SafeStack, a new compiler feature currently only available in clang and underway for GCC, protects return addresses on the stack from being overwritten through memory vulnerabilities. SafeStack (-fsanitize=safe-stack) is intended to replace the stack cookies (-fstack-protector). It separates the data and the return addresses on the original stack, and puts the former in the unsafe stack and the latter in the safe stack. We investigate the implementation of the safe stack to see if there are still ways to get to it and overwrite the return addresses.
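To make the split between the two stacks concrete, here is a small layout probe (an added example, not code from the talk or its authors). It takes the address of a local buffer, which SafeStack relocates to the unsafe stack because its address escapes, and compares it with the address of the current frame, which stays on the safe stack together with the return address. The `SAME_REGION_THRESHOLD` value and the helper names are assumptions chosen for this example; the probe only inspects its own locals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold: within one ordinary stack frame the buffer and the
 * frame address are a few hundred bytes apart at most; when SafeStack is
 * active the unsafe stack is a separate mapping, so the distance is far
 * larger than 1 MiB. */
#define SAME_REGION_THRESHOLD ((uintptr_t)1 << 20)

/* Keep the buffer alive and its address escaping, so SafeStack must treat
 * it as unsafe and the optimiser cannot remove it. */
static void __attribute__((noinline)) touch(char *p, size_t n) {
    memset(p, 0x41, n);
}

/* Distance between an address-taken local buffer and the current frame
 * address (the frame that holds the saved frame pointer and return
 * address). Without SafeStack both live on the same stack; with
 * -fsanitize=safe-stack the buffer moves to the unsafe stack. */
uintptr_t stack_separation_distance(void) {
    char buf[64];
    touch(buf, sizeof buf);
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    uintptr_t b = (uintptr_t)buf;
    return frame > b ? frame - b : b - frame;
}

/* 1 when the buffer and the frame are in different regions (the SafeStack
 * split is in effect), 0 when they share one stack. */
int stacks_are_separated(void) {
    return stack_separation_distance() > SAME_REGION_THRESHOLD;
}

int main(void) {
    printf("buffer-to-frame distance: %#lx bytes\n",
           (unsigned long)stack_separation_distance());
    printf("separate safe/unsafe stacks: %s\n",
           stacks_are_separated() ? "yes" : "no");
    return 0;
}
```

Build the file twice and compare: `clang -O1 probe.c` reports a distance of a few dozen bytes and "no", while `clang -O1 -fsanitize=safe-stack probe.c` reports a distance spanning separate mappings and "yes". The point for a defender is that SafeStack does not stop a buffer overflow on the unsafe stack; it only keeps that overflow from reaching the return addresses, which is exactly why the reachability of the safe stack region is what the research above examines.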
by Aggelos Oikonomopoulos, Benjamin Kollenda, Cristiano Giuffrida, Elias Athanasopoulos, Enes Goktas, Georgios Portokalidis, Herbert Bos, and Robert Gawlik
Full Abstract: https://www.blackhat.com/eu-16/briefings/schedule/#bypassing-clangs-safestack-for-fun-and-profit-4965