[all-commits] [llvm/llvm-project] df7f03: [BOLT] Gadget scanner: detect signing oracles

Anatoly Trosinenko via All-commits all-commits at lists.llvm.org
Tue Apr 8 08:47:13 PDT 2025


  Branch: refs/heads/users/atrosinenko/bolt-gs-signing-oracles
  Home:   https://github.com/llvm/llvm-project
  Commit: df7f039e5d046987bd2e362e9ce46631d6e3319f
      https://github.com/llvm/llvm-project/commit/df7f039e5d046987bd2e362e9ce46631d6e3319f
  Author: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
  Date:   2025-04-08 (Tue, 08 Apr 2025)

  Changed paths:
    M bolt/include/bolt/Core/MCPlusBuilder.h
    M bolt/lib/Passes/PAuthGadgetScanner.cpp
    M bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
    A bolt/test/binary-analysis/AArch64/gs-pauth-address-checks.s
    M bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
    A bolt/test/binary-analysis/AArch64/gs-pauth-signing-oracles.s

  Log Message:
  -----------
  [BOLT] Gadget scanner: detect signing oracles

Implement the detection of signing oracles. In this patch, a signing
oracle is defined as a sign instruction that accepts a "non-protected"
pointer, but for a slightly different definition of "non-protected"
compared to control flow instructions.

A second BitVector named TrustedRegs is added to the register state
computed by the data-flow analysis. The difference between the
"safe-to-dereference" and "trusted" register states is that to make
an unsafe register trusted by authentication, one has to make sure
that the authentication succeeded. For example, on AArch64 without
FEAT_PAuth2 and FEAT_EPAC, an authentication instruction produces an
invalid pointer on failure, so that subsequent memory access triggers
an error, but re-signing such a pointer would "fix" the signature.

Note that while a separate "trusted" register state may be redundant
depending on the specific semantics of auth and sign operations, it is
still important to check signing operations: while code like this

    resign:
      autda x0, x1
      pacda x0, x2
      ret

is probably safe provided `autda` generates an error on authentication
failure, this function

    sign_anything:
      pacda x0, x1
      ret

is inherently unsafe.
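The two register states the commit message describes, as an added illustration that is not BOLT's PAuthGadgetScanner code nor the author's: a toy straight-line scan where the `auth_traps_on_failure` switch, the "a non-faulting memory access through an authenticated pointer proves the auth succeeded" rule, and the instruction subset are all simplifying assumptions.

```python
"""Toy model of the 'safe-to-dereference' vs 'trusted' register states from the
commit message (constructed example, not BOLT's code): one basic block, no
control flow, no aliasing, and a small subset of AArch64 instructions."""
import re

AUTH = {"autda", "autdb", "autia", "autib"}  # assumed subset of auth insns
SIGN = {"pacda", "pacdb", "pacia", "pacib"}  # assumed subset of sign insns

def parse(line):
    """'ldr x2, [x0]' -> ('ldr', ['x2', 'x0']); brackets are dropped."""
    mnem, _, rest = line.strip().partition(" ")
    ops = [re.sub(r"[\[\]!]", "", o).strip() for o in rest.split(",") if o.strip()]
    return mnem, ops

def scan(insns, auth_traps_on_failure):
    """Return (index, insn) for every sign instruction that is a signing oracle.
    auth_traps_on_failure=True: auth itself errors on a bad signature, so its
    result is trusted. False: legacy behaviour (no FEAT_PAuth2/FEAT_EPAC), a
    failed auth only yields an invalid pointer, so the result is safe to
    dereference but not trusted until something actually dereferenced it."""
    safe, trusted = set(), set()  # every register starts out unprotected
    reports = []
    for idx, line in enumerate(insns):
        mnem, ops = parse(line)
        if mnem in AUTH:
            safe.add(ops[0])
            (trusted.add if auth_traps_on_failure else trusted.discard)(ops[0])
        elif mnem in SIGN:
            if ops[0] not in trusted:
                reports.append((idx, line))
            safe.discard(ops[0])  # now carries a PAC; not a plain pointer
        elif mnem in ("ldr", "str"):
            # Assumption: a memory access through an authenticated pointer
            # that did not fault proves the authentication succeeded.
            if ops[1] in safe:
                trusted.add(ops[1])
            if mnem == "ldr":  # loaded value is unknown
                safe.discard(ops[0]); trusted.discard(ops[0])
        elif mnem == "mov":
            rd, rn = ops
            (safe.add if rn in safe else safe.discard)(rd)
            (trusted.add if rn in trusted else trusted.discard)(rd)
        elif mnem == "ret":
            break
        elif ops:  # any other write clobbers the destination's state
            safe.discard(ops[0]); trusted.discard(ops[0])
    return reports
```

With `auth_traps_on_failure=False` the `resign` function from the commit message is reported, because `autda` left `x0` safe-to-dereference but not trusted; inserting a load through `x0` before the `pacda` makes the report go away, while `sign_anything` is reported either way.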


  Commit: c05ced6eed0f0d99f596ec072737af9e1ffa032f
      https://github.com/llvm/llvm-project/commit/c05ced6eed0f0d99f596ec072737af9e1ffa032f
  Author: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
  Date:   2025-04-08 (Tue, 08 Apr 2025)

  Changed paths:
    M bolt/include/bolt/Core/MCPlusBuilder.h
    M bolt/test/binary-analysis/AArch64/gs-pauth-address-materialization.s
    M bolt/test/binary-analysis/AArch64/gs-pauth-calls.s

  Log Message:
  -----------
  Address the review comments, update the tests


Compare: https://github.com/llvm/llvm-project/compare/b341ff457655...c05ced6eed0f
