
stack - Why not use separate CODE and DATA stacks

Repost. Author: 行者123. Updated: 2023-12-04 18:01:01

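Why don't processors provide separate stack registers for CODE and DATA?

This would make it almost impossible to alter a program's control flow by overwriting the stack with a local stack buffer overflow and thereby changing the function's original return address.

Of course, some languages do not distinguish between CODE and DATA (conceptually, for the programmer, but internally they do).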

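Best answer

Short answer

Using multiple stacks is incompatible with legacy software and hardware.

Detailed answer

The paper Defending Embedded Systems Against Control Flow Attacks (published in 2009) proposes using multiple stacks. The abstract says: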

This paper presents a control flow enforcement technique based on an Instruction Based Memory Access Control (IBMAC) implemented in hardware. It is specifically designed to protect low-cost embedded systems against malicious manipulation of their control flow as well as preventing accidental stack overflows. This is achieved by using a simple hardware modification to divide the stack in a data and a control flow stack (or return stack).

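You can consult the paper for details of how their system is implemented.

As for why this (or a similar) technique has not been adopted, the paper's introduction gives some hints (emphasis added):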

Given the high impact that control flow attacks had on commodity systems, many countermeasure techniques have been proposed to defend against such attacks, such as: binary randomisation [14], memory layout randomisation [20, 21], stack canaries [9], tainting of suspect data [19] enforcing pages to be writable or executable [3, 21], Control Flow Integrity enforcement [1]. However, most of those countermeasures are demanding in terms of computation capabilities, memory usage and often rely on hardware that is unavailable to simple micro-controllers such as a Memory Management Unit (MMU) or execution rings. Moreover, they mostly use software solutions as hardware modifications (for example on the IA-32 architecture) are difficult and likely to cause problems with legacy applications.

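Basically, a system that uses multiple stacks is incompatible with legacy hardware and/or software. For general-purpose computing that needs to support legacy code, such a change is hard to make.

Instead, a large number of other possible solutions have been proposed and implemented to help mitigate the security vulnerabilities associated with stack overflows.

Regarding stack - Why not use separate CODE and DATA stacks, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35465373/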
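An added illustration (not part of the original question or answer, and not the paper's IBMAC hardware design): a toy stack machine in C that performs the same unchecked copy on a unified stack and on split data/return stacks. The machine layout, the `run` function, and all constants are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 16
#define BUF_WORDS   4
#define RET_ADDR    0x4010u  /* constructed "legitimate" return address */

/* Toy machine: one word-addressed data stack, plus an optional return stack
 * that only call/ret can touch (the split described in the quoted abstract). */
struct machine {
    uint32_t data[STACK_WORDS]; /* reachable by ordinary stores */
    uint32_t ret[STACK_WORDS];  /* reachable only by call_fn / ret_fn */
    int sp, rsp;                /* both stacks grow downward */
    int split;                  /* 0 = unified stack, 1 = separate stacks */
};

static void call_fn(struct machine *m, uint32_t ret_addr) {
    if (m->split) m->ret[--m->rsp] = ret_addr;
    else          m->data[--m->sp] = ret_addr;
    m->sp -= BUF_WORDS;         /* reserve the callee's local buffer */
}

/* Unchecked copy into the local buffer, as an ordinary data store would do. */
static void store_local(struct machine *m, const uint32_t *src, int n) {
    for (int i = 0; i < n && m->sp + i < STACK_WORDS; i++)
        m->data[m->sp + i] = src[i];
}

static uint32_t ret_fn(struct machine *m) {
    m->sp += BUF_WORDS;         /* release the local buffer */
    return m->split ? m->ret[m->rsp++] : m->data[m->sp++];
}

/* Run one call whose input is n words long; return the address ret jumps to. */
uint32_t run(int split, int n) {
    struct machine m = { .sp = STACK_WORDS - BUF_WORDS, .rsp = STACK_WORDS, .split = split }; /* caller frame already on the data stack */
    uint32_t input[STACK_WORDS];
    for (int i = 0; i < STACK_WORDS; i++) input[i] = 0x41414141u; /* constructed filler */
    call_fn(&m, RET_ADDR);
    store_local(&m, input, n);
    return ret_fn(&m);
}

int main(void) {
    printf("unified, in-bounds : 0x%x\n", (unsigned)run(0, BUF_WORDS));
    printf("unified, overflow  : 0x%x\n", (unsigned)run(0, BUF_WORDS + 1));
    printf("split,   overflow  : 0x%x\n", (unsigned)run(1, BUF_WORDS + 1));
    return 0;
}
```

With split stacks the overflowing copy still overwrites the caller's data words; only the saved return address is out of reach of ordinary stores.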
