[PATCH] D41879: [X86] Added support for nocf_check attribute for indirect Branch Tracking

Oren Ben Simhon via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Tue Jan 9 12:40:21 PST 2018


oren_ben_simhon created this revision.
oren_ben_simhon added reviewers: craig.topper, AndreiGrischenko, aaboud, gadi.haber, DavidKreitzer.
Herald added subscribers: javed.absar, mehdi_amini.

Jump Oriented Programming attacks rely on tampering with addresses used by indirect call / jmp, e.g. redirecting control flow to non-programmer-intended bytes in the binary.
X86 supports Indirect Branch Tracking (IBT) as part of Control-Flow Enforcement Technology (CET).
IBT instruments ENDBR instructions used to specify valid targets of indirect call / jmp.

The ``nocf_check`` attribute has two roles in the context of X86 IBT technology:

1. Appertains to a function - do not add ENDBR instruction at the beginning of the function.
2. Appertains to a function pointer - do not track the target function of this pointer by adding nocf_check prefix to the indirect-call instruction.

When the CPU decodes the ``nocf_check`` prefix, it will not update the IBT state machine; hence, the target addresses of the following indirect jump will not be tracked.
So in that case there is no need for ENDBR instructions.

The patch implements ``nocf_check`` context for Indirect Branch Tracking. It also auto-generates ``nocf_check`` prefixes before indirect branches to jump tables that are guarded by range checks.
Those cases are common in switch-case statements and it is safe to optimize them.
That is, instead of adding many ENDBR instructions, one for each target address of a ``case`` statement, we add a single ``nocf_check`` prefix before the indirect jump of the ``switch`` statement.


Repository:
  rL LLVM

https://reviews.llvm.org/D41879

Files:
  include/llvm/Bitcode/LLVMBitCodes.h
  include/llvm/CodeGen/TargetLowering.h
  include/llvm/IR/Attributes.td
  include/llvm/IR/Function.h
  include/llvm/IR/Instructions.h
  lib/AsmParser/LLLexer.cpp
  lib/AsmParser/LLParser.cpp
  lib/AsmParser/LLToken.h
  lib/Bitcode/Reader/BitcodeReader.cpp
  lib/Bitcode/Writer/BitcodeWriter.cpp
  lib/CodeGen/SelectionDAG/LegalizeDAG.cpp
  lib/IR/Attributes.cpp
  lib/IR/Verifier.cpp
  lib/Target/X86/X86FastISel.cpp
  lib/Target/X86/X86ISelLowering.cpp
  lib/Target/X86/X86ISelLowering.h
  lib/Target/X86/X86IndirectBranchTracking.cpp
  lib/Target/X86/X86InstrInfo.td
  lib/Target/X86/X86InstrSystem.td
  lib/Transforms/IPO/ForceFunctionAttrs.cpp
  test/CodeGen/X86/indirect-branch-tracking.ll
  test/CodeGen/X86/nocf_check.ll

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D41879.129146.patch
Type: text/x-patch
Size: 24801 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180109/5a52425d/attachment.bin>
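
An added example, not part of the patch or of LLVM: a small audit that lists where a binary opts out of IBT in the two ways the summary describes, functions whose entry lacks ENDBR and indirect branches carrying the prefix (printed as `notrack` by GNU objdump). The name `audit_ibt` and the sample disassembly are constructed for illustration.

```python
import re

# Constructed sample in `objdump -d` (AT&T) style; not output from a real build.
SAMPLE = """\
0000000000001000 <dispatch>:
    1000:   f3 0f 1e fa             endbr64
    1004:   83 ff 03                cmp    $0x3,%edi
    1007:   77 0d                   ja     1016 <dispatch+0x16>
    1009:   3e ff e0                notrack jmp *%rax
    100c:   ff d2                   call   *%rdx
    1016:   c3                      ret

0000000000001020 <legacy_cb>:
    1020:   55                      push   %rbp
    1021:   3e ff d1                notrack call *%rcx
    1024:   c3                      ret
"""

FUNC = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")
INSN = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S.*)$")
INDIRECT = re.compile(r"^(notrack\s+)?(jmp|call)q?\s+\*")

def audit_ibt(disasm):
    """Return (functions without ENDBR at entry, prefixed indirect branches)."""
    no_endbr, untracked = [], []
    func, at_entry = None, False
    for line in disasm.splitlines():
        m = FUNC.match(line)
        if m:
            func, at_entry = m.group(1), True
            continue
        m = INSN.match(line)
        if not m or func is None:
            continue
        addr, text = m.group(1), m.group(2)
        if at_entry:
            # Role 1: the function is not a valid tracked indirect-branch target.
            if not text.startswith(("endbr64", "endbr32")):
                no_endbr.append(func)
            at_entry = False
        branch = INDIRECT.match(text)
        if branch and branch.group(1):
            # Role 2 / jump tables: this branch's target is not checked for ENDBR.
            untracked.append((func, addr, branch.group(2)))
    return no_endbr, untracked

if __name__ == "__main__":
    print(audit_ibt(SAMPLE))
```

A missing ENDBR is a candidate rather than proof of ``nocf_check``: compilers may also omit it for local functions whose address is never taken.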

