{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,28]],"date-time":"2025-11-28T12:33:07Z","timestamp":1764333187229,"version":"3.41.0"},"reference-count":77,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2022,10,7]],"date-time":"2022-10-07T00:00:00Z","timestamp":1665100800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000923","name":"Australian Research Council","doi-asserted-by":"crossref","award":["DP180104069 and DP210102409"],"award-info":[{"award-number":["DP180104069 and DP210102409"]}],"id":[{"id":"10.13039\/501100000923","id-type":"DOI","asserted-by":"crossref"}]},{"name":"UNSW-Huawei","award":["YBN2019105002"],"award-info":[{"award-number":["YBN2019105002"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Archit. Code Optim."],"published-print":{"date-parts":[[2022,12,31]]},"abstract":"\n Control-Flow Integrity (CFI) techniques focus often on protecting forward edges and assume that backward edges are protected by shadow stacks. However, software-based shadow stacks that can provide performance, security, and compatibility are still hard to obtain, leaving an important security gap on x86-64. In this article, we introduce a simple, efficient, and effective parallel shadow stack design (based on LLVM),\n FlashStack<\/jats:sc>\n , for protecting return addresses in single- and multi-threaded programs running under 64-bit Linux on x86-64, with three distinctive features. First, we introduce a novel dual-prologue approach to enable a protected function to thwart the TOCTTOU attacks, which are constructed by Microsoft\u2019s red team and lead to the deprecation of Microsoft\u2019s RFG. Second, we design a new mapping mechanism,\n Segment+Rsp-S<\/jats:sc>\n , to allow the parallel shadow stack to be accessed efficiently while satisfying the constraints of\n arch_prctl()<\/jats:monospace>\n and ASLR in 64-bit Linux. Finally, we introduce a lightweight inspection mechanism,\n SideChannel-K<\/jats:sc>\n , to harden\n FlashStack<\/jats:sc>\n further by detecting entropy-reduction attacks efficiently and protecting the parallel shadow stack effectively with a 10-ms shuffling policy. Our evaluation on\n SPEC CPU2006<\/jats:monospace>\n ,\n Nginx,<\/jats:monospace>\n and\n Firefox<\/jats:monospace>\n shows that\n FlashStack<\/jats:sc>\n can provide high performance, meaningful security, and reasonable compatibility for server- and client-side programs on x86-64.\n <\/jats:p>","DOI":"10.1145\/3556977","type":"journal-article","created":{"date-parts":[[2022,8,16]],"date-time":"2022-08-16T12:34:36Z","timestamp":1660653276000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Practical Software-Based Shadow Stacks on x86-64"],"prefix":"10.1145","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3371-2138","authenticated-orcid":false,"given":"Changwei","family":"Zou","sequence":"first","affiliation":[{"name":"UNSW Sydney Macau University of Science and Technology, Macau, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5392-5088","authenticated-orcid":false,"given":"Yaoqing","family":"Gao","sequence":"additional","affiliation":[{"name":"Huawei Toronto Research Center, Markham, ON, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0380-3506","authenticated-orcid":false,"given":"Jingling","family":"Xue","sequence":"additional","affiliation":[{"name":"UNSW Sydney, NSW, Australia"}]}],"member":"320","published-online":{"date-parts":[[2022,10,7]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"Microsoft Security Response Center. 2018. The Evolution of CFI Attacks and Defenses. Retrieved July 18 2022 from https:\/\/github.com\/microsoft\/MSRC-Security-Research\/tree\/master\/presentations\/2018_02_OffensiveCon."},{"key":"e_1_3_1_3_2","unstructured":"Wikipedia. 2020. Tiger Lake. Retrieved July 18 2022 from https:\/\/en.wikipedia.org\/wiki\/Tiger_Lake_(microprocessor)."},{"key":"e_1_3_1_4_2","unstructured":"The PaX Team. 2001. Address Space Layout Randomization. Retrieved July 18 2022 from https:\/\/pax.grsecurity.net\/docs\/aslr.txt."},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23173"},{"key":"e_1_3_1_6_2","first-page":"367","volume-title":"Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation","author":"Williams-King David","year":"2016","unstructured":"David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, and William Aiello. 2016. Shuffler: Fast and deployable continuous code re-randomization. In Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation. 367\u2013382."},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660281"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380439"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714635"},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00076"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/1255329.1255344"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241105"},{"key":"e_1_3_1_14_2","first-page":"1","volume-title":"Proceedings of the Black Hat Europe","author":"Goktas Enes","year":"2016","unstructured":"Enes Goktas, Angelos Oikonomopoulos, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, and Herbert Bos. 2016. Bypassing clang\u2019s SafeStack for fun and profit. In Proceedings of the Black Hat Europe. 1\u201376."},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813691"},{"key":"e_1_3_1_16_2","first-page":"161","volume-title":"Proceedings of the 24th USENIX Security Symposium","author":"Carlini Nicolas","year":"2015","unstructured":"Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross. 2015. Control-flow bending: On the effectiveness of control-flow integrity. In Proceedings of the 24th USENIX Security Symposium. 161\u2013176."},{"key":"e_1_3_1_17_2","first-page":"401","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Davi Lucas","year":"2014","unstructured":"Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of the 23rd USENIX Security Symposium. 401\u2013416."},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.24"},{"key":"e_1_3_1_19_2","unstructured":"The Clang Team. 2021. ShadowCallStack. Retrieved July 18 2022 from https:\/\/clang.llvm.org\/docs\/ShadowCallStack.html."},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.5555\/876878.879316"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3494516"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.62"},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243739"},{"key":"e_1_3_1_24_2","unstructured":"Mary Branscombe. 2020. Windows 10 Security: How the Shadow Stack will Help to Keep the Hackers at Bay. Retrieved July 18 2022 from https:\/\/www.techrepublic.com\/article\/windows-10-security-how-the-shadow-stack-will-help-to-keep-the-hackers-at-bay\/."},{"key":"e_1_3_1_25_2","unstructured":"Linux Kernel Documents. 2021. Using FS and GS Segments in User Space Applications. Retrieved July 18 2022 from https:\/\/www.kernel.org\/doc\/html\/latest\/x86\/x86_64\/fsgs.html."},{"key":"e_1_3_1_26_2","unstructured":"Linux Manual Pages. 2021. Set Architecture-specific Thread State. Retrieved July 18 2022 from https:\/\/man7.org\/linux\/man-pages\/man2\/arch_prctl.2.html."},{"key":"e_1_3_1_27_2","first-page":"1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Gras Ben","year":"2017","unstructured":"Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida. 2017. ASLR on the line: Practical cache attacks on the MMU. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201315."},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978374"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818023"},{"key":"e_1_3_1_30_2","unstructured":"Linux manual page. [n. d.]. getcontext(3). Retrieved July 18 2022 from https:\/\/man7.org\/linux\/man-pages\/man3\/getcontext.3.html."},{"key":"e_1_3_1_31_2","first-page":"1239","volume-title":"Proceedings of the 28th USENIX Security Symposium","author":"Wang Zhe","year":"2019","unstructured":"Zhe Wang, Chenggang Wu, Yinqian Zhang, Bowen Tang, Pen-Chung Yew, Mengyao Xie, Yuanming Lai, Yan Kang, Yueqiang Cheng, and Zhiping Shi. 2019. Safehidden: An efficient and secure information hiding technique using re-randomization. In Proceedings of the 28th USENIX Security Symposium. 1239\u20131256."},{"key":"e_1_3_1_32_2","first-page":"1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Gawlik Robert","year":"2016","unstructured":"Robert Gawlik, Benjamin Kollenda, Philipp Koppe, Behrad Garmany, and Thorsten Holz. 2016. Enabling client-side crash-resistance to overcome diversification and information hiding. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201315."},{"key":"e_1_3_1_33_2","unstructured":"H. Tankovska. 2021. Daily Time Spent on Social Networking by Internet Users Worldwide from 2012 to 2020. Retrieved July 18 2022 from https:\/\/www.statista.com\/statistics\/433871\/daily-social-media-usage-worldwide\/."},{"key":"e_1_3_1_34_2","first-page":"1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Zhang Chao","year":"2016","unstructured":"Chao Zhang, Dawn Song, Scott A. Carr, Mathias Payer, Tongxin Li, Yu Ding, and Chengyu Song. 2016. VTrust: Regaining trust on virtual calls. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201315."},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813644"},{"key":"e_1_3_1_36_2","unstructured":"Microsoft. 2018. Data Execution Prevention. Retrieved July 18 2022 from https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/memory\/data-execution-prevention."},{"key":"e_1_3_1_37_2","first-page":"973","volume-title":"Proceedings of the 27th USENIX Security Symposium","author":"Lipp Moritz","year":"2018","unstructured":"Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading kernel memory from user space. In Proceedings of the 27th USENIX Security Symposium. 973\u2013990."},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3374664.3375734"},{"key":"e_1_3_1_40_2","unstructured":"Drepper Ulrich. 2013. ELF Handling for Thread-Local Storage. Retrieved July 18 2022 from https:\/\/akkadia.org\/drepper\/tls.pdf."},{"key":"e_1_3_1_41_2","unstructured":"Michal Zalewski. 2021. American Fuzzy Lop (AFL) Fuzzer. Retrieved from http:\/\/lcamtuf.coredump.cx\/afl\/."},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_1_43_2","doi-asserted-by":"crossref","unstructured":"Eyal Itkin. 2017. Bypassing Return Flow Guard. Retrieved July 18 2022 from https:\/\/eyalitkin.wordpress.com\/2017\/08\/18\/bypassing-return-flow-guard-rfg\/.","DOI":"10.1071\/PVv2017n188newsp18"},{"key":"e_1_3_1_44_2","unstructured":"mmap. [n. d.]. Linux Manual Page. Retrieved July 18 2022 from https:\/\/man7.org\/linux\/man-pages\/man2\/mmap.2.html."},{"key":"e_1_3_1_45_2","first-page":"241","volume-title":"Proceedings of the 2019 USENIX Annual Technical Conference","author":"Park Soyeon","year":"2019","unstructured":"Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon, and Taesoo Kim. 2019. libmpk: Software abstraction for intel memory protection keys. In Proceedings of the 2019 USENIX Annual Technical Conference. 241\u2013254."},{"key":"e_1_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00031"},{"key":"e_1_3_1_47_2","unstructured":"Mozilla Wiki. 2016. Security\/Sandbox\/Seccomp. Retrieved July 18 2022 from https:\/\/wiki.mozilla.org\/Security\/Sandbox\/Seccomp."},{"key":"e_1_3_1_48_2","unstructured":"LLVM Documents. 2021. Safe Stack. Retrieved July 18 2022 from https:\/\/clang.llvm.org\/docs\/SafeStack.html."},{"key":"e_1_3_1_49_2","unstructured":"Bastien Abadie and Sylvestre Ledru. 2020. Engineering Code Quality in the Firefox Browser. Retrieved July 18 2022 from https:\/\/hacks.mozilla.org\/2020\/04\/code-quality-tools-at-mozilla\/."},{"key":"e_1_3_1_50_2","unstructured":"WINE. 2021. What is Wine? Retrieved July 18 2022 from https:\/\/www.winehq.org\/."},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_2"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417867"},{"key":"e_1_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00121"},{"key":"e_1_3_1_54_2","first-page":"1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Bauman Erick","year":"2018","unstructured":"Erick Bauman, Zhiqiang Lin, and Kevin W. Hamlen. 2018. Superset disassembly: Statically rewriting x86 binaries without heuristics. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201315."},{"key":"e_1_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489273"},{"key":"e_1_3_1_56_2","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Kim Sun Hyoung","year":"2021","unstructured":"Sun Hyoung Kim, Cong Sun, Dongrui Zeng, and Gang Tan. 2021. Refining indirect call targets at the binary level. In Proceedings of the Symposium on Network and Distributed System Security."},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065034"},{"key":"e_1_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"e_1_3_1_59_2","unstructured":"Aleph One. 1996. Smashing the Stack for Fun and Profit. Retrieved July 18 2022 from http:\/\/phrack.org\/issues\/49\/14.html."},{"key":"e_1_3_1_60_2","first-page":"1","volume-title":"Proceedings of the 7th USENIX Security Symposium","author":"Cowan Crispin","year":"1998","unstructured":"Crispin Cowan, Calton Pu, Dave Maier, Heather Hintony, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. 1998. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium. 1\u201316."},{"key":"e_1_3_1_61_2","doi-asserted-by":"publisher","DOI":"10.5555\/2685048.2685061"},{"key":"e_1_3_1_62_2","first-page":"1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Chen Xi","year":"2015","unstructured":"Xi Chen, Asia Slowinska, Dennis Andriesse, Herbert Bos, and Cristiano Giuffrida. 2015. StackArmor: Comprehensive protection from stack-based memory error vulnerabilities for binaries. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201315."},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196531"},{"key":"e_1_3_1_64_2","unstructured":"STMicroelectronics. [n. d.]. STM32 32-bit Arm Cortex MCUs. Retrieved July 18 2022 from https:\/\/www.st.com\/en\/microcontrollers-microprocessors\/stm32-32-bit-arm-cortex-mcus.html."},{"key":"e_1_3_1_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.44"},{"key":"e_1_3_1_66_2","doi-asserted-by":"publisher","DOI":"10.5555\/2534766.2534805"},{"key":"e_1_3_1_67_2","first-page":"1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Cheng Yueqiang","year":"2014","unstructured":"Yueqiang Cheng, Zongwei Zhou, Yu Miao, Xuhua Ding, and Robert H. Deng. 2014. ROPecker: A generic and practical approach for defending against ROP attack. In Proceedings of the Symposium on Network and Distributed System Security. 1\u201314."},{"key":"e_1_3_1_68_2","first-page":"941","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Tice Caroline","year":"2014","unstructured":"Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, \u00dalfar Erlingsson, Luis Lozano, and Geoff Pike. 2014. Enforcing forward-edge control-flow integrity in GCC & LLVM. In Proceedings of the 23rd USENIX Security Symposium. 941\u2013955."},{"key":"e_1_3_1_69_2","unstructured":"Changwei Zou. 2022. FlashStack. Retrieved July 18 2022 from https:\/\/github.com\/sheisc\/FlashStack."},{"key":"e_1_3_1_70_2","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948146"},{"key":"e_1_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.9"},{"key":"e_1_3_1_72_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.41"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813694"},{"key":"e_1_3_1_74_2","doi-asserted-by":"publisher","DOI":"10.5555\/2362793.2362833"},{"key":"e_1_3_1_75_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.25"},{"key":"e_1_3_1_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.45"},{"key":"e_1_3_1_77_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.22"},{"key":"e_1_3_1_78_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00029"}],"container-title":["ACM Transactions on Architecture and Code Optimization"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3556977","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3556977","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:48:52Z","timestamp":1750286932000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3556977"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,7]]},"references-count":77,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2022,12,31]]}},"alternative-id":["10.1145\/3556977"],"URL":"https:\/\/doi.org\/10.1145\/3556977","relation":{},"ISSN":["1544-3566","1544-3973"],"issn-type":[{"type":"print","value":"1544-3566"},{"type":"electronic","value":"1544-3973"}],"subject":[],"published":{"date-parts":[[2022,10,7]]},"assertion":[{"value":"2021-12-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-10-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}