
AD2047: PeEnableShadowCallStack

Summary

Property     Value
--------     -----
ID           AD2047
Name         PeEnableShadowCallStack
Category     Security
Severity     Warning
Applies to   PE (Windows) - AArch64

Description

Shadow Call Stack is a security feature that protects return addresses by storing them in a separate "shadow" stack. This provides strong protection against Return-Oriented Programming (ROP) attacks that rely on overwriting return addresses on the stack.

SCS uses a dedicated register (x18 on AArch64) to point to the shadow stack, making it very efficient with minimal runtime overhead.

This rule specifically checks PE binaries (Windows executables and DLLs) built with Clang/MinGW that contain DWARF debug information.
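To make the mechanism concrete, the following is an added example (not code from this rule or from the analyzer the page documents, whose actual detection method is not described here). Clang's AArch64 Shadow Call Stack instrumentation emits two instructions per non-leaf function: str x30, [x18], #8 in the prologue (push the return address onto the shadow stack) and ldr x30, [x18, #-8]! in the epilogue (pop it back before ret). The script decodes the A64 load/store-immediate encoding, recognises that pair, and scans a buffer of code bytes for it; the sample instruction words are constructed inline so it runs offline, and treating "push and pop both present" as evidence of SCS is a heuristic assumed for the example.

```python
import struct

# Encodings of the two instructions Clang emits for AArch64 Shadow Call Stack.
# Values constructed for this example from the A64 load/store (immediate) layout.
SCS_PUSH = 0xF800865E  # str x30, [x18], #8      (function prologue)
SCS_POP = 0xF85F8E5E   # ldr x30, [x18, #-8]!    (function epilogue)

X18 = 18  # shadow stack pointer (platform-reserved register under SCS)
X30 = 30  # link register holding the return address


def decode_ldst_imm9(insn):
    """Decode a 64-bit STR/LDR (immediate) with post- or pre-index addressing.

    Returns (is_load, is_preindex, imm9, rn, rt) or None if the word is not
    such an instruction.  Field layout: size=11 [31:30], 111 [29:27], V=0 [26],
    00 [25:24], opc [23:22], 0 [21], imm9 [20:12], 01 (post) / 11 (pre) [11:10],
    Rn [9:5], Rt [4:0].
    """
    if (insn & 0xFFA00400) != 0xF8000400:
        return None
    is_load = bool(insn & (1 << 22))
    is_preindex = bool(insn & (1 << 11))
    imm9 = (insn >> 12) & 0x1FF
    if imm9 & 0x100:  # sign-extend the 9-bit immediate
        imm9 -= 0x200
    rn = (insn >> 5) & 0x1F
    rt = insn & 0x1F
    return is_load, is_preindex, imm9, rn, rt


def classify_scs(insn):
    """Return 'push', 'pop', or None for a single 32-bit instruction word."""
    decoded = decode_ldst_imm9(insn)
    if decoded is None:
        return None
    is_load, is_preindex, imm9, rn, rt = decoded
    if rn != X18 or rt != X30:
        return None
    if not is_load and not is_preindex and imm9 == 8:
        return "push"
    if is_load and is_preindex and imm9 == -8:
        return "pop"
    return None


def find_scs_sites(code):
    """Scan little-endian A64 code bytes; return (push_offsets, pop_offsets)."""
    pushes, pops = [], []
    for off in range(0, len(code) - 3, 4):
        insn = struct.unpack_from("<I", code, off)[0]
        kind = classify_scs(insn)
        if kind == "push":
            pushes.append(off)
        elif kind == "pop":
            pops.append(off)
    return pushes, pops


def has_scs(code):
    """Heuristic (assumed for this example): both a push and a pop are present."""
    pushes, pops = find_scs_sites(code)
    return bool(pushes) and bool(pops)


# Constructed sample: a small function body with and without SCS instrumentation.
# Other words are ordinary prologue/epilogue instructions:
#   0xA9BF7BFD  stp x29, x30, [sp, #-16]!
#   0x910003FD  mov x29, sp
#   0xA8C17BFD  ldp x29, x30, [sp], #16
#   0xD65F03C0  ret
INSTRUMENTED = struct.pack(
    "<6I", SCS_PUSH, 0xA9BF7BFD, 0x910003FD, 0xA8C17BFD, SCS_POP, 0xD65F03C0
)
UNINSTRUMENTED = struct.pack("<4I", 0xA9BF7BFD, 0x910003FD, 0xA8C17BFD, 0xD65F03C0)

if __name__ == "__main__":
    for name, blob in (("instrumented", INSTRUMENTED), ("plain", UNINSTRUMENTED)):
        pushes, pops = find_scs_sites(blob)
        print(f"{name}: SCS={has_scs(blob)} push@{pushes} pop@{pops}")
```

In practice the buffer would be the contents of the PE image's executable section, and a function-level check would pair each push with a pop on every return path; the point here is only that the SCS hardening has a visible instruction-level signature tied to x18, which is why that register must stay reserved in every module loaded into the process.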

How to Fix

When building Windows ARM64 binaries with Clang/MinGW, add the -fsanitize=shadow-call-stack flag:

clang --target=aarch64-pc-windows-msvc -fsanitize=shadow-call-stack -o binary.exe source.c

Or with MinGW:

aarch64-w64-mingw32-clang -fsanitize=shadow-call-stack -o binary.exe source.c

MSVC Alternative

For binaries built with MSVC, use Control Flow Guard (CFG) and CET Shadow Stack instead:

cl /guard:cf /CETCOMPAT source.c

See AD2025: EnableShadowStack for MSVC-specific shadow stack support.

Performance Considerations

Shadow Call Stack has minimal runtime overhead on AArch64:

Metric              Impact
------              ------
Runtime overhead    <1% typical
Memory per thread   4-8KB shadow stack
Register pressure   x18 reserved
Code size           Minimal increase

Why SCS is efficient:
- Uses a dedicated register (x18), avoiding memory lookups
- Only two additional instructions per function (push/pop on the shadow stack)
- The shadow stack is linear, providing good cache locality

Comparison with CET Shadow Stack:

Feature            Clang SCS          Intel CET
-------            ---------          ---------
Architecture       AArch64, RISC-V    x86_64
Hardware support   Software-based     Hardware-based
Overhead           <1%                <1%
OS support         Any                Windows 10+, Linux 5.18+

Applicability

This rule applies to:
- ARM64 PE binaries (.exe, .dll) built with Clang/MinGW
- Binaries containing DWARF debug information

This rule does not apply to:
- x86/x64 PE binaries (use AD2025 EnableShadowStack for CET)
- Binaries built with MSVC (use AD2025 for CET shadow stack)
- Binaries without DWARF debug information

References