[cfe-dev] [llvm-dev] [RFC] Zeroing Caller Saved Regs

[Stephen Checkoway via cfe-dev]

> On Aug 12, 2020, at 17:44, Bill Wendling via llvm-dev <llvm-dev at lists.llvm.org> wrote:
> 
> My guess is that inserting zeroing instructions right before the "ret"
> instruction can disable some of the hacks we see with ROP:
> 
>   `pop rdi ; ret` becomes `pop rdi ; xor rdi, rdi ; ret`

Three comments on this.
1. The very first ROP paper [1] used only unintended instruction sequences. That is, none of the return instructions were placed there by the compiler, they appeared completely within other instructions.
2. ROP doesn't require any return instructions [2]. It can be performed using call or jmp instructions.
3. As binaries get larger, the number of available instruction sequences from which one can build gadgets increases dramatically. If the goal is to make one system call like mprotect, you don't need very many at all. If want to get arbitrary computation using ROP and something like mprotect doesn't exist (e.g., on a Harvard architecture machine), you only need a few tens of kilobytes of code. I did it on the Z80 with 16 kB of code with a hardware interlock that forced instructions to be fetched from ROM [3].

There have been a bunch of defenses that purport to make attacks harder by decreasing the number of useful instruction sequences available to the attacker. They don't have a significant impact on attacks.

That's not to say that this couldn't be useful, but I'm skeptical it would defend against ROP, or even make a ROP attack much more difficult.

1. https://hovav.net/ucsd/dist/geometry.pdf
2. https://checkoway.net/papers/noret_ccs2010/noret_ccs2010.pdf
3. https://checkoway.net/papers/evt2009/evt2009.pdf

-- 
Stephen Checkoway