<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi folks!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At some point I had read a paper (which appears to have gotten lost in my last move) regarding NOP insertion to disrupt gadgets. It identified gadgets in some lump of software, then rebuilt the software with random NOPs enabled, and proudly
pointed to X% of the previous gadgets no longer being present, or usable, or something.<o:p></o:p></p>
<p class="MsoNormal">(To my mind this is not the right question; not “were previous gadgets disrupted” but “how many gadgets are there in the rebuilt software compared to the previous version?” If it’s known that the answer is “there is still an abundance of
gadgets no matter what you do” then I’m answered, and thank you!)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I don’t know whether this would lead to any practical uses within Sony, but if we didn’t have a pass at all, there would be nothing to pursue. We had an intern on the compiler team who was also interested in security. I remembered the
NOP insertion pass that had been committed upstream but later reverted, so we gave him that pass to play with. I was casually interested in my question above, of course, but there are plenty of software bits that we distribute online rather than on disks,
so in principle there is potential for a possible use-case. I may be stating that too strongly.<o:p></o:p></p>
<p class="MsoNormal">In the end, the intern didn’t quite get it working well enough, and I’ve had too many other things going on to want to pick it up myself.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So that’s where things stand today: one of those spare-time things that might be worth real resources someday.<o:p></o:p></p>
<p class="MsoNormal">And thanks for the pointer to the multicompiler project!<o:p></o:p></p>
<p class="MsoNormal">--paulr<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
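<p class="MsoNormal">As an added illustration of the metric question above (this is my example, not code from the thread, the multicompiler or selfrando): a byte-level model that counts ret-terminated gadget candidates in an original and a NOP-rebuilt code region, reporting both the "previous gadgets survived" figure the paper cited and the total the rebuilt region still contains. The function names, the NOP-insertion stand-in and the sample bytes are constructed for the example.</p>

```python
# Added example (not code from the thread, the multicompiler or selfrando):
# a byte-level model of "how many gadgets does the rebuilt binary hold?"
# A gadget candidate is any byte window of length 1..max_len ending at an
# x86 RET (0xC3); no disassembly, so it over-approximates, which suffices.
import random

RET = 0xC3
NOP = 0x90

def gadget_set(code: bytes, max_len: int = 3) -> set:
    """All distinct byte windows of length 1..max_len that end in RET."""
    found = set()
    for end, byte in enumerate(code):
        if byte != RET:
            continue
        for n in range(1, max_len + 1):
            start = end + 1 - n
            if start < 0:
                break
            found.add(code[start:end + 1])
    return found

def insert_nops(code: bytes, rate: float, seed: int = 0) -> bytes:
    """Constructed stand-in for a compile-time pass: with probability `rate`
    emit a NOP before each byte (real passes work between instructions)."""
    rng = random.Random(seed)
    out = bytearray()
    for byte in code:
        if rng.random() < rate:
            out.append(NOP)
        out.append(byte)
    return bytes(out)

def compare(original: bytes, rebuilt: bytes, max_len: int = 3) -> dict:
    """Report the paper's 'survived' figure next to the count an adversary
    holding only the rebuilt binary actually has to work with."""
    before = gadget_set(original, max_len)
    after = gadget_set(rebuilt, max_len)
    return {"original": len(before), "rebuilt": len(after),
            "survived": len(before & after), "new": len(after - before)}

# Constructed sample: three x86-64 epilogues (pop rbx; ret / pop rbp; ret /
# pop r12; ret). With NOPs before every byte only the bare RET survives,
# yet the rebuilt region still offers five candidates instead of six.
SAMPLE = bytes.fromhex("5bc3 5dc3 415cc3")

if __name__ == "__main__":
    print(compare(SAMPLE, insert_nops(SAMPLE, rate=1.0)))
```

The "survived" number is what the paper reported; "rebuilt" is the number that matters for the question Paul raises, and here it barely moves.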
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Per Larsen &lt;perl@immunant.com&gt; <br>
<b>Sent:</b> Thursday, November 21, 2019 7:26 PM<br>
<b>To:</b> Stephen Checkoway &lt;s@pahtak.org&gt;<br>
<b>Cc:</b> Robinson, Paul &lt;paul.robinson@sony.com&gt;; llvm-dev@lists.llvm.org<br>
<b>Subject:</b> Re: [llvm-dev] Random nop insertion pass<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To elaborate on what Stephen said, compile-time nop insertion is only effective if the adversary and victim have different versions of the same binary. This obviously creates difficulties w.r.t. binary distribution and subsequent updates*.
That said, my colleagues and I at UCI did attempt to upstream a nop insertion pass into LLVM a couple of years ago. You can find patches for LLVM 3.8.1 that allow nop insertion and many other randomizing transformations here: <a href="https://github.com/securesystemslab/multicompiler">https://github.com/securesystemslab/multicompiler</a>. (Some
of these have been forward ported to LLVM 7 as well, but I don't believe the code has been made public yet.)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<br>
Per<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">*We built a robust load-time randomizer that does function shuffling and works with off-the-shelf compilers and loaders; not sure if that's of interest in your case: <a href="https://github.com/immunant/selfrando">https://github.com/immunant/selfrando</a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, Nov 21, 2019 at 4:01 PM Stephen Checkoway via llvm-dev &lt;<a href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><br>
<br>
> On Nov 21, 2019, at 14:23, Robinson, Paul via llvm-dev &lt;<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>&gt; wrote:<br>
> <br>
> Some years ago there was a random-nop-insertion pass (for ROP gadget removal) proposed, which didn't stick; we recently had a summer intern work on it but did not get to proper quality; I'd like to revive that.<br>
<br>
Hi Paul,<br>
<br>
I'm curious about what the use case for this was. In the normal course of binary distribution of programs, the addition of nops doesn't affect ROP in any significant way. (For a while, inserting a nop before a ret broke ROPgadget's [1] ability to find interesting
code sequences since it was looking for fixed sequences of instructions.)<br>
<br>
I could imagine it being used for JITted code. If that was the use case in mind, did you happen to compare it to other randomized codegen?<br>
<br>
I'm only curious because this has historically been an area of research of mine [2,3,4], not any sort of pressing matter.<br>
<br>
Thank you,<br>
<br>
Steve<br>
<br>
<br>
1. <a href="https://github.com/JonathanSalwan/ROPgadget" target="_blank">https://github.com/JonathanSalwan/ROPgadget</a><br>
2. <a href="https://checkoway.net/papers/evt2009/evt2009.pdf" target="_blank">https://checkoway.net/papers/evt2009/evt2009.pdf</a><br>
3. <a href="https://checkoway.net/papers/noret_ccs2010/noret_ccs2010.pdf" target="_blank">https://checkoway.net/papers/noret_ccs2010/noret_ccs2010.pdf</a><br>
4. <a href="https://checkoway.net/papers/fcfi2014/fcfi2014.pdf" target="_blank">https://checkoway.net/papers/fcfi2014/fcfi2014.pdf</a><br>
<br>
-- <br>
Stephen Checkoway<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
LLVM Developers mailing list<br>
<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a><br>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</body>
</html>