
About

Stack clash is an exploit technique that uses large stack frame allocations to "jump the guard page", creating a scenario where the heap and stack collide under attacker control.  This can be used to gain full control of a vulnerable application.  Stack probing can mitigate the vast majority of vulnerabilities in this space, but implementing it requires significant work for each and every target to be supported.


Stack clash mitigations are a soft requirement for distributions such as Fedora and a hard requirement for Red Hat Enterprise Linux.


The plan is to start with a naive implementation that probes at the start of each function allocating stack space, and again for each page beyond the first that the function allocates.  Once naive probing works we'll go back and add probing of the outgoing argument space per the ABI requirements.  Once probing of the outgoing argument space is functional we can remove the explicit probe at the start of each function and only start probing when the function allocates PAGE_SIZE-1k or more of stack space.
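As an added illustration (not code from the project), the following C model computes the probe offsets that the naive and the refined policies described above would emit for a given frame size, and checks that no two consecutive stack touches are more than one guard page apart. A 4 KiB PAGE_SIZE, a one-page guard region and the PAGE_SIZE-1k threshold are assumptions taken from the paragraph and common Linux defaults; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#define PAGE_SIZE 4096UL                      /* assumed: 4 KiB pages */
#define GUARD_SIZE PAGE_SIZE                  /* assumed: one-page guard region */
#define PROBE_THRESHOLD (PAGE_SIZE - 1024UL)  /* "PAGE_SIZE-1k" from the plan above */

/* Naive policy: touch the first page of every frame and every further page
 * boundary inside it. Offsets are bytes below the caller's sp; returns count. */
size_t naive_probes(size_t frame, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = PAGE_SIZE; off < frame && n < max; off += PAGE_SIZE)
        out[n++] = off;
    if (frame > 0 && n < max)
        out[n++] = frame;   /* final, possibly partial, page */
    return n;
}

/* Refined policy: small frames are covered by the ABI-mandated stores into the
 * outgoing argument area at the bottom of the frame, so explicit probes are
 * only emitted once the allocation reaches PROBE_THRESHOLD. */
size_t refined_probes(size_t frame, size_t *out, size_t max)
{
    return frame < PROBE_THRESHOLD ? 0 : naive_probes(frame, out, max);
}

/* Model check: starting from the caller's sp (offset 0), each probe and the
 * final sp at `frame` must lie within GUARD_SIZE of the previous touch, so no
 * allocation can step over an untouched guard page. Returns 1 if safe. */
int guard_respected(size_t frame, const size_t *probes, size_t n)
{
    size_t last = 0;
    for (size_t i = 0; i < n; i++) {
        if (probes[i] - last > GUARD_SIZE)
            return 0;
        last = probes[i];
    }
    return frame - last <= GUARD_SIZE;
}

int main(void)
{
    size_t frames[] = { 512, 3000, 4096, 10000, 70000 }, p[64];
    for (size_t i = 0; i < 5; i++) {
        size_t n = refined_probes(frames[i], p, 64);
        printf("frame %6zu: %2zu probes, unprobed %s, probed %s\n", frames[i], n,
               guard_respected(frames[i], p, 0) ? "safe" : "UNSAFE",
               guard_respected(frames[i], p, n) ? "safe" : "UNSAFE");
    }
    return 0;
}
```

The unprobed column shows why frames of a page or more need probes at all, and the 3000-byte case shows that the refined policy is still sound under the one-page guard assumption.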


Red Hat has agreed to make available the annocheck code that was used to test the stack clash mitigations on x86.  We'll evaluate whether it can be repurposed for RISC-V.  If so, great; otherwise we'll write a by-hand scanner (which will probably be too fragile/ugly to release).   The goal is to scan every executable and dynamic object available in a distro such as Canonical, Debian or Fedora and flag any sequences that look like they may violate the requirements for stack clash mitigation.  Even the best scanners have had false positives, so we'll review the output of whatever scanner tool we choose.



Stakeholders/Partners

RISE:

Ventana: Raphael Zinsly, lead developer.

Ventana: Jeff Law, oversight

Red Hat: Nick Clifton (provided the old x86 scanner tool)


External:



Dependencies


Status

Development: IN PROGRESS

Development Timeline: NA

Upstreaming: NOT STARTED

Upstream Version:





Contacts

Jeff Law (Ventana)


Dependencies

None



Updates


  • Implementation of the naive protection is making good progress.   It handles scalar and vector code (following the aarch64 implementation for vector in particular).
  • Probing of the outgoing argument area has not started.
  • Kito is aware of the need to make minor changes to the psABI to document the expectations placed on compilers.


  • Project reported as priority for 1H2024.

