[PATCH] Adding diversity for security

Sean Silva silvas at purdue.edu
Thu Jan 23 19:11:17 PST 2014


On Thu, Jan 23, 2014 at 9:20 PM, Per Larsen <per.larsen at gmail.com> wrote:

> just want to add a few points to my colleague stephen's response to sean
> silva who brought up some good points.
>
> there was a discussion of the relative merits of software diversity and
> control-flow integrity (cfi). just as we are advocating diversity, some
> folks are advocating that cfi is the better way to thwart arbitrary code
> execution attacks. the bottom line is that both of these two security
> technologies are powerful and each with a distinct set of tradeoffs and
> there are situations where one is clearly more appropriate than the other.
> this might give the impression that there is no clear consensus that
> diversity is a good addition to the security toolbox. all evidence points
> to the contrary. the top security conferences have all published work on
> security. furthermore, our patch for llvm was developed as part of research
> funded by two darpa programs–crash and mrc–which includes an extensive red
> team evaluation by a large team of researchers from mit. the current
> consensus is that this patch provides substantially better protection
> against code reuse attacks than the currently deployed defenses and remains
> compatible with virtually all existing code.
>
> our funding runs through 2015 which means that we can definitely commit to
> maintain this for the next two years and possibly beyond that.
>

Hi, to clarify my concern, maintenance is about more than "our funding runs
through 2015". It's about building community trust and showing an
understanding of LLVM development practices along with a commitment to the
LLVM codebase, not just your corner of it.

Consider this scenario: this patch gets committed, but one of our buildbots
breaks. Who is going to identify the errant commit and revert the patch?
Who is going to dig into the issue and fix it? If your team hasn't
integrated itself into the community enough to understand and handle these
issues in tandem with the community, then that means that someone is going
to be taking time off of their work to handle it for you.

For integrating into the community, there is no substitute for sending
patches (start small) and getting them committed; it shouldn't take more
than a handful of quality patches to learn the ropes and show that you are
serious.


>
> i hope this helps clarify the merits of this patch.
>

To clarify: I'm not qualified to discuss the merits of this patch from a
security-researcher perspective; for all I care it could be a theoretically
optimal approach. What I'm more concerned about is "who needs this?", "will
they use it?", "does this fit into their deployment model?", "does this fit
cleanly with our software architecture?", etc. I've seen some hints at
answers to these questions (and I'm not saying that I know the answers
either!), but they really do need to be addressed in order to dislodge the
null hypothesis.

-- Sean Silva


> per
>
>
>
> On Thu, Jan 23, 2014 at 5:44 PM, Stephen Crane <sjcrane at uci.edu> wrote:
>
>> I can't really speak to the first two points besides suggesting that we
>> have working code ready to go for a useful tool to add to users' security
>> toolbox. However, this does lead to your third point... We've had off-list
>> discussions with several different people who are interested in using this,
>> assuming it fits their needs after testing, including Google and OpenBSD.
>> As for me, I'm certainly still on board with the work (and maintenance).
>> Julian, a collaborator of mine at UC Irvine, is also helping put the
>> finishing touches on the patch, and Andrei is also involved as needed since
>> he wrote a good deal of the code for this.
>>
>> Perhaps an email to the llvmdev list resurrecting the original thread
>> would be a good idea, since people were interested in seeing actual code.
>> I'll go ahead and do that so perhaps we can get more input.
>>
>> I agree, splitting the RNG would be a good idea.
>>
>> - stephen
>>
>>
>> On Thu, Jan 23, 2014 at 5:08 PM, Sean Silva <silvas at purdue.edu> wrote:
>>
>>> Was there ever consensus that we want to maintain this in LLVM? I just
>>> looked back at the original thread on llvmdev, and it looked like basically:
>>>
>>> - A number of security folks having an inconclusive, wandering,
>>> back-and-forth discussion about various security things that should have
>>> been done on a security mailing list.
>>> - Lots of "this seems maybe interesting, but ..." with the "but ..." not
>>> clearly addressed in any way. Often times the "but ..." was an alternative
>>> approach that would be more maintainable, effective, and/or fit in better
>>> with existing deployment processes.
>>> - No concrete use cases. Who is going to be deploying this? If nobody is
>>> deploying, then how do we know it will be maintained? It seems like the
>>> initial patch submitter has already jumped ship on this patch; doesn't
>>> exactly inspire confidence.
>>>
>>> It seems like basically nobody who participated in the original
>>> discussion on llvmdev is participating in this patch review either.
>>> Especially the people who had doubts don't seem to be participating; those
>>> doubts need to be addressed.
>>>
>>> Also, at the very least, adding the RNG should be split out into a
>>> separate patch.
>>>
>>> -- Sean Silva
>>>
>>>
>>> On Thu, Jan 23, 2014 at 6:08 PM, Julian Lettner <
>>> julian.lettner at gmail.com> wrote:
>>>
>>>>   Move patch forward to ToT.
>>>>
>>>> Hi rinon, ahomescu,
>>>>
>>>> http://llvm-reviews.chandlerc.com/D1802
>>>>
>>>> CHANGE SINCE LAST DIFF
>>>>   http://llvm-reviews.chandlerc.com/D1802?vs=6581&id=6621#toc
>>>>
>>>> Files:
>>>>   include/llvm/CodeGen/CommandFlags.h
>>>>   include/llvm/MC/MCRegisterInfo.h
>>>>   include/llvm/Support/RandomNumberGenerator.h
>>>>   include/llvm/Target/TargetOptions.h
>>>>   lib/CodeGen/LLVMBuild.txt
>>>>   lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp
>>>>   lib/LTO/LTOCodeGenerator.cpp
>>>>   lib/LTO/LTOModule.cpp
>>>>   lib/Support/CMakeLists.txt
>>>>   lib/Support/RandomNumberGenerator.cpp
>>>>   lib/Target/X86/CMakeLists.txt
>>>>   lib/Target/X86/NOPInsertion.cpp
>>>>   lib/Target/X86/X86.h
>>>>   lib/Target/X86/X86TargetMachine.cpp
>>>>   test/CodeGen/X86/nop-insert-percentage.ll
>>>>   test/CodeGen/X86/nop-insert.ll
>>>>   test/CodeGen/X86/sched-rnd-test.ll
>>>>   tools/llc/llc.cpp
>>>>   tools/llvm-lto/llvm-lto.cpp
>>>>   tools/lto/lto.cpp
>>>>   tools/opt/opt.cpp
>>>>
>>>> _______________________________________________
>>>> llvm-commits mailing list
>>>> llvm-commits at cs.uiuc.edu
>>>> http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20140123/fb09c177/attachment.html>


More information about the llvm-commits mailing list