corruption techniques that can be exploited with ROP.

thisismyhaendel10y ago

pvdebbe10y ago

What is return-oriented programming? Recursion?

moyix10y ago

More info:

The paper that introduced the name ROP (though some would argue that the techniques existed before this paper): https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf

Wikipedia: https://en.wikipedia.org/wiki/Return-oriented_programming

ekr10y ago

If you're interested in learning about exploit writing, you might want to check this page : https://www.corelan.be/index.php/articles/ .

garblegarble10y ago

It looks like it's an exploit technique where the stack is modified to set up malicious calls to functions: https://en.wikipedia.org/wiki/Return-oriented_programming

1 more reply

agumonkey10y ago

Accidentally downvoted you. My apologies.

VMG10y ago

If only there was a way to space those two tiny arrows further apart. Let's hope science comes up with a way some day..

1 more reply

viraptor10y ago

Upvoted for you.

thisismyhaendel10y ago

VeejayRampay10y ago

From the article: "The overhead of our implementation of the safe stack is very close to zero (0.01% on the Phoronix benchmarks)". That's quite awesome, congratulations.

vanderZwan10y ago

Especially if you add the follow-up sentence:

"This is lower than the overhead of stack cookies, which are supported by LLVM and are commonly used today, yet the security guarantees of the safe stack are strictly stronger than stack cookies."

Win-win for everyone

joosters10y ago

evanpw10y ago

tomp10y ago

sanxiyn10y ago

Safe stack gets a dedicated register, unsafe stack does not. Then the problem is to keep as much as possible on safe stack.

moyix10y ago

From the paper:

I wonder if this speedup effectively hides the performance overhead of SafeStack.

extropy10y ago

Why don't we have a CPU architecutre with two stacks - one for stack data and another for return addresses?

arielby10y ago

That's what SafeStack (and IA-64) do.

MichaelGG10y ago

Or write code in languages that, you know, don't encourage unwanted arbitrary code execution?

willvarfar10y ago

Apple, which has started distributing LLVM bitcode, will be able to apply it on all the new apps in the App Store transparently.

Google will be able to do likewise for NaCL apps.

coldtea10y ago

>Google will be able to do likewise for NaCL apps

All 5 of them?

TD-Linux10y ago

>Google will be able to do likewise for NaCL apps.

No they won't, because NaCl is native x86. Unless you mean PNaCl, which is a different technology with much less adoption than NaCl.

tptacek10y ago

Should Google bother? The point of NaCL apps is that memory corruption flaws in them aren't supposed to matter.

willvarfar10y ago

Well bother business-wise? I mostly included them for completeness. I'm a bit fan of PNaCL but its not really taken off.

Here's the only thread I could dig up on buffer overflows in NaCL: http://permalink.gmane.org/gmane.comp.security.nativeclient....

1 more reply

minthd10y ago

>>Google will be able to do likewise for NaCL apps.

higherpurpose10y ago

Apple is making its apps LLVM-based now? Doesn't that mean they could soon push for ARM CPUs in Mac OS, too?

masklinn10y ago

Or, the other way around, for x86_64 in mobile devices.

Alphasite_10y ago

No, bit odd is too low level for this and I believe it's only used for iOS apps ATM.

crucialfelix10y ago

yes. developers will be able to submit apps as LLVM Bitcode which means that Apple can switch to ARM for some new device and recompile the app without the developer having to resubmit it.

It also means the end of Universal binaries as Apple can thin the compiled app for each target device.

the PPC switch over was painful, as was the 32 versus 64 bit era. They want to avoid that in the future.

2 more replies

willvarfar10y ago

It means exactly that.

Here's a nice article describing it:

> This means that apps can automatically “take advantage of new processor capabilities we might be adding in the future, without you re-submitting to the store.”

http://thenextweb.com/apple/2015/06/17/apples-biggest-develo...

1 more reply

hughw10y ago

comex10y ago

Interesting. I haven't fully digested the paper, but a few notes for context:

- Still, "harder" is pretty good.

If you do move non-register arguments to the safe stack then the situation is improved, but you still have to watch out for temporaries left in argument registers.

arielby10y ago

SafeStack is essentially an IA-64/SPARC-style two-stack model - there are no pointers to the %rsp stack.

comex10y ago

    int *p = cond ? &a : &b;

    ...later enough that this isn't trivially optimized into two stores...

    *p = 1;

will probably not be flagged (it depends on what optimization passes have run before the SafeStack pass), but will put the pointer in the stack or a register that may be saved.

wang_li10y ago

Now if we can get the stack to grow upwards instead of downwards my life will be complete and I can die.

arielby10y ago

IA-64 had this since it was created - nice to see it coming to x86.

j / k navigate · click thread line to collapse