<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 7/11/2018 4:02 AM, Chandler Carruth
via llvm-dev wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGCO0Kjst2Ope31kQXV_k=Cqw0CbSfd4VXTvY=XWAmEFc22dmg@mail.gmail.com">
<div dir="ltr">
<div>
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div>I believe this approach has the advantage that:<br>
</div>
<div>a) it makes it possible to only insert a mitigation in specific locations if the programmer is capable of inserting intrinsics manually.</div>
</div>
</blockquote>
<div><br>
</div>
<div>This is definitely an area of great interest long-term.</div>
</div>
</div>
</div>
</blockquote>
<br>
Annotating specific loads that need to be protected seems like a
trap to me. See <a class="moz-txt-link-freetext" href="https://reviews.llvm.org/D41761#989799">https://reviews.llvm.org/D41761#989799</a>. (And
Bounds Check Bypass Store variants open up other possibilities, like
overwriting a spill slot.)<br>
<br>
Maybe we can come up with some workable approach to "whitelist"
certain pointers: a pointer could be marked
"speculatively-dereferenceable(N)" if it points to N bytes of
non-secret data. (We could apply this as load metadata, like
!dereferenceable, or it could be explicitly applied using an
intrinsic.)<br>
<br>
-Eli<br>
<pre class="moz-signature" cols="72">--
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project</pre>
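<p>The "speculatively-dereferenceable(N)" whitelist idea from the message above, sketched as LLVM IR load metadata modelled on the existing <code>!dereferenceable</code> node. This is an added illustration for this page, not code from the thread or from LLVM: the metadata name <code>!speculatively_dereferenceable</code>, the sample function and the hardening-pass behaviour described in the comments are assumptions, and LLVM defines no such metadata.</p>

```llvm
; Added illustration, not code from the thread or from LLVM.
; !dereferenceable on a pointer-typed load is real LLVM metadata: the loaded
; pointer is known to point at N bytes of accessible memory.
; !speculatively_dereferenceable is ASSUMED here, following the proposal in
; the message: the loaded pointer points at N bytes of NON-SECRET data, so a
; speculative-load hardening pass may skip mitigating loads through it.

; Constructed example: %pub_pp holds a pointer to 16 bytes of public data,
; %key_pp holds a pointer to a 16-byte secret key.
define i64 @mixed(i64** %pub_pp, i64** %key_pp) {
entry:
  ; Existing metadata: %pub is dereferenceable for 16 bytes.
  ; Assumed metadata: those 16 bytes hold no secrets (the whitelist case).
  %pub = load i64*, i64** %pub_pp, !dereferenceable !0, !speculatively_dereferenceable !0
  ; Offset 8 stays inside the whitelisted 16 bytes, so a hardening pass
  ; (assumed behaviour) may leave this dependent load unhardened.
  %pub_elt = getelementptr inbounds i64, i64* %pub, i64 1
  %v = load i64, i64* %pub_elt

  ; No whitelist metadata on %key: its target may be secret, so the pass
  ; keeps its mitigation on every load through it.
  %key = load i64*, i64** %key_pp, !dereferenceable !0
  %k = load i64, i64* %key

  %r = add i64 %v, %k
  ret i64 %r
}

; Both annotations carry the byte count N as an i64 operand.
!0 = !{i64 16}
```

<p>The point of putting the annotation on the pointer rather than on individual loads is that every load derived from <code>%pub</code> within the N-byte window inherits the whitelist, whereas an annotation on one specific load (the approach the message calls a trap) covers only that load and nothing the optimizer later derives from it.</p>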
</body>
</html>