[PATCH] Adding diversity for security
Daniel Berlin
dberlin at dberlin.org
Fri Jan 24 10:58:10 PST 2014
On Thu, Jan 23, 2014 at 7:07 PM, Alp Toker <alp at nuanti.com> wrote:
>
> On 24/01/2014 01:08, Sean Silva wrote:
>>
>> Was there ever consensus that we want to maintain this in LLVM? I just
>> looked back at the original thread on llvmdev, and it looked like basically:
>>
>> - A number of security folks having an inconclusive, wandering,
>> back-and-forth discussion about various security things that should have
>> been done on a security mailing list.
>> - Lots of "this seems maybe interesting, but ..." with the "but ..." not
>> clearly addressed in any way. Often times the "but ..." was an alternative
>> approach that would be more maintainable, effective, and/or fit in better
>> with existing deployment processes.
>> - No concrete use cases.
>
>
> It's a killer feature for anyone who has to support copy protection
> mechanisms in commercial software.
For exactly how many seconds will that last? :)
>
> Software "cracks" are smart enough to find and patch patterns even when
> binaries change between releases, but nops and register shuffling will block
> the kind of automated "farming" organised criminals use.
>
> A feature that's so easy to deploy (just switch compiler flag every point
> release) is a valuable tool in giving the edge back to individuals and
> companies who have to earn some or all of their living through commercial
> software.
Honestly, I think you are seriously overselling it, but that's not the
main point i want to address:
>
>
>> Who is going to be deploying this? If nobody is deploying, then how do we
>> know it will be maintained? It seems like the initial patch submitter has
>> already jumped ship on this patch; doesn't exactly inspire confidence.
>
>
> Clearly the two use cases are copy protection and security through obscurity
> so genuine users aren't going to be at liberty to join an open debate here.
This I seriously disagree with. Even on the GCC mailing lists, there
were plenty of people who were copy protection folks who spoke up
about features that were going to be deprecated or added. The idea
that "there are plenty of users, but they can't speak here" seems a
bit suspect to me. Saying "this feature would be useful to us" is not
something that harms either of the sets of users you are talking
about, since it's completely and totally obvious that they are doing
it anyway. There is no obscurity at all
More information about the llvm-commits
mailing list