[cfe-dev] Zero'ing Registers on Function Return

[David Chisnall]

On 16 Sep 2014, at 05:58, Russell Harmon <eatnumber1 at google.com> wrote:

> How do you handle the calling of non-zero-on-return functions from within a zero-on-return function?

Currently, clang emits a warning when a function with __attribute__((sensitive)) calls one without.  I have some stashed changes that try to ensure that all callee-save registers that are touched before a call are spilled to the stack and zero'd before the call, but it's probably not worth finishing it.  __attribute__((sensitive__)) also has to imply __attribute__((noinline)) (or the sensitive attribute be propogated into all callers where it's inlined), or there's the potential for information leaks.

> How much of that work do you think is applicable to other architectures? I'm interested in working on an implementation that (starting with x86) will work across platforms.

Only the front-end changes really.  Most of the work is in the back end, which has to identify which registers are live, which stack slots are used, and zero them.

> If you plan on revisiting your work on it though and trying to get it committed upstream, I won't intrude.

Now that Colin has blogged about it and there's been a lot of public discussion, it's probably much more difficult to get it published, which reduces my motivation to finish it a bit.  I will probably try to find an interested student to work on it this term, but I'm happy to collaborate on the security evaluation if someone else wants to take the lead on doing a proper implementation.

For our architecture, it's a bit more important because our capability registers contain rights to memory (rather than just data) and these don't want to accidentally end up on the stack where an uninitialised variable in a later function might now suddenly grant the rights to access a chunk of memory (rather than trapping if you try to use it as a pointer).

David