[LLVMdev] Adding diversity for security (and testing)

Stephen Crane sjcrane at uci.edu
Mon Aug 26 11:39:26 PDT 2013


Greetings LLVM Devs!

I am a PhD student in the Secure Systems and Software Lab at UC
Irvine. We have been working on adding randomness into code generation
to create a diverse population of binaries. This diversity prevents
code-reuse attacks such as return-oriented-programming (ROP) by
denying the attacker information about the exact code layout. ROP has
been used in several high-profile recent attacks, and has also been
used as a jailbreaking avenue. We believe our transformations would
provide a significant security benefit for LLVM users who choose to
use diversity. For more details see [1] (although we are currently
proposing to upstream only a simplified subset of our work).

We would like to contribute some of our work back to the community,
and are preparing a small patch adding two new features: NOP insertion
and schedule randomization. The NOP insertion pass randomly adds NOPs
after each MachineInstr according to a command-line
parameter. Currently NOP insertion is implemented for X86, and we are
adding support for ARM. The schedule randomizer randomly picks a valid
instruction to schedule at every point, bypassing the scheduling
heuristics. These passes result in a binary which, while slightly
slower, is far more secure against code-reuse attacks. In addition,
schedule randomization may be useful for randomized compiler and
micro-architecture testing.

We would also include a secure random number generator which links
against OpenSSL. This would of course be an optional module disabled
by default, but is necessary so the randomization is cryptographically
secure and useful in security applications.

We are in the process of writing test cases and double checking
formatting to produce a useful patch, but would like to solicit
feedback on our proposed changes before submitting patches for
detailed consideration.

Thanks,
Stephen Crane
Secure Systems and Software Lab
UC Irvine


[1] A. Homescu, S. Neisius, P. Larsen, S. Brunthaler, and M. Franz;
“Profile-guided Automated Software Diversity,” in 2013 International
Symposium on Code Generation and Optimization (CGO 2013), Shenzhen,
China; February 2013.
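
A toy model of the two passes described in the post above, as an added example that is not the authors' patch or LLVM code: it randomizes the schedule of a small dependence graph, inserts NOPs with a given probability, and counts how many distinct code layouts a set of seeds yields. The names `Instr`, `kBlock`, `randomSchedule`, `layout` and `distinctLayouts`, the 1-byte NOP and the percentage parameter are assumptions made for illustration.

```cpp
#include <random>
#include <set>
#include <vector>

// Toy stand-in for a MachineInstr (constructed model): encoded size in bytes
// and the indices of the instructions whose results it consumes.
struct Instr { unsigned size; std::vector<int> deps; };

// Constructed sample block; the dependence graph must be acyclic.
const std::vector<Instr> kBlock = {{3, {}}, {2, {}}, {4, {0}}, {1, {1}}, {5, {2, 3}}, {1, {4}}};

// Schedule randomization: at each step pick uniformly among the instructions
// whose dependencies are all scheduled, instead of applying a heuristic.
std::vector<int> randomSchedule(const std::vector<Instr> &b, std::mt19937 &rng) {
  std::vector<int> order;
  std::vector<bool> done(b.size(), false);
  while (order.size() < b.size()) {
    std::vector<int> ready;
    for (int i = 0; i < (int)b.size(); ++i) {
      bool ok = !done[i];
      for (int d : b[i].deps) ok = ok && done[d];
      if (ok) ready.push_back(i);
    }
    int next = ready[std::uniform_int_distribution<std::size_t>(0, ready.size() - 1)(rng)];
    done[next] = true;
    order.push_back(next);
  }
  return order;
}

// NOP insertion: after each instruction add a 1-byte NOP with probability
// pct/100. Returns each instruction's byte offset, then the total size.
std::vector<unsigned> layout(const std::vector<Instr> &b, unsigned pct, unsigned seed) {
  std::mt19937 rng(seed);  // reproducible for the demo, NOT cryptographically secure
  std::uniform_int_distribution<unsigned> roll(0, 99);
  std::vector<unsigned> off(b.size() + 1, 0);  // last slot is the running size
  for (int i : randomSchedule(b, rng)) {
    off[i] = off.back();
    off.back() += b[i].size + (roll(rng) < pct ? 1 : 0);
  }
  return off;
}

// How many distinct layouts seeds 0..n-1 produce for the sample block.
std::size_t distinctLayouts(unsigned pct, unsigned n) {
  std::set<std::vector<unsigned>> seen;
  for (unsigned s = 0; s < n; ++s) seen.insert(layout(kBlock, pct, s));
  return seen.size();
}
int main() { return distinctLayouts(50, 64) > 1 ? 0 : 1; }
```

The seed-driven `std::mt19937` is predictable from a few outputs, which is the gap the post's optional OpenSSL-backed generator is meant to close.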



