D3-SSC

Detect
Shadow Stack Comparisons

Definition

Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.

How it works

This technique compares the call stack stored in system memory with the shadow call stack maintained in the cache memory of the processor. Mismatches between the two are compared since a return oriented programming attack may only be able to control or spoof the call stack and not the shadow call stack. Mismatches are counted and if the number of mismatches exceeds a certain threshold it is an indication of unauthorized activity and a security response action is performed.

Considerations

If the threshold for detecting a stack anomaly is low, it may not detect a return-oriented attack with just one gadget, such as a return-to-libc or return-to-plt attack. Additionally, this technique may not detect JOP (Jump-oriented programming), as the return instruction is not executed.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
Shadow Stack Comparisons
Stack Frame

References

Reference - Threat detection for return oriented programming - Crowdstrike Inc