With the increasing popularity of AArch64 processors in general-purpose computing, securing software running on AArch64 systems against control-flow hijacking attacks has become a critical part toward secure computation. Shadow stacks keep shadow copies of function return addresses and, when protected from illegal modifications and coupled with forward-edge control-flow integrity, form an effective and proven defense against such attacks. However, AArch64 lacks native support for write-protected shadow stacks, while software alternatives either incur prohibitive performance overhead or provide weak security guarantees. We present InversOS, the first hardware-assisted write-protected shadow stacks for AArch64 user-space applications, utilizing commonly available features of AArch64 to achieve efficient intra-address space isolation (called Privilege Inversion) required to protect shadow stacks. Privilege Inversion adopts unconventional design choices that run protected applications in the kernel mode and mark operating system (OS) kernel memory as user-accessible; InversOS therefore uses a novel combination of OS kernel modifications, compiler transformations, and another AArch64 feature to ensure the safety of doing so and to support legacy applications. We show that InversOS is secure by design, effective against various control-flow hijacking attacks, and performant on selected benchmarks and applications (incurring overhead of 7.0% on LMBench, 7.1% on SPEC CPU 2017, and 3.0% on Nginx web server).

翻译：随着AArch64处理器在通用计算领域的日益普及，保护运行于AArch64系统上的软件免受控制流劫持攻击已成为安全计算的关键环节。影子栈通过维护函数返回地址的副本，并在防止非法修改的基础上结合前向边控制流完整性，形成了一种有效且经过验证的防御手段。然而，AArch64缺乏对写保护影子栈的原生支持，而软件替代方案要么性能开销过高，要么安全保障薄弱。我们提出InversOS——首个利用硬件辅助实现AArch64用户空间应用写保护影子栈的系统。它借助AArch64常用特性，实现保护影子栈所需的高效地址空间内隔离（称为“权限反转”）。权限反转采用了非常规设计：将受保护应用运行于内核模式，并将操作系统内核内存标记为用户可访问。为此，InversOS创新性地结合了操作系统内核修改、编译器变换及另一项AArch64特性，以确保该方案的安全性并支持遗留应用。实验表明，InversOS具有设计安全性，能有效抵御多种控制流劫持攻击，并在选定基准测试与应用中表现出高性能（LMBench开销7.0%，SPEC CPU 2017开销7.1%，Nginx Web服务器开销3.0%）。