With the increasing popularity of AArch64 processors in general-purpose computing, securing software running on AArch64 systems against control-flow hijacking attacks has become a critical part toward secure computation. Shadow stacks keep shadow copies of function return addresses and, when protected from illegal modifications and coupled with forward-edge control-flow integrity, form an effective and proven defense against such attacks. However, AArch64 lacks native support for write-protected shadow stacks, while software alternatives either incur prohibitive performance overhead or provide weak security guarantees. We present InversOS, the first hardware-assisted write-protected shadow stacks for AArch64 user-space applications, utilizing commonly available features of AArch64 to achieve efficient intra-address space isolation (called Privilege Inversion) required to protect shadow stacks. Privilege Inversion adopts unconventional design choices that run protected applications in the kernel mode and mark operating system (OS) kernel memory as user-accessible; InversOS therefore uses a novel combination of OS kernel modifications, compiler transformations, and another AArch64 feature to ensure the safety of doing so and to support legacy applications. We show that InversOS is secure by design, effective against various control-flow hijacking attacks, and performant on selected benchmarks and applications (incurring overhead of 7.0% on LMBench, 7.1% on SPEC CPU 2017, and 3.0% on Nginx web server).

翻译：随着AArch64处理器在通用计算领域的日益普及，保护运行于AArch64系统上的软件免受控制流劫持攻击已成为安全计算的关键环节。影子栈维护函数返回地址的影子副本，当受到非法篡改保护并与前向边控制流完整性结合时，可形成针对此类攻击的有效且经过验证的防御机制。然而，AArch64缺乏对写保护影子栈的原生支持，而软件替代方案要么带来过高的性能开销，要么提供较弱的安全保证。我们提出InversOS——首个面向AArch64用户空间应用的硬件辅助写保护影子栈，利用AArch64通用特性实现保护影子栈所需的高效地址空间内隔离（称为"特权反转"）。特权反转采用非常规设计，使受保护应用在内核模式下运行，并将操作系统（OS）内核内存标记为用户可访问；因此，InversOS通过操作系统内核修改、编译器变换及另一项AArch64特性的创新结合，确保此设计的安全性并支持遗留应用。我们证明，InversOS在设计上具有安全性，可有效防御多种控制流劫持攻击，并在选定基准测试与应用中展现出高性能（LMBench基准测试开销为7.0%，SPEC CPU 2017为7.1%，Nginx Web服务器为3.0%）。