On an example Windows 10 22H2 workstation, it's enabled in roughly 40% of processes. Microsoft has been slowly rolling it out, even among their own processes. It will take years for the majority of CPUs to support HSP. HSP requires at least an 11th-gen Intel or 5000-series Ryzen CPU, both released in late 2020. Frames missed by other techniques are in green: ShadowStackWalk doesn't care about forged stack frames. ShadowStackWalk is unaffected by intentional breaks of the call stack such as ThreadStackSpoofer. When the stack is normal, ShadowStackWalk functions similarly to CaptureStackBackTrace and StackWalk64: We present ShadowStackWalk, a PoC that implements CaptureStackBackTrace/StackWalk64 using the shadow stack to catch thread stack spoofing. StackWalk64) and inline stack traces like Sysmon Open Process events.īy comparing a traditional stack walk against its shadowy sibling, we can both detect and bypass thread stack spoofing. Adversaries can use techniques demonstrated in ThreadStackSpoofer and CallStackSpoofer to obfuscate their presence against thread stack scans (e.g. The shadow stack provides an interesting detection opportunity. Given that the entire shadow stack likely resides on a single page and no unwinding is required, shadow stack walking is probably more performant than traditional stack walking, though this has yet to be proven. You can see the traverse/unwind process approximated here in ReactOS, sans cache. These lookups were slow enough that Microsoft saw fit to construct a multi-tier cache system when they added 圆4 support. On 圆4 platforms, a stack walk entails capturing the thread’s context, then looking up a data structure for each frame that enables the walker to "unwind" it and find the next frame. Kernel mode components such as EDR and ETW often capture stack traces to provide additional context to each event. Note how the two stack traces are identical except for the first frame: dps resolves all symbols it can find, starting at SSP - this is essentially a shadow stack trace. The k command displays a regular stack trace. It's also useful in situations where the stack unwind data is unavailable.įor example, see the WinDbg output below for a process memory dump. This can be very useful when debugging stack corruption bugs that overwrite return addresses, because the shadow stack is independent. Modern versions of WinDbg will display a hint to the user that they can use SSP as an alternate way to recover a stack trace. DebuggingĪlthough designed as an exploit mitigation, HSP provides useful data for other purposes. Today we’re going to discuss three additional benefits that HSP brings, beyond the intended exploit mitigation capability, then go into some limitations. In theory, ROP attacks are mitigated because attackers can't write arbitrary values to the read-only shadow stack, and changing the Shadow Stack Pointer (SSP) is a privileged operation, making pivots impossible. Conversely, RET instructions pop the return address from both stacks, generating an exception if they mismatch. Whenever a CALL instruction executes, the current instruction pointer (aka return address) is pushed onto both the regular and shadow stacks. Contrast this with the regular stack, which interleaves data with return addresses, and must be writable for applications to function correctly. It is read-only in user mode, and consists exclusively of return addresses. HSP creates a shadow stack, separate from the regular stack. Note that the terms HSP and CET are often used interchangeably. Backed by silicon, HSP uses Intel's Control flow Enforcement Technology (CET) and AMD's Shadow Stack, combined with software support described in great detail by Yarden Shafir and Alex Ionescu. HSP is an exploit mitigation technology that prevents corruption of return addresses on the stack, a common component of code reuse attacks for software exploitation. Microsoft has begun rolling out user-mode Hardware Stack Protection (HSP) starting in Windows 10 20H1.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |