It's a mitigation for a software exploitation technique called Return Oriented Programming (ROP). The mitigation is referred to as 'Control Flow Integrity' (CFI).

https://software.intel.com/content/www/us/en/develop/article...

Essentially an attacker who has the ability to exploit the first stage of a vulnerability will be able to stitch together "gadgets" from the program to build up a second stage of the exploit.

Control flow integrity, to my understanding, applies a validation or restriction of the program's call graph. This limits the attackers ability to just stitch up their own arbitrary call graph. There are 'forward edge' protections (calling a function) and 'reverse edge' protections (ret). But of course there are more ways to control the flow of a program, as this document discusses - like longjmp.

I won't try to get more detailed as I'm not an expert. Hopefully this will help you find more information.

I'll add on since this is the most informative post so far (and I've written a static binary re-writer to add shadow stack protection to an existing binary).

A shadow stack is a limited subset of the call stack that only stores return addresses. In normal operation, Every time your compiled program makes a function call, it stores the return address on the main call stack (modulo certain compiler optimizations) so that when the called function returns, your program can resume executing directly after the point at which it called the function.

With a shadow stack, when a function is called, the return address is copied to a separate "shadow" stack as well as the call stack. When the called function returns, the return address on the two stacks are compared and the program fails if they are different.

In new Intel microprocessors, the shadow stack is implemented in hardware. The numerous corner cases require software support that the article describes.

Can you provide some details on your binary rewriter to add shadow stack support? Was this a pure software approach, or was it designed to take advantage of the support in new intel microprocessors? Do you have a write up of or can you give a quick overview of your methodology? Is the source code published somewhere?

No, it was proprietary code, and it wasn't for an Intel processor. It was a pure software approach, but the particular (embedded) environment made it harder to attack the shadow stack itself.

I had a pretty cool optimization that I don't think anyone's figured out yet. Oh well. That's the downside of software-as-trade-secrets.

Can you name it, so we can find it ourselves? ;)

Oh yeah, I completely glossed over the whole shadow/safestack mitigation. Thanks.

IDK, but it's because security.

Judging by the title, it helps avoiding ROP: "Return-oriented programming is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing." (Wikipedia)

Using ROP techniques in a binary bypasses a lot of stuff such as ASLR, canaries and even DEP (I think...).

I’ve seen ROP exploitation in binaries and is pretty handy when there is no other way to get a setuid binary to give you a shell as root.

Watch Rope from ippsec on YT (on my phone atm).

ROP does not bypass ASLR or canaries. It does bypass DEP/NX in the sense that it executes code that already exists in executable memory.

Agree re: canaries, but when I learned about ROP I was told that ASLR typically is not employed on the text segment (due to lack of position independence) which is why ROP effectively acts a bypass for ASLR on the stack / heap and why we need things like control flow enforcement. Is this not the case or no longer the case?

Gcc these days compiles with -pie (Position Independent Executable) by default. This makes the text section position independent and able to be relocated, like a shared library.

You are correct that the main TEXT section used to typically not be position independent.

Not only is the text segment relocatable, the entire binary is generally compiled as ET_DYN so it is a shared library in a sense.

Windows uses relocations, not PIC, to enable different load addresses. That means the image in memory has its self references patched by adding the difference between compiled in load address and runtime load address. System DLLs can still share code with one another as long as they share the same load address in different processes for that reboot of the operating system.

Historically EXEs were either linked without relocations or had relocations stripped. They were always loaded first so ended up where they wanted, no relocation necessary. But /dynamicbase flag to linker opts in to setting a bit in the PE header and retaining relocations, so the EXE can be loaded elsewhere.

TL;DR: Windows supports ASLR on both executables and dynamic libraries.

ASLRing text segments is optional, but possible. There are negative performance tradeoffs.

There are limitations in sharing text segments in different processes, and extra memory usage mapping in text segments so relocations can be, uh, relocated, but once running there is no additional performance overhead. The runtime image is effectively "self-modified code" by the OS loader, patched to final addresses. No PIC register, no indirect references.

Right. You've described the performance impact: a ton of relocations hurts startup time, and the modified memory reduces sharing, costing additional memory. If startup time does not matter and memory is free, sure, it has no costs.

Yeah; a linear scan over what, possibly as many as a couple of megabytes. I bet that takes a while.

(Seriously? :-)

TLDR ROP is common technique for making programs do bad things so this prevents a whole bunch of bad things from happening.