|
| 1 | +# FlashStack: Practical Software-Based Parallel Shadow Stacks on x86-64 |
| 2 | + |
| 3 | +```sh |
| 4 | +We use LLVM 7.0 and rustc 1.43. |
| 5 | + |
| 6 | +The following MACRO in FlashStack/spa.h is a switch for instrumenting call instructions. |
| 7 | + |
| 8 | +// direct call / indirect call instrumented |
| 9 | +#define ENABLE_GS_RSP_CALL_INSTRUMENTED |
| 10 | +``` |
| 11 | + |
| 12 | +## 1. How to Build and Use FlashStack on Your Own Machine from Scratch |
| 13 | + |
| 14 | +#### (1) Install Rustc and Set the Default Version to Be 1.43 |
| 15 | + |
| 16 | +```sh |
| 17 | +iron@CSE:~$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh |
| 18 | + |
| 19 | +iron@CSE:~$ rustup toolchain install 1.43 |
| 20 | + |
| 21 | +iron@CSE:~$ rustup default 1.43 |
| 22 | + |
| 23 | +# iron@CSE:~$ rustup self uninstall |
| 24 | +``` |
| 25 | +#### (2) Build FlashStack on Your Own Machine |
| 26 | + |
| 27 | +##### Open a New Terminal |
| 28 | + |
| 29 | +```sh |
| 30 | +iron@CSE:~$ cd github |
| 31 | + |
| 32 | +iron@CSE:github$ pwd |
| 33 | + |
| 34 | +/home/iron/github |
| 35 | + |
| 36 | +iron@CSE:github$ git clone https://github.com/sheisc/FlashStack.git |
| 37 | + |
| 38 | +iron@CSE:github$ cd FlashStack |
| 39 | + |
| 40 | +iron@CSE:FlashStack$ . ./env.sh |
| 41 | + |
| 42 | +iron@CSE:FlashStack$ ./build.sh |
| 43 | +``` |
| 44 | + |
| 45 | +#### (3) How to Use FlashStack to Build a Demo Project |
| 46 | + |
| 47 | +##### Open a New Terminal |
| 48 | + |
| 49 | +```sh |
| 50 | +iron@CSE:~$ cd github/FlashStack/ |
| 51 | + |
| 52 | +iron@CSE:FlashStack$ . ./runtime.sh |
| 53 | + |
| 54 | +iron@CSE:FlashStack$ cd demo/ |
| 55 | + |
| 56 | +iron@CSE:demo$ make CC=spa-clang CXX=spa-clang++ |
| 57 | + |
| 58 | + |
| 59 | +spa-clang -c main.c -o main.o |
| 60 | +spa-cc 0.01 |
| 61 | +spa-as 0.01 |
| 62 | + |
| 63 | +###SPA_FUNCNAME### test |
| 64 | + |
| 65 | +###SPA_FUNCNAME### main |
| 66 | +###SPA### /tmp/main-a98b95.s contains main(). |
| 67 | +[+] Instrumented 2 locations (2-startproc, 2-endproc, 64-bit, non-hardened mode, ratio 100%). |
| 68 | +objdump -d ./main.o |
| 69 | + |
| 70 | +./main.o: file format elf64-x86-64 |
| 71 | + |
| 72 | + |
| 73 | +Disassembly of section .text: |
| 74 | + |
| 75 | +0000000000000000 <test>: |
| 76 | + 0: 4c 8b 1c 24 mov (%rsp),%r11 |
| 77 | + 4: 49 ba 00 00 00 00 00 movabs $0xffff800000000000,%r10 |
| 78 | + b: 80 ff ff |
| 79 | + e: 65 4e 89 1c 14 mov %r11,%gs:(%rsp,%r10,1) |
| 80 | + 13: 55 push %rbp |
| 81 | + 14: 48 89 e5 mov %rsp,%rbp |
| 82 | + 17: 48 83 ec 10 sub $0x10,%rsp |
| 83 | + 1b: 48 bf 00 00 00 00 00 movabs $0x0,%rdi |
| 84 | + 22: 00 00 00 |
| 85 | + 25: b0 00 mov $0x0,%al |
| 86 | + 27: e8 00 00 00 00 callq 2c <test+0x2c> |
| 87 | + 2c: 89 45 fc mov %eax,-0x4(%rbp) |
| 88 | + 2f: 48 83 c4 10 add $0x10,%rsp |
| 89 | + 33: 5d pop %rbp |
| 90 | + 34: 49 ba 00 00 00 00 00 movabs $0xffff800000000000,%r10 |
| 91 | + 3b: 80 ff ff |
| 92 | + 3e: 48 83 c4 08 add $0x8,%rsp |
| 93 | + 42: 65 42 ff 64 14 f8 jmpq *%gs:-0x8(%rsp,%r10,1) |
| 94 | + 48: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) |
| 95 | + 4f: 00 |
| 96 | + |
| 97 | +... |
| 98 | + |
| 99 | +``` |
| 100 | + |
| 101 | + |
| 102 | + |
| 103 | +#### (4) How to Use FlashStack to Build Nginx |
| 104 | + |
| 105 | +##### Open a New Terminal |
| 106 | + |
| 107 | +##### (a) Normal Build and Get the Function Names |
| 108 | + |
| 109 | +```sh |
| 110 | + |
| 111 | +iron@CSE:~$ cd github/FlashStack/ |
| 112 | + |
| 113 | +iron@CSE:FlashStack$ . ./runtime.sh |
| 114 | + |
| 115 | +iron@CSE:nginx-1.18.0$ CC="spa-clang -O3" ./configure --prefix=$(pwd)/bin |
| 116 | + |
| 117 | +iron@CSE:nginx-1.18.0$ make -j4 2>&1 | tee ~/nginx.build.txt |
| 118 | + |
| 119 | +iron@CSE:nginx-1.18.0$ cat ~/nginx.build.txt | grep "###SPA_FUNCNAME###" | awk '{printf $2"\n"}' | uniq | sort > /home/iron/nginx.funcnames.txt |
| 120 | +``` |
| 121 | +##### (b) Instrument direct/indirect calls |
| 122 | + |
| 123 | +Once we get the names of the protected functions, we can reuse these names and rebuild Nginx to protect its calls from TOCTTOU attacks. |
| 124 | + |
| 125 | +```sh |
| 126 | +iron@CSE:~$ cd github/FlashStack/ |
| 127 | +iron@CSE:FlashStack$ . ./runtime.sh |
| 128 | + |
| 129 | +# Change to the directory of nginx-1.18.0 (please download it by yourself) |
| 130 | + |
| 131 | +iron@CSE:nginx-1.18.0$ export __SPA_PROTECTED_FUNCS_PATH=/home/iron/nginx.funcnames.txt |
| 132 | +iron@CSE:nginx-1.18.0$ make clean |
| 133 | +iron@CSE:nginx-1.18.0$ make -j4 |
| 134 | + |
| 135 | +``` |
| 136 | + |
| 137 | +##### (c) Function Names for CPU2006, Firefox, HTTPD, and Nginx |
| 138 | + |
| 139 | +```sh |
| 140 | +We have provided the following files for CPU2006, Firefox79.0, httpd2.4.46 and nginx1.18 in the source code directory |
| 141 | + |
| 142 | +cpu2006.protected.funcs.txt |
| 143 | +firefox79.0.protected.funcs.txt |
| 144 | +httpd2.4.46.protected_funcs.txt |
| 145 | +nginx1.18.protected_funcs.txt |
| 146 | +``` |
| 147 | +
|
| 148 | +#### (5) How to Use FlashStack to Build Firefox79.0 |
| 149 | +
|
| 150 | +##### Open a New Terminal |
| 151 | +
|
| 152 | +```sh |
| 153 | +To build Firefox79.0, please use the two files WasmSignalHandlers.cpp and SandboxFilterUtil.cpp |
| 154 | +provided to replace the ones in the original Firefox79.0. |
| 155 | + |
| 156 | +The mozconfig is configured as follows: |
| 157 | + |
| 158 | +mk_add_options MOZ_OBJDIR=$topsrcdir/obj.flashstack |
| 159 | +mk_add_options MOZ_MAKE_FLAGS="-j4" |
| 160 | +ac_add_options --enable-application=browser |
| 161 | +ac_add_options CC="spa-clang" |
| 162 | +ac_add_options CXX="spa-clang++" |
| 163 | +ac_add_options --prefix=$topsrcdir/install.flashstack |
| 164 | +ac_add_options --disable-debug-symbols |
| 165 | + |
| 166 | +iron@CSE:~$ cd github/FlashStack/ |
| 167 | +iron@CSE:FlashStack$ . ./runtime.sh |
| 168 | +# Change to the directory of firefox-79.0 (please download it by yourself) |
| 169 | +iron@CSE:firefox-79.0$ ./mach build |
| 170 | +``` |
| 171 | +
|
| 172 | +
|
| 173 | +
|
| 174 | +## 2. How to Reuse the Prebuilt Virtual Machine |
| 175 | +
|
| 176 | +#### (1). Download and intall [VMware Workstation Player 15](https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html). |
| 177 | + |
| 178 | +> The free version is available for non-commercial use. |
| 179 | +
|
| 180 | +#### (2). Download the compressed image of our virtual machine [Ubuntu18.04.vmx](https://drive.google.com/file/d/1H1BmYNbAP08QyD_Worm4RXLqWE_DnHLt/view) and uncompress it. |
| 181 | +
|
| 182 | +> FlashStack.7z |
| 183 | +
|
| 184 | +#### (3). Use VMware Workstation Player 15 to open the uncompressed virtual machine Ubuntu18.04.vmx. |
| 185 | +
|
| 186 | +> The **password** to login is **123456** |
| 187 | +
|
| 188 | +
|
| 189 | +#### (4). Follow the steps in Prebuilt.txt |
| 190 | +
|
| 191 | +
|