Shadow Stack
What is Shadow Stack?
A shadow stack is a separate, protected stack that stores copies of return addresses so the CPU can detect tampering with the regular stack and block ROP attacks.
A shadow stack runs in parallel with the conventional call stack: every call pushes the return address to both stacks, and every return compares them. If they disagree, the CPU traps and the process aborts before a corrupted return is used. The mechanism was popularized in academic CFI papers and now ships in hardware as Intel CET shadow stack and Arm v8.5-A Guarded Control Stack (GCS). Software-only shadow stacks exist (e.g., LLVM SafeStack, clang -fsanitize=safe-stack) but pay a performance and memory-isolation cost. Shadow stacks complete the backward-edge half of CFI; forward-edge protection still requires CFI/IBT.
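The call/return protocol described above, modelled in software as an added example (this is not code from the original page, and the type and function names such as cpu_t, shadow_call and shadow_ret are illustrative, not any real API): every CALL pushes the return address to both stacks, every RET pops both and compares, and a mismatch becomes a trap instead of a jump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not from the original page: a software model of the
 * call/return protocol a hardware shadow stack enforces. All names here
 * (cpu_t, shadow_call, shadow_ret, ...) are illustrative assumptions.
 */

#define STACK_DEPTH 16

enum { SS_OK = 0, SS_TRAP_MISMATCH = 1, SS_TRAP_UNDERFLOW = 2 };

typedef struct {
    /* Ordinary, writable data stack: saved return addresses live here
       next to attacker-reachable locals, so a buffer overflow can clobber them. */
    uintptr_t stack[STACK_DEPTH];
    int sp;
    /* Shadow stack: holds only return-address copies. In hardware it sits in
       pages that ordinary stores cannot write; here we simply never expose it. */
    uintptr_t shadow[STACK_DEPTH];
    int ssp;
} cpu_t;

static void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); }

/* CALL: push the return address on both stacks. */
static int shadow_call(cpu_t *c, uintptr_t ret_addr)
{
    if (c->sp >= STACK_DEPTH || c->ssp >= STACK_DEPTH) return -1;
    c->stack[c->sp++]   = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
    return SS_OK;
}

/* RET: pop both copies and compare. On mismatch real hardware raises a
   control-protection fault; here we report it and refuse to "jump". */
static int shadow_ret(cpu_t *c, uintptr_t *target)
{
    if (c->sp <= 0 || c->ssp <= 0) return SS_TRAP_UNDERFLOW;
    uintptr_t from_stack  = c->stack[--c->sp];
    uintptr_t from_shadow = c->shadow[--c->ssp];
    if (from_stack != from_shadow) return SS_TRAP_MISMATCH;
    *target = from_stack;
    return SS_OK;
}

/* Model a stack-buffer overflow: a local buffer adjacent to the saved return
   address is written past its end, overwriting the top data-stack slot only. */
static void corrupt_saved_return(cpu_t *c, uintptr_t new_value)
{
    if (c->sp > 0) c->stack[c->sp - 1] = new_value;
}

/* Benign nested call/return: both stacks agree, every RET proceeds. */
int scenario_benign(void)
{
    cpu_t c; cpu_init(&c);
    uintptr_t target = 0;
    shadow_call(&c, 0x401000);             /* constructed return addresses */
    shadow_call(&c, 0x401234);
    int r1 = shadow_ret(&c, &target);      /* target becomes 0x401234 */
    int r2 = shadow_ret(&c, &target);      /* target becomes 0x401000 */
    return (r1 == SS_OK && r2 == SS_OK && target == 0x401000) ? SS_OK : -1;
}

/* Corrupted return: the data-stack copy changed, the shadow copy did not,
   so RET traps and the corrupted address is never used as a jump target. */
int scenario_corrupted(void)
{
    cpu_t c; cpu_init(&c);
    uintptr_t target = 0;
    shadow_call(&c, 0x401000);
    corrupt_saved_return(&c, 0x7fff0000);  /* constructed attacker-chosen value */
    return shadow_ret(&c, &target);        /* SS_TRAP_MISMATCH; target stays 0 */
}

/* RET with no matching CALL: shadow stack underflow is also a trap. */
int scenario_underflow(void)
{
    cpu_t c; cpu_init(&c);
    uintptr_t target = 0;
    return shadow_ret(&c, &target);        /* SS_TRAP_UNDERFLOW */
}

int main(void)
{
    printf("benign:    %s\n", scenario_benign() == SS_OK ? "ret allowed" : "unexpected trap");
    printf("corrupted: %s\n", scenario_corrupted() == SS_TRAP_MISMATCH ? "trap, process aborted" : "MISSED");
    printf("underflow: %s\n", scenario_underflow() == SS_TRAP_UNDERFLOW ? "trap" : "MISSED");
    return 0;
}
```

The model makes the key property visible: the overflow can only reach the data stack, so the shadow copy is the ground truth and any disagreement is fatal before control transfers. On real hardware the shadow stack is enabled by the toolchain and operating system rather than by application code (for x86 CET, GCC and Clang mark a binary as shadow-stack compatible when built with -fcf-protection).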
● Examples
- 01 Windows 11 enforcing user-mode shadow stacks on CET-capable CPUs.
- 02 Arm GCS catching a stack-buffer overflow that overwrites a saved LR.
● Frequently asked questions
What is Shadow Stack?
A shadow stack is a separate, protected stack that stores copies of return addresses so the CPU can detect tampering with the regular stack and block ROP attacks. It belongs to the Application Security category of cybersecurity.
What does Shadow Stack mean?
A shadow stack is a separate, protected stack that stores copies of return addresses so the CPU can detect tampering with the regular stack and block ROP attacks.
How does Shadow Stack work?
A shadow stack runs in parallel with the conventional call stack: every call pushes the return address to both stacks, and every return compares them. If they disagree, the CPU traps and the process aborts before a corrupted return is used. The mechanism was popularized in academic CFI papers and now ships in hardware as Intel CET shadow stack and Arm v8.5-A Guarded Control Stack (GCS). Software-only shadow stacks exist (e.g., LLVM SafeStack, clang -fsanitize=safe-stack) but pay a performance and memory-isolation cost. Shadow stacks complete the backward-edge half of CFI; forward-edge protection still requires CFI/IBT.
How do you defend against Shadow Stack?
A shadow stack is itself a defensive control, not a threat: it protects the backward edge (returns) against corruption and is combined with forward-edge protection (CFI/IBT) and the other controls described in the full definition above.
What are other names for Shadow Stack?
Common alternative names include: Return stack, Safe stack, GCS.
● Related terms
- Control-Flow Integrity (appsec № 217): Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- Intel CET (appsec № 545): Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
- Return-Oriented Programming (appsec № 925): Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
- Stack Canary (appsec № 1095): A stack canary is a secret value placed between a function's local buffers and its saved return address to detect stack buffer overflows before they hijack control flow.
- ASLR (appsec № 064): Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- Memory Safety (appsec № 670): Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.