Apparatus And Method To Efficiently Manage And Process Shadow Stacks

Abstract: An apparatus and method for efficiently managing shadow stacks. For example, one embodiment of a processor comprises: a plurality of registers to store a plurality of shadow stack pointers (SSPs), each SSP associated with a different event priority; event processing circuitry to select a first SSP of the plurality of SSPs from a first register of the plurality of registers responsive to receipt of a first event associated with a first event priority level, the first SSP usable to identify a top of a first shadow stack; verification and utilization checking circuitry to determine whether the first SSP has been previously verified, wherein if the first SSP has not been previously verified then initiating a set of atomic operations to verify the first SSP and confirm that the first SSP is not in use, the set of atomic operations using a locking operation to lock data until the set of atomic operations are complete, and wherein if the first SSP has been previously verified, then re-verifying the first SSP and confirming that the first SSP is not in use without using the locking operation.

Patent Information

Application #
Filing Date
03 December 2020
Publication Number
40/2021
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
ipo@iphorizons.com
Parent Application

Applicants

INTEL CORPORATION
2200 Mission College Boulevard, Santa Clara, California 95054, USA

Inventors

1. Vedvyas SHANBHOQUE
4912 Pyrenees Pass, Austin, TX 78738, USA
2. Gilbert NEIGER
2326 NE 18th Avenue Portland, OR 97212-4242, USA
3. Deepak K. GUPTA
14803 NW Twinflower Drive Portland, OR 97229, USA
4. H. Peter ANVIN
3475 Clover Oak Dr San Jose, CA 95148-2212, USA

Specification

Claims:
1. A processor comprising:
a plurality of registers to store a plurality of shadow stack pointers (SSPs), each SSP associated with a different event priority;
event processing circuitry to select a first SSP of the plurality of SSPs from a first register of the plurality of registers responsive to receipt of a first event associated with a first event priority level, the first SSP usable to identify a top of a first shadow stack;
verification and utilization checking circuitry to determine whether the first SSP has been previously verified,
wherein if the first SSP has not been previously verified then initiating a set of atomic operations to verify the first SSP and confirm that the first SSP is not in use, the set of atomic operations using a locking operation to lock data until the set of atomic operations are complete, and
wherein if the first SSP has been previously verified, then re-verifying the first SSP and confirming that the first SSP is not in use without using the locking operation.
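The selection and verification flow of claim 1, as a small C model added here for illustration; it is not code from the application or from the applicant. The token layout (a word that holds its own address, with bit 0 as an in-use flag), the `verified` flag kept beside each SSP, the four priority levels and all names are assumptions of the model, not details stated on this page.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define BUSY   1ull  /* assumed: bit 0 of the token means "in use" */
#define LEVELS 4     /* assumed number of event priority levels */

typedef struct {
    _Atomic uint64_t *ssp;  /* top-of-stack token for this priority level */
    bool verified;          /* set by the first, locked verification */
} ssp_reg;
static _Atomic uint64_t tokens[LEVELS];  /* one token per modelled shadow stack */
static ssp_reg regs[LEVELS];             /* one SSP register per priority level */
static unsigned locked_ops;              /* how often the locked path ran */

/* Assumed token format: a free token holds its own address. */
static uint64_t free_token(_Atomic uint64_t *t) { return (uint64_t)(uintptr_t)t; }

void init_model(void) {
    locked_ops = 0;
    for (int i = 0; i < LEVELS; i++) {
        atomic_store(&tokens[i], free_token(&tokens[i]));
        regs[i] = (ssp_reg){ &tokens[i], false };
    }
}

/* Event at `level`: select its SSP, verify the token, claim the stack. */
bool select_ssp(unsigned level) {
    if (level >= LEVELS) return false;
    ssp_reg *r = &regs[level];
    uint64_t want = free_token(r->ssp), seen = want;
    if (!r->verified) {  /* first use: verify and claim in one locked step */
        locked_ops++;
        if (!atomic_compare_exchange_strong(r->ssp, &seen, want | BUSY))
            return false;  /* token malformed or stack already in use */
        r->verified = true;
        return true;
    }
    /* previously verified: re-check with a plain load and store, no lock */
    if (atomic_load_explicit(r->ssp, memory_order_relaxed) != want)
        return false;
    atomic_store_explicit(r->ssp, want | BUSY, memory_order_relaxed);
    return true;
}

void release_ssp(unsigned level) {  /* handler finished: mark the stack free */
    if (level < LEVELS) atomic_store(regs[level].ssp, free_token(regs[level].ssp));
}
int main(void) {
    init_model();
    bool first = select_ssp(1), again = select_ssp(1);
    printf("first=%d again=%d locked_ops=%u\n", first, again, locked_ops);
}
```

The second selection at the same level fails because the stack is still marked in use, and it does so on the path that takes no lock, so `locked_ops` stays at 1.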
Description:
BACKGROUND
Field of the Invention
[0001] The embodiments of the invention relate generally to the field of computer processors. More particularly, the embodiments relate to an apparatus and method to efficiently manage and process shadow stacks.
Description of the Related Art
[0002] Return-oriented programming (ROP) exploits are an increasingly common form of malicious software (malware) that may circumvent certain defenses that mark locations of memory as non-executable. An ROP exploit works by stringing together a large number of existing segments of executable code that each end with a “return” instruction (known as gadgets). Each ROP gadget is typically short, and typically does not correspond to an existing procedure or even an existing instruction boundary in the executable code. The attacker constructs a malicious stack including a series of return addresses pointing to the desired sequence of gadgets. The ROP exploit is performed by causing the processor of the computer to execute software using the malicious stack instead of the legitimate system stack. For example, the malicious stack may be introduced by smashing the stack, using a buffer overflow exploit, pivoting to a new stack, or otherwise corrupting the system stack.

[0003] Certain ROP exploits may be prevented by maintaining a “shadow stack” in parallel with the ordinary system stack (also called the “legacy stack”). The shadow stack maintains a copy of the legacy stack in memory inaccessible to ordinary software, and may be used to determine if the legacy stack has been tampered with by malware. The shadow stack may be implemented using binary instrumentation, which introduces a significant performance slowdown for some usages.

[0004] Other measures are available to help prevent ROP exploits. For example, “canary” values may be inserted near return addresses in the stack, and may be monitored for changes. As another example, “control transfer terminating instructions” may be inserted into binaries to specifically identify legitimate return targets. However, such measures may require recompiling or otherwise modifying guest software. Additionally, certain processor architectures may provide a call stack that is inaccessible to certain software. For example, certain microcontrollers may maintain a call stack that is inaccessible to software. As another example, certain processor architectures may maintain call stack information in a separate memory region from other stack values such as automatic variables.

BRIEF DESCRIPTION OF THE DRAWINGS
[0005] A better understanding of the present invention can be obtained from the following detailed description in conjunction with the following drawings, in which:
[0006] FIGS. 1A and 1B are block diagrams illustrating a generic vector friendly instruction format and instruction templates thereof according to embodiments of the invention;
[0007] FIGS. 2A-C are block diagrams illustrating an exemplary VEX instruction format according to embodiments of the invention;
[0008] FIG. 3 is a block diagram of a register architecture according to one embodiment of the invention;
[0009] FIG. 4A is a block diagram illustrating both an exemplary in-order fetch, decode, retire pipeline and an exemplary register renaming, out-of-order issue/execution pipeline according to embodiments of the invention;
[0010] FIG. 4B is a block diagram illustrating both an exemplary embodiment of an in-order fetch, decode, retire core and an exemplary register renaming, out-of-order issue/execution architecture core to be included in a processor according to embodiments of the invention;
[0011] FIG. 5A is a block diagram of a single processor core, along with its connection to an on-die interconnect network;
[0012] FIG. 5B illustrates an expanded view of part of the processor core in FIG. 5A according to embodiments of the invention;
[0013] FIG. 6 is a block diagram of a single core processor and a multicore processor with integrated memory controller and graphics according to embodiments of the invention;
[0014] FIG. 7 illustrates a block diagram of a system in accordance with one embodiment of the present invention;
[0015] FIG. 8 illustrates a block diagram of a second system in accordance with an embodiment of the present invention;
[0016] FIG. 9 illustrates a block diagram of a third system in accordance with an embodiment of the present invention;
[0017] FIG. 10 illustrates a block diagram of a system on a chip (SoC) in accordance with an embodiment of the present invention;
[0018] FIG. 11 illustrates a block diagram contrasting the use of a software instruction converter to convert binary instructions in a source instruction set to binary instructions in a target instruction set according to embodiments of the invention;
[0019] FIG. 12 illustrates a processing device with shadow stacks in accordance with one embodiment;
[0020] FIG. 13 illustrates shadow stack pointer management in accordance with one embodiment;
[0021] FIG. 14 illustrates one embodiment which processes SSPs based on interrupts;
[0022] FIG. 15 illustrates additional details associated with shadow stack pointer management in accordance with one embodiment;
[0023] FIG. 16 illustrates an embodiment in which an SSP is selected and verified using atomic or non-atomic operations;
[0024] FIG. 17 illustrates one embodiment of a verification/validation operation;
[0025] FIG. 18 illustrates a method in accordance with one embodiment of the invention; and
[0026] FIG. 19 illustrates additional details of a method for selecting between atomic and non-atomic verification and busy checking operations.

DETAILED DESCRIPTION
[0027] In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention described below. It will be apparent, however, to one skilled in the art that the embodiments of the invention may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form to avoid obscuring the underlying principles of the embodiments of the invention.

Documents

Application Documents

# Name Date
1 202044052705-FORM 1 [03-12-2020(online)].pdf 2020-12-03
2 202044052705-DRAWINGS [03-12-2020(online)].pdf 2020-12-03
3 202044052705-DECLARATION OF INVENTORSHIP (FORM 5) [03-12-2020(online)].pdf 2020-12-03
4 202044052705-COMPLETE SPECIFICATION [03-12-2020(online)].pdf 2020-12-03
5 202044052705-FORM-26 [16-02-2021(online)].pdf 2021-02-16
6 202044052705-FORM 3 [01-06-2021(online)].pdf 2021-06-01
7 202044052705-FORM 3 [03-12-2021(online)].pdf 2021-12-03
8 202044052705-FORM 18 [21-03-2024(online)].pdf 2024-03-21
9 202044052705-FER.pdf 2025-06-06
10 202044052705-Correspondence-Letter [15-07-2025(online)].pdf 2025-07-15
11 202044052705-Information under section 8(2) [18-07-2025(online)].pdf 2025-07-18
12 202044052705-FORM 3 [21-07-2025(online)].pdf 2025-07-21
13 202044052705-Proof of Right [24-07-2025(online)].pdf 2025-07-24
14 202044052705-OTHERS [31-07-2025(online)].pdf 2025-07-31
15 202044052705-FER_SER_REPLY [31-07-2025(online)].pdf 2025-07-31
16 202044052705-CLAIMS [31-07-2025(online)].pdf 2025-07-31
17 202044052705-ABSTRACT [31-07-2025(online)].pdf 2025-07-31

Search Strategy

1 SearchHistoryE_08-01-2025.pdf