[all-commits] [llvm/llvm-project] 826e9d: [BOLT] Gadget scanner: detect signing oracles
Anatoly Trosinenko via All-commits
all-commits at lists.llvm.org
Wed Apr 2 13:02:45 PDT 2025
Branch: refs/heads/users/atrosinenko/bolt-gs-signing-oracles
Home: https://github.com/llvm/llvm-project
Commit: 826e9d76ef7b7202c6de33bdc889c73dc8fc2f26
https://github.com/llvm/llvm-project/commit/826e9d76ef7b7202c6de33bdc889c73dc8fc2f26
Author: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: 2025-04-02 (Wed, 02 Apr 2025)
Changed paths:
M bolt/include/bolt/Core/MCPlusBuilder.h
M bolt/lib/Passes/PAuthGadgetScanner.cpp
M bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
A bolt/test/binary-analysis/AArch64/gs-pauth-address-checks.s
M bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
A bolt/test/binary-analysis/AArch64/gs-pauth-signing-oracles.s
Log Message:
-----------
[BOLT] Gadget scanner: detect signing oracles

Implement the detection of signing oracles. In this patch, a signing
oracle is defined as a sign instruction that accepts a "non-protected"
pointer, but for a slightly different definition of "non-protected"
compared to control flow instructions.

A second BitVector named TrustedRegs is added to the register state
computed by the data-flow analysis. The difference between the
"safe-to-dereference" and "trusted" register states is that to make
an unsafe register trusted by authentication, one has to make sure
that the authentication succeeded. For example, on AArch64 without
FEAT_PAuth2 and FEAT_EPAC, an authentication instruction produces an
invalid pointer on failure, so that subsequent memory access triggers
an error, but re-signing such a pointer would "fix" the signature.

Note that while a separate "trusted" register state may be redundant
depending on the specific semantics of auth and sign operations, it is
still important to check signing operations: while code like this

  resign:
    autda x0, x1
    pacda x0, x2
    ret

is probably safe provided `autda` generates an error on authentication
failure, this function

  sign_anything:
    pacda x0, x1
    ret

is inherently unsafe.
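
The two register states from the log message, as a toy model added here for illustration; it is not the code from PAuthGadgetScanner.cpp. It scans straight-line code only, and the function name, the `auth_traps_on_failure` parameter, the rule that a load through an authenticated register proves the authentication succeeded, and the `resign_checked` sample are assumptions of this example.

```python
# Toy model of the "safe-to-dereference" vs "trusted" register states.
# Not BOLT code: straight-line scan, simplified syntax, constructed inputs.
import re

def find_signing_oracles(asm, auth_traps_on_failure):
    """Return (line_index, text) for each pac* that signs an untrusted register.

    auth_traps_on_failure (assumed parameter): True if a failed aut* raises an
    error by itself; False if it only yields an invalid pointer.
    """
    safe, trusted = set(), set()          # registers in each state
    findings = []
    for idx, raw in enumerate(asm.strip().splitlines()):
        text = raw.strip()
        mnemonic, _, rest = text.partition(" ")
        regs = re.findall(r"\b(?:[xw]\d+|sp)\b", rest)
        if not regs:                      # label, plain ret, ...
            continue
        dst = regs[0]
        if mnemonic.startswith("aut"):
            safe.add(dst)                 # result may be dereferenced
            trusted.discard(dst)
            if auth_traps_on_failure:
                trusted.add(dst)          # failure would already have trapped
            continue
        if mnemonic.startswith("pac") and dst not in trusted:
            findings.append((idx, text))  # signs a pointer nobody vouched for
        if mnemonic == "ldr" and "[" in rest and len(regs) > 1 and regs[1] in safe:
            # Assumed check: the load faults if authentication had failed.
            trusted.add(regs[1])
        # Model simplification: treat the first operand as overwritten.
        safe.discard(dst)
        trusted.discard(dst)
    return findings

# Constructed inputs: the first two mirror the log message, the third is added.
RESIGN = "resign:\n  autda x0, x1\n  pacda x0, x2\n  ret"
SIGN_ANYTHING = "sign_anything:\n  pacda x0, x1\n  ret"
RESIGN_CHECKED = "resign_checked:\n  autda x0, x1\n  ldr x3, [x0]\n  pacda x0, x2\n  ret"

if __name__ == "__main__":
    for name, asm in [("resign", RESIGN), ("sign_anything", SIGN_ANYTHING),
                      ("resign_checked", RESIGN_CHECKED)]:
        for traps in (True, False):
            print(name, "auth traps:", traps, "->", find_signing_oracles(asm, traps))
```
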