A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow Integrity

Manipulations of return addresses on the stack are the basis for a variety of attacks on programs written in memory unsafe languages. Dual stack schemes for protecting return addresses promise an efficient and effective defense against such attacks. By introducing a second, safe stack to separate return addresses from potentially unsafe stack objects, they prevent attacks that, for example, maliciously modify a return address by overflowing a buffer. However, the security of dual stacks is based on the concealment of the safe stack in memory. Unfortunately, all current dual stack schemes are vulnerable to information disclosure attacks that are able to reveal the safe stack location, and therefore effectively break their promised security properties. In this paper, we present a new, leak-resilient dual stack scheme capable of withstanding sophisticated information disclosure attacks. We carefully study previous dual stack schemes and systematically develop a novel design for stack separation that eliminates flaws leading to the disclosure of safe stacks. We show the feasibility and practicality of our approach by presenting a full integration into the LLVM compiler framework with support for the x86-64 and ARM64 architectures. With an average of 2.7% on x86-64 and 0.0% on ARM64, the performance overhead of our implementation is negligible.