<div dir="ltr">



















<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">Hi All,<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">Over the last few weeks I have
been developing an LLVM Utility pass to check a program at the IR level for
Spectre variant 1 (bounds check bypass) vulnerabilities.  The pass was
initially developed for internal use.  However, as it has proved to be
useful we have decided to share it with the LLVM community.<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">The pass currently must be
enabled with -mllvm -enable-sceptre.  When it finds a vulnerability it
outputs a diagnostic of the form:<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">warning: spectre.c:10:10: in
function array1_load: found vulnerable load<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">note: inlined into function foo
at: spectre.c:19:24<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">note: bounds check with index
"index" is at: spectre.c:6:16: in function is_valid_idx<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">note: inlined into function foo
at: spectre.c:18:6<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">As it runs after inlining it
must be run at -O1 or above (recommendation is to run it at -O2).  <span style="font-size:11pt;font-family:"Calibri",sans-serif;color:black">It's
also enabled in the LTO pipeline, so it can detect cases of cross-module inlining
with -flto.</span><span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> </span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">The code is on Phabricator:</p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><a href="https://reviews.llvm.org/D43643">https://reviews.llvm.org/D43643</a></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"><span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">Paul Kocher (one of the
researchers who wrote the Spectre paper) recently had a look at Microsoft’s
/Qspectre flag:<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"><a href="https://www.paulkocher.com/doc/MicrosoftCompilerSpectreMitigation.html" style="color:rgb(5,99,193);text-decoration:underline">https://www.paulkocher.com/doc/MicrosoftCompilerSpectreMitigation.html</a><span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">Out of 15 examples, Microsoft's
compiler was able to detect 2 (admittedly some of the examples are very hard to
detect without huge numbers of false positives).  The Sceptre detector in
its current form detects 9/15 (one of the examples leaks the value, and is
detected with -sceptre-show-call-escapes, and another is detected with
-sceptre-find-second-load=false).<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">The pass is still under
development.  However, as mentioned earlier even in its current form it
has proved to be useful.  Comments welcome.<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> <span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">Thanks,<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)">Rob.<span></span></span></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif"><span style="color:rgb(33,33,33)"> </span></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:"Calibri",sans-serif">
</p><div id="gmail-:bw.ma" class="gmail-Mu gmail-SP"><span id="gmail-:bw.co" class="gmail-tL8wMe gmail-EMoHub" style="text-align:left" dir="ltr">--</span></div><div id="gmail-:bx.ma" class="gmail-Mu gmail-SP"><div id="gmail-:bx.at" class="gmail-xH"></div><span id="gmail-:bx.co" class="gmail-tL8wMe gmail-EMoHub" style="text-align:left" dir="ltr">Robert Lougher</span></div><div id="gmail-:by.ma" class="gmail-Mu gmail-SP"><div id="gmail-:by.at" class="gmail-xH"></div><span id="gmail-:by.co" class="gmail-tL8wMe gmail-EMoHub" style="text-align:left" dir="ltr">    Sony
Interactive Entertainment </span></div>
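<p>The code shape behind the diagnostic quoted in the message above (a bounds check in one helper, a load in another, both inlined into the caller, with a second load that depends on the first), next to a masked form of the same code, as an added example. This is not code from the post or from the Sceptre pass; the table sizes, contents, and the names <code>foo_unmasked</code>, <code>foo_masked</code>, <code>index_mask_nospec</code> and <code>masked_index</code> are assumptions chosen for illustration. A unit test can only check the architectural results, which are identical for both forms; the mask changes what a mispredicted bounds check may read speculatively, not what the function returns.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed tables for this example; the sizes and contents are
   assumptions, not values taken from the original post. */
#define ARRAY1_SIZE 16
#define CACHE_LINE  64
static uint8_t array1[ARRAY1_SIZE];
static uint8_t array2[256 * CACHE_LINE];

/* Fill the tables with known values so results can be checked.
   Returns the number of array1 entries initialised. */
int init_tables(void) {
    for (size_t i = 0; i < ARRAY1_SIZE; i++)
        array1[i] = (uint8_t)(i * 7 + 1);
    for (size_t v = 0; v < 256; v++)
        array2[v * CACHE_LINE] = (uint8_t)v;
    return ARRAY1_SIZE;
}

/* Bounds check in its own helper, like the "is_valid_idx" in the post's
   diagnostic; after inlining it becomes a branch in the caller. */
static int is_valid_idx(size_t index, size_t size) {
    return index < size;
}

/* The first, bounds-checked load (the "vulnerable load" in the post). */
static uint8_t array1_load(size_t index) {
    return array1[index];
}

/* Vulnerable shape: if the branch mispredicts, the CPU may speculatively
   load array1[index] out of bounds and use the value to index array2,
   leaving a cache footprint. Architecturally the function is correct. */
uint8_t foo_unmasked(size_t index) {
    if (is_valid_idx(index, ARRAY1_SIZE))
        return array2[(size_t)array1_load(index) * CACHE_LINE];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise (the idea
   behind the Linux kernel's array_index_nospec). Assumes index and size
   are both below SIZE_MAX / 2 so that (index - size) wraps exactly when
   index < size. */
size_t index_mask_nospec(size_t index, size_t size) {
    return (size_t)0 - ((index - size) >> (sizeof(size_t) * 8 - 1));
}

/* Clamp the index with the mask instead of relying on the branch alone.
   The empty asm hides the value range of index from the optimizer, so the
   mask is not folded away using the dominating bounds check; it is a
   compiler barrier, not a CPU speculation barrier. */
size_t masked_index(size_t index, size_t size) {
#if defined(__GNUC__) || defined(__clang__)
    __asm__("" : "+r"(index));
#endif
    return index & index_mask_nospec(index, size);
}

/* Hardened form of foo_unmasked: same architectural result, but a
   mispredicted check can only speculatively read array1[0]. */
uint8_t foo_masked(size_t index) {
    if (is_valid_idx(index, ARRAY1_SIZE)) {
        size_t safe = masked_index(index, ARRAY1_SIZE);
        return array2[(size_t)array1_load(safe) * CACHE_LINE];
    }
    return 0;
}

int main(void) {
    init_tables();
    printf("foo_unmasked(3)       = %u\n", foo_unmasked(3));
    printf("foo_masked(3)         = %u\n", foo_masked(3));
    printf("masked_index(100, 16) = %zu\n", masked_index(100, 16));
    return 0;
}
```

<p>The mask is what a detector like the one in the post would want to see between the check and the dependent load; without the asm barrier, an optimizer that knows <code>index &lt; 16</code> on that path is entitled to prove the mask is all ones and delete it, which is why the kernel's version is also written with an asm barrier on x86.</p>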






<br></div>