# AD5024: EnableStackClashProtectionMachO

## Summary
| Property | Value |
|---|---|
| ID | AD5024 |
| Name | EnableStackClashProtectionMachO |
| Category | Security |
| Severity | Warning |
| Applies to | Mach-O (macOS, iOS) |
## Description
Mach-O binaries should enable stack clash protection to prevent stack clash attacks that bypass guard pages.
## How It Works
The rule checks for stack probing patterns:
- Stack allocation probes
- Compiler flag indicators
- Guard page interaction patterns
## Why This Matters
Stack clash attacks can bypass the guard page by making large allocations that jump over it.
### The Stack Clash Attack

Normal growth:

```text
[Guard Page] ← Touched on overflow
[Stack]
```

Stack clash:

```text
[Guard Page] ← Jumped over!
[Large Alloc]
[Other Memory] ← Corrupted
```
### macOS Stack Layout
| Region | Purpose |
|---|---|
| Stack | Thread stack |
| Guard page | 1 page (4KB/16KB) protection |
| Heap/Other | Adjacent memory |
### Protection Mechanism

With -fstack-clash-protection:

```text
Large allocation request:
  Probe page 1 → touch guard if present
  Allocate 4KB
  Probe page 2 → touch guard if present
  Allocate 4KB
  ... repeat ...
```
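An added emulation of the probe loop described above (example code written for this page, not the rule's own checker or compiler output), showing why one store per page is enough to reach a guard page and how many probes a 100 KB frame needs at the 4 KB and 16 KB page sizes listed on this page; the heap buffer standing in for the stack region and the 100 KB frame size are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Page sizes on the two macOS architectures the page lists. */
#define PAGE_INTEL         4096u
#define PAGE_APPLE_SILICON 16384u

/* Number of probes a frame of `size` bytes needs so that no page is
 * skipped: one store per page spanned (ceiling division). */
size_t probes_needed(size_t size, size_t page) {
    return (size + page - 1) / page;
}

/* Emulates the probe loop -fstack-clash-protection emits for a large
 * frame. The stack grows downwards, so the loop starts at the end of the
 * region nearest the previous frame (highest address) and stores one byte
 * every `page` bytes until the bottom is reached; a guard page anywhere
 * inside the region is therefore touched before any memory below it.
 * `buf` is a heap buffer standing in for the new stack region, so the
 * emulation is safe to run. Touched offsets are recorded in `touched`
 * (up to `cap`) and the number of probes is returned. */
size_t probe_region(unsigned char *buf, size_t size, size_t page,
                    size_t *touched, size_t cap) {
    size_t probes = 0;
    size_t idx = size;                         /* one past the highest byte */
    while (idx > 0) {
        idx = (idx > page) ? idx - page : 0;   /* the "sub sp, sp, #page" step */
        buf[idx] = 0xAA;                       /* the probe store */
        if (probes < cap) touched[probes] = idx;
        probes++;
    }
    return probes;
}

int main(void) {
    size_t frame = 100 * 1024;                 /* constructed: a 100 KB frame */
    size_t pages[] = { PAGE_INTEL, PAGE_APPLE_SILICON };
    unsigned char *region = calloc(frame, 1);
    size_t touched[64];
    if (!region) return 1;
    for (int i = 0; i < 2; i++) {
        size_t n = probe_region(region, frame, pages[i], touched, 64);
        printf("page %5zu: %zu probes (expected %zu), first probe at offset %zu\n",
               pages[i], n, probes_needed(frame, pages[i]), touched[0]);
    }
    free(region);
    return 0;
}
```

Without the loop, a single store at the bottom of the 100 KB frame would land 6 pages below the guard on Apple Silicon and 25 pages below it on Intel, which is the skip the attack relies on.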
## Clang Support

| Flag | Support |
|---|---|
| -fstack-clash-protection | Clang 11+ |
| Apple Clang | Check version |
## Performance Considerations
Stack clash protection has minimal overhead on macOS:
| Scenario | Overhead |
|---|---|
| Normal allocations | Negligible |
| Large stack frames (>16KB) | Small probe cost |
| Typical applications | <1% |
macOS-specific notes:

- Page size is 16KB on Apple Silicon (vs 4KB on Intel)
- Fewer probes needed for the same allocation size
- Overall overhead is typically lower than on Linux

Trade-offs:

- VLA-heavy code may see 2-5% overhead
- Recursive algorithms with large frames are most affected
- Compute-bound code sees negligible impact
## Resolution

Enable stack clash protection:

### CMake Configuration

### Xcode Settings

Add to "Other C Flags":