Sciweavers

Share
CCS
2015
ACM

The Performance Cost of Shadow Stacks and Stack Canaries

3 years 10 months ago
The Performance Cost of Shadow Stacks and Stack Canaries
Control flow defenses against ROP either use strict, expensive, but strong protection against redirected RET instructions with shadow stacks, or much faster but weaker protections without. In this work we study the inherent overheads of shadow stack schemes. We find that the overhead is roughly 10% for a traditional shadow stack. We then design a new scheme, the parallel shadow stack, and show that its performance cost is significantly less: 3.5%. Our measurements suggest it will not be easy to improve performance on current x86 processors further, due to inherent costs associated with RET and memory load/store instructions. We conclude with a discussion of the design decisions in our shadow stack instrumentation, and possible lighter-weight alternatives. Categories and Subject Descriptors D.4.6 [Operating Systems]: Security and Protection General Terms shadow stack, stack canary, stack cookie
Thurston H. Y. Dang, Petros Maniatis, David Wagner
Added 17 Apr 2016
Updated 17 Apr 2016
Type Journal
Year 2015
Where CCS
Authors Thurston H. Y. Dang, Petros Maniatis, David Wagner
Comments (0)
books