Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Microsoft Security IT Technology

Microsoft Announces New 'Hardware-Enforced Stack Protection' Feature (zdnet.com) 36

Microsoft announced today a new security feature for the Windows operating system. From a report: Named "Hardware-enforced Stack Protection," this feature allows applications to use the local CPU hardware to protect their code while running inside the CPU's memory. As the feature's name suggests, its primary role is to protect the (memory) stack -- where an app's code is stored during execution. "Hardware-enforced Stack Protection" works by enforcing strict management of the memory stack through the use of a combination between (1) modern CPU hardware and (2) shadow stacks. The term shadow stacks is a new one and refers to a copies of a program's intended execution flow (also referred to as the code's execution order). The new "Hardware-enforced Stack Protection" feature plans to use the hardware-based security features in modern CPUs to keep a copy of the app's shadow stack (intended code execution flow) in a hardware-secured environment.
This discussion has been archived. No new comments can be posted.

Microsoft Announces New 'Hardware-Enforced Stack Protection' Feature

Comments Filter:
  • Bullshit bingo (Score:5, Informative)

    by Joerg Sonnenberger ( 6186994 ) on Wednesday March 25, 2020 @03:26PM (#59871266)
    WTF is this article summary? It makes no sense. Application code hasn't been running on the stack for over a decade. Non-executable stack has been the default behavior of every sane operating system for ages. Does anyone care enough to provide a real summary, if the article actually has a valid point?
    • Re:Bullshit bingo (Score:4, Insightful)

      by pak9rabid ( 1011935 ) on Wednesday March 25, 2020 @03:31PM (#59871282)
      Seems more like a CYA thing for Intel to mask the fact their CPU's are horribly insecure.
    • Re:Bullshit bingo (Score:5, Insightful)

      by Athanasius ( 306480 ) <.gro.yggim. .ta. .todhsals.> on Wednesday March 25, 2020 @04:01PM (#59871382) Homepage
      I think what it's trying to stay is that as each function call is run it copies the current stack of return addresses to this 'shadow stack', and uses that when performing the return. Thus it doesn't matter if you've smashed the stack in that function call it will still be returning where it should rather than to an attacker-chosen memory location. The stack is never executable, but contains pointers to where execution will continue upon a return.
      • by gtall ( 79522 )

        You wouldn't have to save the entire stack then, would you? On function call, send the real return address to the protected blob.

        That doesn't answer how one actually does a return. Are there special return instructions for accessing the protected blob? I'm not familiar with Intel's architecture but the blurb seems to refer to any "modern" architecture.

        This sounds like something cooked up by the marketing dept.

        • Yeah it occurred to me shortly after posting that they literally only need to shadow the return addresses if this is what it's doing. I don't think there are any wrinkles with return values (they'd be set literally as part of the return, so no chance to be used for an overflow) or othersuch, but I'm no expert on the calling conventions.

          As for the actual return, given normally it would be returning by moving execution to the address held in a certain place in the stack, if some flag is on you just need t

        • Yes, CPUs have specific call and return ops, but Iâ(TM)d be worried about some more creative performance optimisations being broken by this. For example, Appleâ(TM)s obj-c runtime optimises out reference count increment and decrements that happen at function return by checking if thereâ(TM)s an increment at the return address and jumping straight from before the decrement to after the increment, and popping the stack. Doesnâ(TM)t seem like that kind of thing would be possible in this e

      • Yeah, it takes a lot of reading of both the summary and the ZDNet article to finally find out what's being announced. Basically it's the use of shadow stacks, something that's been around for awhile, and even has initial support in compilers like LLVM/Clang since 7.0. A shadow stack puts addresses on a different stack to protect them from being overwritten. There were some issues for the x64, mostly stack-use race conditions, but it's present for aarch64. Intel's CET makes it easier to deal with the rac

    • Re:Bullshit bingo (Score:5, Informative)

      by znrt ( 2424692 ) on Wednesday March 25, 2020 @04:32PM (#59871562)

      WTF is this article summary? It makes no sense. Application code hasn't been running on the stack for over a decade. Non-executable stack has been the default behavior of every sane operating system for ages. Does anyone care enough to provide a real summary, if the article actually has a valid point?

      it is explained well enough in the references provided in tfa: https://techcommunity.microsof... [microsoft.com]

      for more general info: https://en.wikipedia.org/wiki/... [wikipedia.org]

      sorry but it is hard to condense all this in a single sentence for you to grasp with minimal effort, beyond what is already expressed in the summary: protect the execution stack. if you can't bother to even skim-read those sources then you really don't need to know anything about these exploits and the mitigation that is intended by this.

    • Re:Bullshit bingo (Score:5, Informative)

      by tlhIngan ( 30335 ) <slashdot&worf,net> on Wednesday March 25, 2020 @04:43PM (#59871622)

      WTF is this article summary? It makes no sense. Application code hasn't been running on the stack for over a decade. Non-executable stack has been the default behavior of every sane operating system for ages. Does anyone care enough to provide a real summary, if the article actually has a valid point?

      It's not for applications, it's for improving application security. Against stack-smashing attacks.

      You see, the stack contains function return pointers that tell the CPU where execution should resume after a subroutine call. It used to be you could put in shellcode on the stack via a buffer and jump into it, but non-executable stacks block this. But since return pointers aren't executable, a new form of programming called Return-Oriented-Programming (ROP) has emerged. In this case, your shellcode consists of function pointers to subroutines, so the CPU is simply returning from a subroutine, it retrieves the return address and then jumps to that code. That code is usually the tail of some function which lets you set up the stack the way you want, then the next subroutine return will "call" the desired function and parameters.

      It's a bit tricky to set up, and requires a sufficiently complex application to have enough functionality to ensure turing completeness.

      Things like ASLR help against ROP because they randomize the target addresses, however if you can discover the address of a function in a library, you can use offsets from that to beat ASLR since a library is typicalloy loaded in one big blob. So the start address of the library may be unknown, but once discovered it is easy to figure out the rest.

      Using this means ROP is effectively dead - the shadow stack is basically the return address - when you do make a subroutine call, the PC is pushed to both the normal application stack, and the shadow stack. You can manipulate the application stack as much as you want - completely destroy it, if desired. When you return, though, the CPU will get the return address from the shadow stack instead of the application stack.

      The shadow stack is guarded and cannot be written to by the application, so you cannot actually manipulate the return address from the application.

      Presumably to increase security there is an additional CPU trap if the shadow stack return address and the application stack return address do not agree - which may be due to an application bug smashing its own stack rather than something malicious.

      • You do not need to smash the stack just escape the application. Interrupts, external events, errors, deadlocks, semaphores, overflows and remote calls are all ways to escape. You do your bit, return as as usual, but now you could have swiped tokens. The cure is non-defective cpus, but speed seems more important than security nowadays.
    • Iâ(TM)m not sure entirely, but I think itâ(TM)s talking about two things:

      1. Using the hardware to protect the stack memory the return address is stored in so that even if you can find a buffer overrun, and figure out where you want to jump to, you canâ(TM)t write the new return address.
      2. Keeping a salted hash of the return address in a random memory location, so that you can verify that the return address hasnâ(TM)t been overwritten. Iâ(TM)m guessing that the location the shadow copy g
    • by gweihir ( 88907 )

      WTF is this article summary? It makes no sense. Application code hasn't been running on the stack for over a decade. Non-executable stack has been the default behavior of every sane operating system for ages. Does anyone care enough to provide a real summary, if the article actually has a valid point?

      Indeed. What is also true is that protecting the stack against execution does not help nearly as much as some people think. For example, return-oriented programming is a away around it, and than there is the little fact that you do not always need code execution to do a successful attack. Just overwriting some neighboring variables on the stack or the heap can be quite enough.

  • by bobstreo ( 1320787 ) on Wednesday March 25, 2020 @03:26PM (#59871270)

    Please feel free to make your own acronyms.

  • this is trash (Score:1, Interesting)

    by SirAstral ( 1349985 )

    Look, I get it... you want "lazy" developers to find a way to run code in a safe environment... well guess what? This just creates a single point of failure and is a failure waiting to happen. Once this "feature" has been compromised nothing in it is safe.

    If security was taken seriously applications would build some security into their software... that way when it becomes compromised... (and it will) it can be updated to patch the hole. Fixing a HW failure/bug/vuln is whole different ballgame.

    We are lite

    • The huge problem I think is a social problem. Yes there always have been and always will be malcontents, but I think this is the most paranoid a society has ever been in human history. Yes, even more than a society under a Soviet, Nazi, or any other kind of fascist and totalitarian regime. People have been worked up into a huge frenzy over the past 40 or so years into believing that everybody else is out together, and there is a $2_LEGGED_MONSTER_TYPE hiding behind every bush. I never heard the term "play

    • by gweihir ( 88907 )

      Indeed. Redundancy (usually called defense-in-depth in secure software engineering) is the thing that all good engineering critically relies on.

  • by istartedi ( 132515 ) on Wednesday March 25, 2020 @04:30PM (#59871548) Journal

    Here's a link to a document from Intel [intel.com] that explains what's going on. Section 1.1 explains the shadow stack.

    My take-away is that there are attacks based on getting the CPU to jump back to something other than the valid return address. The shadow stack is a hardware-protected copy of the working stack. If the code attempts to return someplace other than where it was called from, an exception is raised.

    • Would not it just be simpler to write-protect the stack at the point where the call is placed and the PC pushed onto the stack? This would require only a VERY minor microcode update on the processor and would have nothing whatsoever to do with Microsoft ...

      • by MobyDisk ( 75490 )

        Because it is perfectly legal to modify variables on the stack:


        void main()
        {
              int x = 7; // On the stack
              change(&x);
        }

        void change(int *px)
        {
              *px = 5;
        }

  • All the major OSs have been doing stack protection since the turn of the century. Here is a description of BSD https://argp.github.io/2010/04... [github.io] and Linux https://link.springer.com/arti... [springer.com] while Windows had a stack canary system since 2003.

    This MS announcement is the latest feature, which requires new CPUs. So this is Intel one-upping AMD for a change.

  • Somebody is stealing my cookies. What I need is hardware-assisted snack protection.

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...