[PATCH] Insert random noops to increase security against ROP attacks (llvm)

JF Bastien jfb at chromium.org
Mon Jan 5 20:05:11 PST 2015


>
> check this out:
> http://users.ece.cmu.edu/~ejschwar/bib/schwartz_2011_rop-abstract.html
>
> tl;dr: a minimal executable (from 20kB on) likely provides enough gadgets,
> real-life executables and libraries (think glibc, apache, firefox, etc)
> have more than enough.
>
> > but something that I found interesting in
> > https://www.ics.uci.edu/~ahomescu/multicompiler_cgo13.pdf
> > is how figure 2 shows that inserting a nop between instructions reduces
> > the possibility of finding gadgets on x86 because of the variable-length
> > encoding.
>
> this is only true for gadgets that are composed of unintended byte
> sequences (i.e., where the redirected control flow jumps into the middle
> of intended insns) and only if such sequences cross intended insn
> boundaries. as you can see in the paper, there's no case where gadgets
> are eliminated altogether, only their numbers are reduced, and that means
> that blind ROP will work against these binaries.


Sorry, I'm kind of lost as to what you're arguing for/against. Could we
back up a bit?

Do you think nop insertion is a poor mitigation on its own? Or do you think
it's not useful even when combined with other mitigations?

I'm also not clear on what kind of attack you're making assertions for:
LLVM is used in many different situations, and adding tools such as this
may be thoroughly useless in some situations and really useful in others.
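As an added illustration of the point quoted above (this is not code from the thread or from LLVM), a toy Python model: it decodes a small, hand-picked subset of x86-32 opcodes, lists every non-boundary offset from which a ret-terminated sequence decodes, and repeats the survey after a one-byte NOP is placed after each intended instruction. The opcode subset and both instruction streams are constructed for the example; CROSSING shows an unintended decode that spans an instruction boundary and therefore changes under padding, CONTAINED shows one that lives inside a single instruction and is untouched.

```python
# Toy model of how one-byte NOP insertion perturbs unintended x86-32 decodes (constructed example).
NOP, RET = 0x90, 0xC3

def decode_one(code, i):
    """Decode one instruction at offset i; return (mnemonic, length) or None."""
    op, rest = code[i], len(code) - i - 1
    if op in (NOP, RET):
        return ("nop" if op == NOP else "ret", 1)
    if 0x58 <= op <= 0x5F:                          # pop r32
        return ("pop r%d" % (op - 0x58), 1)
    if op == 0x6A and rest >= 1:                    # push imm8
        return ("push 0x%02x" % code[i + 1], 2)
    if 0xB8 <= op <= 0xBF and rest >= 4:            # mov r32, imm32
        return ("mov r%d, imm32" % (op - 0xB8), 5)
    if op == 0x83 and rest >= 2 and code[i + 1] >= 0xC0:  # 83 /r ib, register form
        return ("alu r%d, 0x%02x" % (code[i + 1] & 7, code[i + 2]), 3)
    return None                                     # outside the toy subset

def decode_to_ret(code, start, max_insns=4):
    """Decode forward from start; return the mnemonics if a ret is reached, else None."""
    seq, i = [], start
    while i < len(code) and len(seq) < max_insns:
        d = decode_one(code, i)
        if d is None:
            return None
        seq.append(d[0]); i += d[1]
        if d[0] == "ret":
            return tuple(seq)
    return None

def layout(insns, pad):
    """Concatenate intended instructions; with pad=True insert one NOP after each."""
    code, boundaries = bytearray(), set()
    for ins in insns:
        boundaries.add(len(code))
        code += ins + (bytes([NOP]) if pad else b"")
        if pad:
            boundaries.add(len(code) - 1)
    return bytes(code), boundaries

def unintended_rets(insns, pad=False):
    """Map each non-boundary offset to the ret-terminated sequence decoded from it."""
    code, boundaries = layout(insns, pad)
    seqs = ((off, decode_to_ret(code, off)) for off in range(len(code)) if off not in boundaries)
    return {off: seq for off, seq in seqs if seq}

# Constructed: add eax, 0x6a / pop edi / ret. The 0x6a immediate is itself a push-imm8
# opcode, so a decode starting there swallows whatever byte follows the instruction.
CROSSING = [bytes([0x83, 0xC0, 0x6A]), bytes([0x5F]), bytes([0xC3])]
# Constructed: mov eax, 0xc35f / ret. Here the unintended pop/ret lies inside one insn.
CONTAINED = [bytes([0xB8, 0x5F, 0xC3, 0x00, 0x00]), bytes([0xC3])]
```

For CROSSING the unpadded layout yields `push 0x5f; ret` at offset 2, while the padded layout still yields a ret-terminated sequence at that offset, just a different one (`push 0x90; pop r7; nop; ret`); for CONTAINED the result is identical with and without padding, matching the quoted observation that the gadget bodies change but the count does not drop to zero.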