Recent x86 CPUs offer functionality named Control-flow Enforcement
Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS
is a hardware feature designed to protect against Return Oriented
Programming attacks. When enabled, traditional stacks holding both data and
return addresses are accompanied by so called “shadow stacks”, holding
little more than return addresses. Shadow stacks aren’t writable by normal
instructions, and upon function returns their contents are used to check
for possible manipulation of a return address coming from the traditional
stack. In particular certain memory accesses need intercepting by Xen. In
various cases the necessary emulation involves kind of replaying of the
instruction. Such replaying typically involves filling and then invoking of
a stub. Such a replayed instruction may raise an exceptions, which is
expected and dealt with accordingly. Unfortunately the interaction of both
of the above wasn’t right: Recovery involves removal of a call frame from
the (traditional) stack. The counterpart of this operation for the shadow
stack was missing.
Author | Note |
---|---|
mdeslaur | hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary |