Technical presentation - 30 minutes (including Q&A)
Return Oriented Programming (ROP) is a powerful technique in which attackers divert a program by modifying a function's return address. By then returning through a chain of code snippets already present in the binary ("gadgets"), they can make the program behave maliciously. There are many causes of return address corruption and many mitigations: stack protectors, Pointer Authentication, secure programming practices, and entirely different programming models such as CHERI's capabilities. Another is the shadow stack. Armv9.4-A brings the Guarded Control Stack (GCS) extension, Arm's hardware implementation of this concept. With GCS, the normal stack and the return stack are separated, enabling the processor to detect when an invalid return address is used, in a lightweight manner and with minimal modifications to existing software. In this presentation I will show how a ROP attack might start, briefly cover existing mitigations, and then compare them to GCS, which I will explain in detail, showing step by step how GCS prevents these attacks. The audience will gain an understanding of GCS and how to try it on their own software.
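The separation of the normal stack from the return stack can be illustrated with a small software model. The following C program is an added example, not code from the talk or from Arm: it keeps two arrays standing in for the normal stack and the guarded stack, pushes the same return address to both on a call, and on return compares what the epilogue would reload from the normal stack against what the guarded stack holds, reporting a fault on mismatch. The addresses (`RET_BASE`, `CORRUPT_ADDR`) and all function names are constructed for the model; in real GCS the comparison on return is between the link register and the guarded stack entry, and the guarded stack is not ordinary writable memory, which is exactly why corrupting the saved copy on the normal stack is detected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16

/* Hypothetical code addresses used as return targets in the model. */
#define RET_BASE 0x1000u
#define CORRUPT_ADDR 0xdeadu /* constructed value standing in for a bogus return target */

/* Two stacks, as in the GCS design: the normal stack holds return addresses
 * beside ordinary data; the guarded stack holds only return addresses and is
 * written solely by the (modelled) hardware on call and return. */
typedef struct {
    uintptr_t normal[STACK_DEPTH];
    uintptr_t guarded[STACK_DEPTH];
    size_t normal_sp;
    size_t guarded_sp;
} gcs_model_t;

typedef enum { RET_OK, RET_GCS_FAULT, RET_UNDERFLOW, RET_OVERFLOW } ret_status_t;

void gcs_model_init(gcs_model_t *m) {
    m->normal_sp = 0;
    m->guarded_sp = 0;
}

/* Call: the prologue spills the link register to the normal stack, and the
 * hardware pushes the same return address onto the guarded stack. */
bool model_call(gcs_model_t *m, uintptr_t return_addr) {
    if (m->normal_sp >= STACK_DEPTH || m->guarded_sp >= STACK_DEPTH) {
        return false;
    }
    m->normal[m->normal_sp++] = return_addr;
    m->guarded[m->guarded_sp++] = return_addr;
    return true;
}

/* Corruption of the most recently saved return address on the normal stack,
 * modelling what an overflow of an adjacent buffer would do. The guarded
 * stack is not ordinary writable memory, so it is unaffected. */
bool model_corrupt_saved_return(gcs_model_t *m, uintptr_t value) {
    if (m->normal_sp == 0) return false;
    m->normal[m->normal_sp - 1] = value;
    return true;
}

/* Return: the epilogue reloads the return address from the normal stack into
 * the link register; the return instruction pops the guarded stack and
 * compares. A mismatch raises a GCS fault instead of transferring control. */
ret_status_t model_return(gcs_model_t *m, uintptr_t *target) {
    if (m->normal_sp == 0 || m->guarded_sp == 0) return RET_UNDERFLOW;
    uintptr_t lr = m->normal[--m->normal_sp];
    uintptr_t expected = m->guarded[--m->guarded_sp];
    if (lr != expected) return RET_GCS_FAULT;
    *target = lr;
    return RET_OK;
}

/* Scenario: `depth` nested calls, optional corruption of the innermost saved
 * return address, then one return. Reports the status and the target reached. */
ret_status_t run_scenario(size_t depth, bool corrupt, uintptr_t *target) {
    gcs_model_t m;
    gcs_model_init(&m);
    for (size_t i = 0; i < depth; i++) {
        if (!model_call(&m, RET_BASE + 4 * i)) return RET_OVERFLOW;
    }
    if (corrupt) model_corrupt_saved_return(&m, CORRUPT_ADDR);
    return model_return(&m, target);
}

int main(void) {
    uintptr_t target = 0;
    ret_status_t s = run_scenario(3, false, &target);
    printf("clean return: status %d, target 0x%lx\n", (int)s, (unsigned long)target);
    s = run_scenario(3, true, &target);
    printf("corrupted return: status %d (1 = GCS fault)\n", (int)s);
    return 0;
}
```

The clean scenario returns to the innermost saved address; the corrupted one never transfers control, because the guarded stack still holds the original value and the comparison fails. A stack protector would instead detect the same corruption only if the canary beside the return address was also overwritten, which is the contrast the talk draws.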