[llvm-dev] Finding all pointers to functions

John Criswell via llvm-dev llvm-dev at lists.llvm.org
Wed Dec 23 10:26:16 PST 2015 

On 12/23/15 12:55 PM, Russell Wallace wrote:
> On Wed, Dec 23, 2015 at 5:35 PM, John Criswell <jtcriswel at gmail.com 
> <mailto:jtcriswel at gmail.com>> wrote:
>
>     DSA was built when LLVM's optimizations maintained the type
>     information on GEP and other instructions (DSA existed before LLVM
>     was open-source).  As such, it uses LLVM's type information to aid
>     in its type-inference which, in turn, gives it field sensitivity
>     which, in turn, improves its accuracy.  Over time, LLVM
>     optimizations have come to modify the type information so that it
>     is just simple byte-level indexing (as opposed to
>     array-of-structure indexing).  DSA hasn't been updated to handle
>     that well.  That is why its precision is better pre-optimization
>     than post-optimization.
>
>
> Ah! I don't suppose you could point to some examples of this? E.g. a 
> simple test program such that one could eyeball the intermediate code 
> before and after optimization?

Off the top of my head, no, I don't have an example, but I suspect any 
program with an array indexing operation with a for loop will do.

>
>     Just out of curiosity, what are you trying to do?  I need call
>     graph analysis for C/C++ code with function pointers, and so I'm
>     writing an NSF proposal to seek funding to do that (among other
>     enhancements to my SVA infrastructure).  If it's something that
>     would be useful to you (or other LLVM community members), it would
>     be useful for me to know that.
>
>
> SVA?

Sorry.  SVA is Secure Virtual Architecture.  It's my LLVM-based 
infrastructure for controlling operating system kernel behavior via 
compiler instrumentation and hardware configuration.  I've used it to 
build a system that protects applications from a compromised operating 
system kernel as well as to enforce memory safety and control-flow 
integrity on operating system kernel code.

I need DSA for doing things like:

1) Creating an accurate call graph for kernel code to enforce better 
control-flow integrity and to test our future infrastructure for 
measuring the efficacy of defenses against code reuse attacks.

2) Analyzing the memory accesses of kernel modules to see if they modify 
kernel data structures that they should not modify (e.g., to find 
rootkits that modify the process list).

3) For optimizing run-time checks that protect kernel data structure, at 
run-time, from other kernel components (useful for a number of things).

In short, strong points-to and call graph analysis enable some 
interesting research projects.

>
> I'm trying to write a superoptimizer that can optimize code based on a 
> high-level understanding of what it's actually doing, so yes, call 
> graph analysis that can deal with function pointers does seem likely 
> to be one of the things that will be needed.

Nice.

One thing you might want to investigate is whether building a call graph 
analysis off of the TBAA metadata would work.  If TBAA works for lots of 
programs (I hear some non-conformant programs cause it problems), then 
using it as a springboard for analysis may be effective (as TBAA is 
already well maintained in the LLVM source tree).

Regards,

John Criswell

-- 
John Criswell
Assistant Professor
Department of Computer Science, University of Rochester
http://www.cs.rochester.edu/u/criswell

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20151223/b7fdd5fb/attachment.html>

More information about the llvm-dev mailing list