riscv / riscv-cfi

This specification is integrated into the Priv. and Unpriv. specifications. This repo is no longer maintained. Please refer to the Priv. and Unpriv. specifications at https://github.com/riscv/riscv-isa-manual
https://lf-riscv.atlassian.net/browse/RVG-80
Creative Commons Attribution 4.0 International

Hidden Execution Path of Backward Edge CFI #47

Closed henry-hsieh closed 1 year ago

henry-hsieh commented 1 year ago

In this ROP attack paper, the authors managed to attack RISC-V using a hidden execution path in the code. The return instructions return to addresses which are not instruction heads. This only happens when the C extension is enabled. In this case, the attacker may find return instructions without the shadow stack protection to construct the gadgets.

ved-rivos commented 1 year ago

Thanks. This paper shows a ROP technique that relies on corruption of the return address variable to start a ROP chain. That software techniques like stack canaries can be defeated has been demonstrated. Transferring control to invalid instructions, including starting execution in the middle of an instruction to create these hidden instructions, is also a well-known technique with unaligned ISAs like x86 and RISC-V (with the C extension); it was originally shown by Shacham. Bypassing function prologues, and hence checks, as done in this paper by transferring to the middle of the setuid function is also commonly used by code reuse attacks.

These threats and techniques are addressed by the RISC-V CFI extension with hardware enforced shadow stack and labeled landing pads to protect the control flow to ensure that return address variables are protected and control transfer occurs only to valid targets (and not middle of instructions) in the program. Please also see issue #25.

henry-hsieh commented 1 year ago

OK. Basically, the shadow stack is used to stop the starting return instruction of a ROP chain, which must be the main instruction instead of the hidden instruction, even though other gadgets may use hidden instructions. That's why the return instruction doesn't require an ELP-like landing pad.

ved-rivos commented 1 year ago

Yes, the shadow stack provides a protected store for the return addresses so that returns can only be to the instruction after a previous call.
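The return-address check described in this reply, as an added toy model that is not code from the riscv-cfi repository or from the CFI specification. The event format, the addresses and the function names (`run`, `demo`, `ShadowStackFault`) are constructed for this example; the model abstracts away how the real extension protects the shadow stack memory and only shows why a corrupted return address on the data stack cannot redirect a return.

```python
"""Toy model of a hardware-enforced shadow stack (constructed example).

The data stack can be overwritten by a memory-safety bug; the shadow stack
is written only by the call/return logic. On return the two saved return
addresses must match, so a corrupted return address cannot redirect control
and the first return of a would-be chain faults instead of executing.
"""


class ShadowStackFault(Exception):
    """Raised when the data-stack return address disagrees with the shadow stack."""


def run(program, shadow_stack_enabled=True):
    """Execute a list of events and return the addresses control returned to.

    Events (constructed for this example):
      ("call", return_addr)  push return_addr on the data stack (and shadow stack)
      ("corrupt", new_addr)  overwrite the topmost saved return address on the
                             data stack, modelling a stack buffer overflow
      ("ret",)               pop a return address and transfer control to it
    """
    data_stack = []
    shadow_stack = []
    returned_to = []
    for event in program:
        kind = event[0]
        if kind == "call":
            data_stack.append(event[1])
            if shadow_stack_enabled:
                shadow_stack.append(event[1])
        elif kind == "corrupt":
            # The bug writes the ordinary stack; the shadow stack is untouched.
            data_stack[-1] = event[1]
        elif kind == "ret":
            target = data_stack.pop()
            if shadow_stack_enabled:
                expected = shadow_stack.pop()
                if target != expected:
                    raise ShadowStackFault(
                        f"return to {target:#x}, shadow stack holds {expected:#x}"
                    )
            returned_to.append(target)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return returned_to


# Constructed program: two nested calls, the inner frame's saved return
# address is overwritten, then both frames return.
PROGRAM = [
    ("call", 0x1000),
    ("call", 0x2004),
    ("corrupt", 0x3FFE),  # an address no call ever came from
    ("ret",),
    ("ret",),
]


def demo():
    """Return (targets reached without a shadow stack, fault text with one)."""
    unprotected = run(PROGRAM, shadow_stack_enabled=False)
    try:
        run(PROGRAM, shadow_stack_enabled=True)
        protected = None
    except ShadowStackFault as exc:
        protected = str(exc)
    return unprotected, protected


if __name__ == "__main__":
    print(demo())
```

Without the shadow stack the first `ret` silently follows the overwritten address; with it the same `ret` raises a fault before any control transfer, which is the property that denies the attacker a starting point for a chain regardless of what hidden instructions exist elsewhere.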

henry-hsieh commented 1 year ago

Okay! I'll close the issue. Thanks for the help.