[llvm-dev] [RFC] Zeroing Caller Saved Regs

David Chisnall via llvm-dev llvm-dev at lists.llvm.org
Mon Aug 10 03:34:10 PDT 2020


Thanks,

On 07/08/2020 23:28, Kees Cook wrote:
> On Fri, Aug 7, 2020 at 1:18 AM David Chisnall
> <David.Chisnall at cl.cam.ac.uk> wrote:
>> I think it would be useful for the discussion to have a clear threat model that this intends to defend against and a rough analysis of the security benefits that this is believed to bring.
> 
> I view this as being even more about a ROP defense. Dealing with spill
> slots is, IMO, a separate issue, more related to the auto-var-init
> work (though that would be stack erasure on function exit, rather than
> entry, which addresses a different set of issues). I think this thread
> from the GCC list has some good details on the ROP defense:
> 
> https://gcc.gnu.org/pipermail/gcc-patches/2020-August/551607.html

This link gives two motivations:

1. Reducing information leak (which I find unconvincing, because there's 
a lot more left on the stack than in caller-save registers).
2. Reducing ROP gadgets.

Unfortunately, for claim 2 they cite a paper that is behind a paywall, 
so I can't easily see what that's doing and I'll have to guess what the 
paper says:

Caller-save registers are intuitively useful in the first gadget in a 
ROP sequence, because the current frame will have put values into them 
(and so they are most likely to hold attacker-controlled values).  I can 
imagine quite easily a paper that shows that you break the first gadget 
in a chain with this mitigation.

It's possible that it would also significantly reduce the number of 
total gadgets if each ret is preceeded by the zeroing sequence, 
effectively denying the ability for the attacker to use these registers. 
  Unfortunately, to be able to make arbitrary calls they would just need 
one unguarded forward control-flow edge that loaded a function pointer 
and its arguments from the stack, and I can't imagine that such a gadget 
is absent from most nontrivial codebases.  I'd like to see an analysis 
of the gadgets remaining when this mitigation is used.

I don't object to adding a flag that makes the Linux kernel slower but 
if it is being advertised as a security feature then I would like to see 
some evidence that it does something other than require automated attack 
tools pick a different set of gadgets to use.

David



More information about the llvm-dev mailing list