[PATCH] D58102: Support X86 Control-flow Enforcement Technology (CET) in LLD

Xiang Zhang via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Feb 11 22:32:04 PST 2019 

xiangzhangllvm created this revision.
xiangzhangllvm added reviewers: hjl.tools, LuoYuanke, craig.topper, vzakhari, annita.zhang, smaslov, espindola, ruiu, grimar.
xiangzhangllvm added a project: lld.
Herald added subscribers: llvm-commits, jdoerfert, MaskRay, arichardson, emaste.
Herald added a project: LLVM.

  Control-flow Enforcement Technology (CET)

provides the following capabilities to defend against ROP/JOP style control-flow subversion attacks:

  Shadow Stack (SHSTK) – return address protection to defend against Return Oriented Programming,

A shadow stack is a second stack for the program that is used exclusively for control transfer operations. 
This stack is separate from the data stack and can be enabled for operation individually in user mode or supervisor mode.
When shadow stacks are enabled, the CALL instruction pushes the return address on both the data and shadow stack. 
The RET instruction pops the return address from both stacks and compares them. 
If the return addresses from the two stacks do not match, the processor signals a control protection exception (#CP).

  Indirect branch tracking (IBT) – free branch protection to defend against Jump/Call Oriented Programming.

The ENDBRANCH is a new instruction that is used to mark valid indirect call/jump targets in the program.
This instruction opcode is selected to be one that is a NOP on legacy machines such that programs compiled with ENDBRANCH new instruction continue to function on old machines without the CET enforcement.
On processors that support CET the ENDBRANCH is still a NOP and is primarily used as a marker instruction by the in-order part of the processor pipeline to detect control flow violations.
The CPU implements a state machine that tracks indirect jump and call instructions. When one of these instructions is seen, the state machine moves from IDLE to WAIT_FOR_ENDBRANCH state.
In WAIT_FOR_ENDBRANCH state the next instruction in the program stream must be an ENDBRANCH.
If an ENDBRANCH is not seen the processor causes a control protection fault else the state machine moves back to IDLE state.

  Work flow of CET:

A CET supported executable file will contain the CET flags in its .note.gnu.property section.
(The flags of SHSTK or IBT will be set at the GNU_PROPERTY_X86_FEATURE_1_AND property in .note.gnu.property section if the CET is enabled.)
When run the executable file, CET-enabled OS will check these flags in the related segment, and run the feature accordingly on supported hardware.
If it run on unsupported machines, These CET flags or ENDBRANCH will be ignore.

  The key implement of the feature in LLD:

LLD will first check if all the relocatable object files contain the .note.gnu.property section and if there is GNU_PROPERTY_X86_FEATURE_1_AND property in this section.
If it finds the GNU_PROPERTY_X86_FEATURE_1_AND property in all the relocatable object files,
it will handle the flags in these properties and sections, create the resulting .note.gnu.property section in output file if necessary.
Because the IBT feature needs to insert an endbr* instruction at the end of indirect jump, LLD also deals with the lazy binding by adding a second PLT called SPLT.


Repository:
  rLLD LLVM Linker

https://reviews.llvm.org/D58102

Files:
  ELF/Arch/X86.cpp
  ELF/Arch/X86_64.cpp
  ELF/Config.h
  ELF/Driver.cpp
  ELF/Driver.h
  ELF/InputSection.cpp
  ELF/InputSection.h
  ELF/Relocations.cpp
  ELF/Symbols.cpp
  ELF/Symbols.h
  ELF/SyntheticSections.cpp
  ELF/SyntheticSections.h
  ELF/Target.h
  ELF/Writer.cpp
  test/ELF/Inputs/i386-feature-1-and0.s
  test/ELF/Inputs/i386-feature-1-and1.s
  test/ELF/Inputs/i386-feature-1-and1x.s
  test/ELF/Inputs/i386-feature-1-and2.s
  test/ELF/Inputs/i386-feature-1-and2s.s
  test/ELF/Inputs/x86-64-feature-1-and0.s
  test/ELF/Inputs/x86-64-feature-1-and1.s
  test/ELF/Inputs/x86-64-feature-1-and1x.s
  test/ELF/Inputs/x86-64-feature-1-and2.s
  test/ELF/Inputs/x86-64-feature-1-and2s.s
  test/ELF/i386-feature-1-and.s
  test/ELF/x86-64-feature-1-and.s

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D58102.186402.patch
Type: text/x-patch
Size: 49323 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190212/f4eebd0a/attachment.bin>

More information about the llvm-commits mailing list