Zipper Stack: Shadow Stacks Without Shadow
This addresses security vulnerabilities in return address protection for systems facing advanced threats, offering a novel defense with minimal performance impact.
The paper tackles the problem of protecting return addresses against powerful attackers with full memory control and knowledge of secret keys, presenting Zipper Stack, a lightweight mechanism that uses cryptographic MACs in a chain structure, achieving a performance overhead of only 1.86% in FPGA evaluation.
Return-Oriented Programming (ROP) is a typical attack technique that exploits return addresses to abuse existing code repeatedly. Most of the current return address protecting mechanisms (also known as the Backward-Edge Control-Flow Integrity) work only in limited threat models. For example, the attacker cannot break memory isolation, or the attacker has no knowledge of a secret key or random values. This paper presents a novel, lightweight mechanism protecting return addresses, Zipper Stack, which authenticates all return addresses by a chain structure using cryptographic message authentication codes (MACs). This innovative design can defend against the most powerful attackers who have full control over the program's memory and even know the secret key of the MAC function. This threat model is stronger than the one used in related work. At the same time, it produces low-performance overhead. We implemented Zipper Stack by extending the RISC-V instruction set architecture, and the evaluation on FPGA shows that the performance overhead of Zipper Stack is only 1.86%. Thus, we think Zipper Stack is suitable for actual deployment.