What Register Is Return Address Stored

Next: Performance Effects Up: Implementation Previous: Encrypted Stack Frame

Return-Address Stack

The pinnacle incarnation of StackGhost would implement what processor architects call a ``return-address stack''. To improve unconditional branch prediction, mod processors proceed a FIFO stack in silicon of the render addresses of function calls [15,11,3]. Every time a Telephone call instruction is executed, its return address is pushed onto the stack. Every fourth dimension a Render instruction enters the pipeline, the adjacent accost is popped off the stack and the processor continues fetching from the associated address seamlessly. A few cycles later, the real return address volition be established and the processor can recover from a misprediction if need exist.

We shall depict the theory developed to appointment. Our pattern criteria are as follows:

1. The machinery must pause no standard or mutual software.
2. The machinery must guarantee the detection of a smashed stack.
3. The mechanism must kill any process with a corrupt stack.
4. The mechanism must take negligible memory utilization.
5. The machinery must exist implementable and debugable.

An obvious offset approach might be to build in a return-accost stack every bit a FIFO queue but as is done in hardware. Unfortunately, something then simple would interruption userland threading, setjmp() and longjmp(), and perhaps C++ exceptions. Setjmp(), longjmp() and C++ exceptions introduce the trouble that multiple return addresses can be bypassed by a deep multi-level return. This can be solved past scanning the unabridged stack until the return address tin can be located. Userland threading introduces a similar state of affairs. When a thread relinquishes the processor to a sibling thread, it switches to a seperate stack. The 2d thread may exist at the apex of a deep calling sequence and start returning. Again the queue will be out of order instead of FIFO and may have to be walked for every return. Performance will be sacrificed. If a thread is terminated or a programme longjmp()'s, queue entries will reference stale stack frames and persist until the procedure terminates.

A more refined approach to designing a render-address stack is to add together a small hash table in the PCB. Every fourth dimension a annals window needs to be cleansed, the machinery would add together an entry into the hash table (indexed off the base address of the stack frame). And and then store the base accost to utilize equally the comparison tag, the render pointer, and a random 32-chip number. In the identify of the return address in the stack frame, information technology would identify a re-create of the random number. When StackGhost retrieves the stack frame to refill the annals window, it can compare the random number on the stack with its image in the hash table. If the instances exercise not match, an exploit has occurred and the program must be aborted. Otherwise, StackGhost fills the register return address with the one stored in the hash table.

A return-address hash table alleviates the operation problems associated with userland threading just does not accost the memory leak associated with setjmp and longjmp or a terminated thread. Fortunately, setjmp and longjmp are both assisted by the kernel as a arrangement call. Upon receiving the longjmp syscall, the kernel tin walk backwards through the stack until the setjmp location is found, removing the hash entries along the mode. An indirect benefit of walking the stack is that it besides helps secure the jmpbuf (setjmp storage buffer).

For operating systems other than OpenBSD that support symmetric multiprocessing on Sparc and with kernel managed threads, common exclusion would have to exist guaranteed at some level on the hash tabular array. A locking primitive per window overflow and underflow handler invocation may prove prohibitivly expensive.

Further testing in a conscientious multi-user environment would be needed.

---

Next: Performance Furnishings Up: Implementation Previous: Encrypted Stack Frame

2001-05-12

Source: https://projects.cerias.purdue.edu/stackghost/stackghost/node11.html

Posted by: matapeng1987.blogspot.com

Share this post