PACSTack: 一个经认证的呼叫堆栈 (PACStack: an Authenticated Call Stack)

A popular run-time attack technique is to compromise the control-flow integrity of a program by modifying function return addresses on the stack. So far, shadow stacks have proven to be essential for comprehensively preventing return address manipulation. Shadow stacks record return addresses in integrity-protected memory secured with hardware-assistance or software access control. Software shadow stacks incur high overheads or trade off security for efficiency. Hardware-assisted shadow stacks are efficient and secure, but require the deployment of special-purpose hardware. We present authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs). Our prototype, PACStack, uses the ARM general purpose hardware mechanism for pointer authentication (PA) to implement ACS. Via a rigorous security analysis, we show that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware. We demonstrate that PACStack's performance overhead is small (~3%).

翻译：流行的运行时间攻击技术是通过修改堆叠的功能返回地址来损害一个程序的控制流完整性。到目前为止, 影子堆叠已证明是全面防止回收地址操纵的关键。阴影堆叠记录了以硬件援助或软件访问控制方式保护的完整记忆中的返回地址。软件的影子堆叠产生高额间接费用或交换安全效率。硬件辅助的影子堆叠是高效和安全的, 但需要部署特殊用途的硬件。我们展示了经认证的调用堆叠( ACS ), 这是一种使用链条信息认证代码的方法。我们的原型 PACSTack 使用ARM通用硬件机制进行指针认证( PA) 。我们通过严格的安全分析显示, PACSTack 在不需要专用硬件的情况下实现了与硬件辅助的影子堆叠相当的安全。我们证明 PACSTack 的性能管理费用很小( ~ 3% ) 。