[cfe-dev] Fwd: Re: clang dataflow sanitizer vs. shared objects

Bhargava Shastry bshastry at sec.t-labs.tu-berlin.de
Mon Feb 23 07:57:47 PST 2015 

Hi,

Resending because the forwarded email likely got filtered out because of
the attachment.

Regards,
Bhargava


-------- Forwarded Message --------
Subject: 	Re: [cfe-dev] clang dataflow sanitizer vs. shared objects
Date: 	Mon, 23 Feb 2015 01:27:04 +0100
From: 	Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
To: 	cfe-dev at cs.uiuc.edu



Hello all,

Following up on this thread: Found that Peter's instructions to get
dfsan support in libcxx/libcxxabi [1] does not work on latest upstream
commits (LLVM: 1f22900; Clang: 3457cd5; compiler-rt: 7bbc72c; libcxx:
da1818a; libcxxabi: 75a7bf6).

I have attached the stack trace with diagnostics. Basically, an
assertion fails here:
> lib/Transforms/Instrumentation/DataFlowSanitizer.cpp:1404: void
> {anonymous}::DFSanVisitor::visitCallSite(llvm::CallSite): Assertion
> `!(cast<FunctionType>(
> CS.getCalledValue()->getType()->getPointerElementType())->isVarArg()
> && dyn_cast<InvokeInst>(CS.getInstruction()))' failed.

Pointers are much appreciated.

Thanks,
Bhargava

[1]: http://lists.cs.uiuc.edu/pipermail/cfe-dev/2015-January/040895.html

On 02/05/2015 05:04 PM, Christian Convey wrote:
> Yury, thanks, that's an interesting idea.
>
> Speaking only for myself, I think the ideal behavior would be the
> following, assuming there's a reasonable way to implement it:
>
> (1) Libraries (both static and dynamic) provide both a normal and
> dfs-enabled version of each exported function.
>
> (2) The compiler and linker work together so that a function call site
> calls the dfs-enabled version of the target function if and only if
> the caller was also compiled with dfs.
>
> I realize this is non-trivial for a few reasons, I'm just thinking
> about what my ideal endpoint would be.
>
> On Thu, Feb 5, 2015 at 12:37 AM, Yury Gribov <y.gribov at samsung.com
> <mailto:y.gribov at samsung.com>> wrote:
>
>     On 02/05/2015 01:23 AM, Peter Collingbourne wrote:
>
>         On Wed, Feb 04, 2015 at 02:56:03PM -0500, Christian Convey wrote:
>
>             Hi guys,
>
>             I'm running into some pain with dataflow sanitizer, and
>             I'm wondering
>             anyone's found a good work-around.
>
>             I'm trying to analyze a code base which delegates a lot of
>             functionality to
>             shared objects.  The application looks up functions within
>             the .so using
>             hard-coded function names.  For example, "dlsym(..., "foo" );"
>
>             Unfortunately for me, the dataflow sanitizer prepends
>             "dfsw$" to the name
>             of any function compiled with the dataflow sanitizer
>             enabled.  So if
>             function "foo" was compiled with the sanitizer enabled,
>             I'd need to change
>             these dlsym invocations to something like "dlsym(...,
>             "dfsw$foo");"
>
>             For now, I'm just black-listing ( via -fsanitize-blacklist
>             ) every function
>             that's exported by one of the application's shared
>             objects.  This addresses
>             the symbol lookup problem, but it means my dataflow labels
>             are lost on data
>             transmitted through these black-listed functions.
>
>             Does anyone know of a good workaround to this problem,
>             and/or what a
>             longer-term solution might look like?
>
>
>         I'm not aware of a good solution to this problem at the
>         moment. One possibility
>         is to write a custom wrapper for the dlsym function that tries
>         the symbol
>         name both with and without the "dfs$" prefix, but this would
>         potentially
>         allow uninstrumented function pointers to leak into the program.
>
>
>     Using --defsym to create aliases during linking is another option.
>     Perhaps DFSan should do this itself?
>
>     -Y
>
>
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-- 
Learn more about COSADE 2015, the 6th Conference on
Constructive Side Channel Analysis and Secure Design
http://www.cosade.org

Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58235



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20150223/c8851a32/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20150223/c8851a32/attachment.sig>

More information about the cfe-dev mailing list