by jnwatson
2165 days ago
I'll add on since this is the most informative post so far (and I've written a static binary re-writer to add shadow stack protection to an existing binary). A shadow stack is a limited subset of the call stack that only stores return addresses. In normal operation, Every time your compiled program makes a function call, it stores the return address on the main call stack (modulo certain compiler optimizations) so that when the called function returns, your program can resume executing directly after the point at which it called the function. With a shadow stack, when a function is called, the return address is copied to a separate "shadow" stack as well as the call stack. When the called function returns, the return address on the two stacks are compared and the program fails if they are different. In new Intel microprocessors, the shadow stack is implemented in hardware. The numerous corner cases require software support that the article describes. |