...

Stack clash is an exploit technique that uses large stack frame allocations to "jump the guard page", creating a scenario in which the heap and stack collide under attacker control. This can be used to gain full control of a vulnerable application. Stack probing techniques mitigate the vast majority of vulnerabilities in this space, but implementing them requires significant work for each and every target to be supported.
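The guard-page jump, and the page-stride probing that defeats it, as an added toy simulation (this is not code from the page, nor from the GCC/LLVM work it tracks). Addresses are plain integers in a constructed layout of heap, one 4 KiB guard page and a small stack; the one-probe-per-page interval, the layout constants and the function names are all assumptions made here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy address-space model (integers, not real memory):
 * a heap, then one guard page, then a 4-page stack growing downward.
 * The page size and probe interval of 4 KiB are assumptions. */
#define PAGE      4096u
#define HEAP_LO   0x10000u
#define HEAP_HI   0x20000u                 /* heap  = [HEAP_LO,  HEAP_HI)  */
#define GUARD_LO  HEAP_HI                  /* guard = [GUARD_LO, STACK_LO) */
#define STACK_LO  (GUARD_LO + PAGE)
#define STACK_HI  (STACK_LO + 4u * PAGE)   /* stack = [STACK_LO, STACK_HI) */

enum touch { TOUCH_STACK, TOUCH_GUARD_FAULT, TOUCH_HEAP, TOUCH_OTHER };

/* Classify a store to `addr` in the toy layout. A store into the guard
 * page is the fault the mitigation relies on. */
static enum touch touch(uint32_t addr) {
    if (addr >= STACK_LO && addr < STACK_HI) return TOUCH_STACK;
    if (addr >= GUARD_LO && addr < STACK_LO) return TOUCH_GUARD_FAULT;
    if (addr >= HEAP_LO  && addr < HEAP_HI)  return TOUCH_HEAP;
    return TOUCH_OTHER;
}

/* Unprotected prologue: one large stack-pointer decrement, then the first
 * store lands wherever the new sp points. If the frame is bigger than the
 * remaining stack plus the guard page, that store hits the heap and no
 * fault ever occurs: the guard page has been jumped. */
static enum touch naive_frame(uint32_t sp, uint32_t frame_size) {
    if (frame_size == 0) return TOUCH_STACK;
    return touch(sp - frame_size);
}

/* Probed prologue: never move sp by more than one page without touching
 * the newly exposed page first. Because every page between the old and
 * new sp is stored to, the guard page cannot be skipped. Returns the first
 * non-stack outcome (the fault), or TOUCH_STACK if the frame fit; the
 * number of probes issued is written to *probes. */
static enum touch probed_frame(uint32_t sp, uint32_t frame_size,
                               unsigned *probes) {
    uint32_t remaining = frame_size;
    *probes = 0;
    while (remaining > 0) {
        uint32_t step = remaining < PAGE ? remaining : PAGE;
        sp -= step;
        (*probes)++;
        enum touch t = touch(sp);        /* the probe store */
        if (t != TOUCH_STACK) return t;  /* fault: guard page reached */
        remaining -= step;
    }
    return TOUCH_STACK;
}

static const char *name(enum touch t) {
    switch (t) {
    case TOUCH_STACK:       return "stack";
    case TOUCH_GUARD_FAULT: return "guard page (fault)";
    case TOUCH_HEAP:        return "heap (guard jumped!)";
    default:                return "other";
    }
}

int main(void) {
    uint32_t sizes[] = { 3u * PAGE, 8u * PAGE };
    for (unsigned i = 0; i < 2; i++) {
        unsigned n = 0;
        enum touch a = naive_frame(STACK_HI, sizes[i]);
        enum touch b = probed_frame(STACK_HI, sizes[i], &n);
        printf("frame %u bytes: naive -> %s, probed -> %s after %u probes\n",
               sizes[i], name(a), name(b), n);
    }
    return 0;
}
```

With a 3-page frame both prologues end inside the stack; with an 8-page frame the naive prologue's first store lands in the heap without any fault, while the probed prologue faults on its fifth probe when it reaches the guard page. Real compilers emit the probe as an actual store in the prologue (GCC's -fstack-clash-protection does this at page stride), which is why the work described on this page has to be done per target.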


Stack clash mitigations are a soft requirement for distributions such as Fedora and a hard requirement for Red Hat Enterprise Linux.

...

Red Hat has agreed to make available its annocheck code, which was used to test the stack clash mitigations on x86. We'll evaluate whether it can be repurposed for RISC-V. If so, great; otherwise we'll write a by-hand scanner (which will probably be too fragile/ugly to release). The goal is to scan every executable and dynamic object available in a distro such as Canonical, Debian or Fedora and flag any sequences that look like they may violate the requirements for stack clash mitigation. Even the best scanners have had false positives, so we'll review the output of whatever scanner tool we choose.


It is expected that this work will begin once Raphael has completed the GCC implementation.


Stakeholders/Partners

RISE:

...

Page Properties

Development Status: COMPLETE (previously IN PROGRESS)

Development Timeline: NA

Upstreaming Status: IN PROGRESS (previously NOT STARTED)

Upstream Version:

Contacts: Jeff Law (Ventana)

Dependencies: None


Updates

29 Jan  

  • Implementation of naive protection making good progress. Handles scalar and vector (following the aarch64 implementation for vector in particular)
  • Probing of outgoing argument area not started
  • Kito is aware of the need to make minor changes to the PSABI to document expectations from compilers
  • Raphael will be opening an MR imminently to start external review of the stack clash implementation

 

  • Development work is complete
  • Raphael is working on another project for Ventana, so can't focus on upstreaming
  • Craig recommends posting it anyway for review

 

  • Moved to 2H2024

  • Basic work is considered complete
  • Currently porting tests from other architectures to work on RISC-V, fixing the bugs that exposes
  • Hoping to start external review in the summer.

 

  • Basic generation of probes is working in LLVM
  • Currently working on getting call-frame-information updated properly
  • After CFI fixes, need to add support for variable frames due to vector saves/restores

 

  • Raphael just getting started on an LLVM implementation

 

  • Project reported as priority for 1H2024.

...