Fedora 45 could get Shadow Stack support to prevent ROP attacks

Fedora 45 could be more secure than its predecessor if a change proposal under consideration gets adopted. Those behind the popular Linux distribution are thinking about enabling x86_64 Shadow Stack usage by default to help prevent return-oriented programming (ROP) attacks when using modern Intel or AMD hardware.

As a bit of background, Shadow Stack is a hardware-assisted security feature that helps to prevent return-oriented programming (ROP) attacks and other control flow hijacking exploits. The feature creates a separate, hidden stack that stores copies of return addresses that the CPU can verify to ensure the actual return address matches the shadow copy when a function returns.

According to the Fedora Wiki, most packages that are built with Fedora’s default settings already produce executables that are compatible with Shadow Stack. This means no action will be needed to benefit from this feature if it goes ahead. Packages with hand-written assembly or built with different flags might ship ELF objects without Shadow Stack markup. Maintainers of these packages will need to make changes to include Shadow Stack markup.

The Shadow Stack protection will be enabled on applications and libraries built using gcc (C, C++), clang (C, C++), and rustc (Rust) by default on x86_64 machines that support it and are running Fedora 45. Those without the suitable hardware won’t be detrimentally impacted; they just won’t run with Shadow Stack.

Shadow Stack hardware support is available on Intel 11th Generation and newer CPUs, and AMD Zen3 and newer CPUs. To learn more, check out the Shadow Stack page on the Fedora Wiki.

Via: Phoronix

Report a problem with article
Next Article

You can now sign into Microsoft Edge with a Google account

Previous Article

FBI seizes NetNut domain with Google's help after links found to Popa botnet