docs/SafeStack.rst - llvm-project/clang - Git at Google

 =========
 SafeStack
 =========

 .. contents::
    :local:

 Introduction
 ============

 SafeStack is an instrumentation pass that protects programs against attacks
 based on stack buffer overflows, without introducing any measurable performance
 overhead. It works by separating the program stack into two distinct regions:
 the safe stack and the unsafe stack. The safe stack stores return addresses,
 register spills, and local variables that are always accessed in a safe way,
 while the unsafe stack stores everything else. This separation ensures that
 buffer overflows on the unsafe stack cannot be used to overwrite anything
 on the safe stack.

 SafeStack is a part of the `Code-Pointer Integrity (CPI) Project
 <https://dslab.epfl.ch/proj/cpi/>`_.

 Performance
 -----------

 The performance overhead of the SafeStack instrumentation is less than 0.1% on
 average across a variety of benchmarks (see the `Code-Pointer Integrity
 <https://dslab.epfl.ch/pubs/cpi.pdf>`__ paper for details). This is mainly
 because most small functions do not have any variables that require the unsafe
 stack and, hence, do not need unsafe stack frames to be created. The cost of
 creating unsafe stack frames for large functions is amortized by the cost of
 executing the function.

 In some cases, SafeStack actually improves the performance. Objects that end up
 being moved to the unsafe stack are usually large arrays or variables that are
 used through multiple stack frames. Moving such objects away from the safe
 stack increases the locality of frequently accessed values on the stack, such
 as register spills, return addresses, and small local variables.

 Compatibility
 -------------

 Most programs, static libraries, or individual files can be compiled
 with SafeStack as is. SafeStack requires basic runtime support, which, on most
 platforms, is implemented as a compiler-rt library that is automatically linked
 in when the program is compiled with SafeStack.

 Linking a DSO with SafeStack is not currently supported.

 Known compatibility limitations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Certain code that relies on low-level stack manipulations requires adaption to
 work with SafeStack. One example is mark-and-sweep garbage collection
 implementations for C/C++ (e.g., Oilpan in chromium/blink), which must be
 changed to look for the live pointers on both safe and unsafe stacks.

 SafeStack supports linking statically modules that are compiled with and
 without SafeStack. An executable compiled with SafeStack can load dynamic
 libraries that are not compiled with SafeStack. At the moment, compiling
 dynamic libraries with SafeStack is not supported.

 Signal handlers that use ``sigaltstack()`` must not use the unsafe stack (see
 ``__attribute__((no_sanitize("safe-stack")))`` below).

 Programs that use APIs from ``ucontext.h`` are not supported yet.

 Security
 --------

 SafeStack protects return addresses, spilled registers and local variables that
 are always accessed in a safe way by separating them in a dedicated safe stack
 region. The safe stack is automatically protected against stack-based buffer
 overflows, since it is disjoint from the unsafe stack in memory, and it itself
 is always accessed in a safe way. In the current implementation, the safe stack
 is protected against arbitrary memory write vulnerabilities though
 randomization and information hiding: the safe stack is allocated at a random
 address and the instrumentation ensures that no pointers to the safe stack are
 ever stored outside of the safe stack itself (see limitations below).

 Known security limitations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

 A complete protection against control-flow hijack attacks requires combining
 SafeStack with another mechanism that enforces the integrity of code pointers
 that are stored on the heap or the unsafe stack, such as `CPI
 <https://dslab.epfl.ch/proj/cpi/>`_, or a forward-edge control flow integrity
 mechanism that enforces correct calling conventions at indirect call sites,
 such as `IFCC <https://research.google.com/pubs/archive/42808.pdf>`_ with arity
 checks. Clang has control-flow integrity protection scheme for :doc:`C++ virtual
 calls <ControlFlowIntegrity>`, but not non-virtual indirect calls. With
 SafeStack alone, an attacker can overwrite a function pointer on the heap or
 the unsafe stack and cause a program to call arbitrary location, which in turn
 might enable stack pivoting and return-oriented programming.

 In its current implementation, SafeStack provides precise protection against
 stack-based buffer overflows, but protection against arbitrary memory write
 vulnerabilities is probabilistic and relies on randomization and information
 hiding. The randomization is currently based on system-enforced ASLR and shares
 its known security limitations. The safe stack pointer hiding is not perfect
 yet either: system library functions such as ``swapcontext``, exception
 handling mechanisms, intrinsics such as ``__builtin_frame_address``, or
 low-level bugs in runtime support could leak the safe stack pointer. In the
 future, such leaks could be detected by static or dynamic analysis tools and
 prevented by adjusting such functions to either encrypt the stack pointer when
 storing it in the heap (as already done e.g., by ``setjmp``/``longjmp``
 implementation in glibc), or store it in a safe region instead.

 The `CPI paper <https://dslab.epfl.ch/pubs/cpi.pdf>`_ describes two alternative,
 stronger safe stack protection mechanisms, that rely on software fault
 isolation, or hardware segmentation (as available on x86-32 and some x86-64
 CPUs).

 At the moment, SafeStack assumes that the compiler's implementation is correct.
 This has not been verified except through manual code inspection, and could
 always regress in the future. It's therefore desirable to have a separate
 static or dynamic binary verification tool that would check the correctness of
 the SafeStack instrumentation in final binaries.

 Usage
 =====

 To enable SafeStack, just pass ``-fsanitize=safe-stack`` flag to both compile
 and link command lines.

 Supported Platforms
 -------------------

 SafeStack was tested on Linux, NetBSD, FreeBSD and macOS.

 Low-level API
 -------------

 ``__has_feature(safe_stack)``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 In some rare cases one may need to execute different code depending on
 whether SafeStack is enabled. The macro ``__has_feature(safe_stack)`` can
 be used for this purpose.

 .. code-block:: c

     #if __has_feature(safe_stack)
     // code that builds only under SafeStack
     #endif

 ``__attribute__((no_sanitize("safe-stack")))``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Use ``__attribute__((no_sanitize("safe-stack")))`` on a function declaration
 to specify that the safe stack instrumentation should not be applied to that
 function, even if enabled globally (see ``-fsanitize=safe-stack`` flag). This
 attribute may be required for functions that make assumptions about the
 exact layout of their stack frames.

 All local variables in functions with this attribute will be stored on the safe
 stack. The safe stack remains unprotected against memory errors when accessing
 these variables, so extra care must be taken to manually ensure that all such
 accesses are safe. Furthermore, the addresses of such local variables should
 never be stored on the heap, as it would leak the location of the SafeStack.

 ``__builtin___get_unsafe_stack_ptr()``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 This builtin function returns current unsafe stack pointer of the current
 thread.

 ``__builtin___get_unsafe_stack_bottom()``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 This builtin function returns a pointer to the bottom of the unsafe stack of the
 current thread.

 ``__builtin___get_unsafe_stack_top()``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 This builtin function returns a pointer to the top of the unsafe stack of the
 current thread.

 ``__builtin___get_unsafe_stack_start()``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Deprecated: This builtin function is an alias for
 ``__builtin___get_unsafe_stack_bottom()``.

 Design
 ======

 Please refer to the `Code-Pointer Integrity <https://dslab.epfl.ch/proj/cpi/>`__
 project page for more information about the design of the SafeStack and its
 related technologies.

 setjmp and exception handling
 -----------------------------

 The `OSDI'14 paper <https://dslab.epfl.ch/pubs/cpi.pdf>`_ mentions that
 on Linux the instrumentation pass finds calls to setjmp or functions that
 may throw an exception, and inserts required instrumentation at their call
 sites. Specifically, the instrumentation pass saves the shadow stack pointer
 on the safe stack before the call site, and restores it either after the
 call to setjmp or after an exception has been caught. This is implemented
 in the function ``SafeStack::createStackRestorePoints``.

 Publications
 ------------

 `Code-Pointer Integrity <https://dslab.epfl.ch/pubs/cpi.pdf>`__.
 Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, Dawn Song.
 USENIX Symposium on Operating Systems Design and Implementation
 (`OSDI <https://www.usenix.org/conference/osdi14>`_), Broomfield, CO, October 2014
	=========
	SafeStack
	=========

	.. contents::
	:local:

	Introduction
	============

	SafeStack is an instrumentation pass that protects programs against attacks
	based on stack buffer overflows, without introducing any measurable performance
	overhead. It works by separating the program stack into two distinct regions:
	the safe stack and the unsafe stack. The safe stack stores return addresses,
	register spills, and local variables that are always accessed in a safe way,
	while the unsafe stack stores everything else. This separation ensures that
	buffer overflows on the unsafe stack cannot be used to overwrite anything
	on the safe stack.

	SafeStack is a part of the `Code-Pointer Integrity (CPI) Project
	<https://dslab.epfl.ch/proj/cpi/>`_.

	Performance
	-----------

	The performance overhead of the SafeStack instrumentation is less than 0.1% on
	average across a variety of benchmarks (see the `Code-Pointer Integrity
	<https://dslab.epfl.ch/pubs/cpi.pdf>`__ paper for details). This is mainly
	because most small functions do not have any variables that require the unsafe
	stack and, hence, do not need unsafe stack frames to be created. The cost of
	creating unsafe stack frames for large functions is amortized by the cost of
	executing the function.

	In some cases, SafeStack actually improves the performance. Objects that end up
	being moved to the unsafe stack are usually large arrays or variables that are
	used through multiple stack frames. Moving such objects away from the safe
	stack increases the locality of frequently accessed values on the stack, such
	as register spills, return addresses, and small local variables.

	Compatibility
	-------------

	Most programs, static libraries, or individual files can be compiled
	with SafeStack as is. SafeStack requires basic runtime support, which, on most
	platforms, is implemented as a compiler-rt library that is automatically linked
	in when the program is compiled with SafeStack.

	Linking a DSO with SafeStack is not currently supported.

	Known compatibility limitations
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	Certain code that relies on low-level stack manipulations requires adaption to
	work with SafeStack. One example is mark-and-sweep garbage collection
	implementations for C/C++ (e.g., Oilpan in chromium/blink), which must be
	changed to look for the live pointers on both safe and unsafe stacks.

	SafeStack supports linking statically modules that are compiled with and
	without SafeStack. An executable compiled with SafeStack can load dynamic
	libraries that are not compiled with SafeStack. At the moment, compiling
	dynamic libraries with SafeStack is not supported.

	Signal handlers that use ``sigaltstack()`` must not use the unsafe stack (see
	``__attribute__((no_sanitize("safe-stack")))`` below).

	Programs that use APIs from ``ucontext.h`` are not supported yet.

	Security
	--------

	SafeStack protects return addresses, spilled registers and local variables that
	are always accessed in a safe way by separating them in a dedicated safe stack
	region. The safe stack is automatically protected against stack-based buffer
	overflows, since it is disjoint from the unsafe stack in memory, and it itself
	is always accessed in a safe way. In the current implementation, the safe stack
	is protected against arbitrary memory write vulnerabilities though
	randomization and information hiding: the safe stack is allocated at a random
	address and the instrumentation ensures that no pointers to the safe stack are
	ever stored outside of the safe stack itself (see limitations below).

	Known security limitations
	~~~~~~~~~~~~~~~~~~~~~~~~~~

	A complete protection against control-flow hijack attacks requires combining
	SafeStack with another mechanism that enforces the integrity of code pointers
	that are stored on the heap or the unsafe stack, such as `CPI
	<https://dslab.epfl.ch/proj/cpi/>`_, or a forward-edge control flow integrity
	mechanism that enforces correct calling conventions at indirect call sites,
	such as `IFCC <https://research.google.com/pubs/archive/42808.pdf>`_ with arity
	checks. Clang has control-flow integrity protection scheme for :doc:`C++ virtual
	calls <ControlFlowIntegrity>`, but not non-virtual indirect calls. With
	SafeStack alone, an attacker can overwrite a function pointer on the heap or
	the unsafe stack and cause a program to call arbitrary location, which in turn
	might enable stack pivoting and return-oriented programming.

	In its current implementation, SafeStack provides precise protection against
	stack-based buffer overflows, but protection against arbitrary memory write
	vulnerabilities is probabilistic and relies on randomization and information
	hiding. The randomization is currently based on system-enforced ASLR and shares
	its known security limitations. The safe stack pointer hiding is not perfect
	yet either: system library functions such as ``swapcontext``, exception
	handling mechanisms, intrinsics such as ``__builtin_frame_address``, or
	low-level bugs in runtime support could leak the safe stack pointer. In the
	future, such leaks could be detected by static or dynamic analysis tools and
	prevented by adjusting such functions to either encrypt the stack pointer when
	storing it in the heap (as already done e.g., by ``setjmp``/``longjmp``
	implementation in glibc), or store it in a safe region instead.

	The `CPI paper <https://dslab.epfl.ch/pubs/cpi.pdf>`_ describes two alternative,
	stronger safe stack protection mechanisms, that rely on software fault
	isolation, or hardware segmentation (as available on x86-32 and some x86-64
	CPUs).

	At the moment, SafeStack assumes that the compiler's implementation is correct.
	This has not been verified except through manual code inspection, and could
	always regress in the future. It's therefore desirable to have a separate
	static or dynamic binary verification tool that would check the correctness of
	the SafeStack instrumentation in final binaries.

	Usage
	=====

	To enable SafeStack, just pass ``-fsanitize=safe-stack`` flag to both compile
	and link command lines.

	Supported Platforms
	-------------------

	SafeStack was tested on Linux, NetBSD, FreeBSD and macOS.

	Low-level API
	-------------

	``__has_feature(safe_stack)``
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	In some rare cases one may need to execute different code depending on
	whether SafeStack is enabled. The macro ``__has_feature(safe_stack)`` can
	be used for this purpose.

	.. code-block:: c

	#if __has_feature(safe_stack)
	// code that builds only under SafeStack
	#endif

	``__attribute__((no_sanitize("safe-stack")))``
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	Use ``__attribute__((no_sanitize("safe-stack")))`` on a function declaration
	to specify that the safe stack instrumentation should not be applied to that
	function, even if enabled globally (see ``-fsanitize=safe-stack`` flag). This
	attribute may be required for functions that make assumptions about the
	exact layout of their stack frames.

	All local variables in functions with this attribute will be stored on the safe
	stack. The safe stack remains unprotected against memory errors when accessing
	these variables, so extra care must be taken to manually ensure that all such
	accesses are safe. Furthermore, the addresses of such local variables should
	never be stored on the heap, as it would leak the location of the SafeStack.

	``__builtin___get_unsafe_stack_ptr()``
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	This builtin function returns current unsafe stack pointer of the current
	thread.

	``__builtin___get_unsafe_stack_bottom()``
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	This builtin function returns a pointer to the bottom of the unsafe stack of the
	current thread.

	``__builtin___get_unsafe_stack_top()``
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	This builtin function returns a pointer to the top of the unsafe stack of the
	current thread.

	``__builtin___get_unsafe_stack_start()``
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	Deprecated: This builtin function is an alias for
	``__builtin___get_unsafe_stack_bottom()``.

	Design
	======

	Please refer to the `Code-Pointer Integrity <https://dslab.epfl.ch/proj/cpi/>`__
	project page for more information about the design of the SafeStack and its
	related technologies.

	setjmp and exception handling
	-----------------------------

	The `OSDI'14 paper <https://dslab.epfl.ch/pubs/cpi.pdf>`_ mentions that
	on Linux the instrumentation pass finds calls to setjmp or functions that
	may throw an exception, and inserts required instrumentation at their call
	sites. Specifically, the instrumentation pass saves the shadow stack pointer
	on the safe stack before the call site, and restores it either after the
	call to setjmp or after an exception has been caught. This is implemented
	in the function ``SafeStack::createStackRestorePoints``.

	Publications
	------------

	`Code-Pointer Integrity <https://dslab.epfl.ch/pubs/cpi.pdf>`__.
	Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, Dawn Song.
	USENIX Symposium on Operating Systems Design and Implementation
	(`OSDI <https://www.usenix.org/conference/osdi14>`_), Broomfield, CO, October 2014