[cfe-dev] Zero'ing Registers on Function Return

Fri Sep 12 06:03:31 PDT 2014


On 9/12/14 6:56 AM, Jonathan Roelofs wrote:
>
>
> On 9/11/14 9:53 PM, Robinson, Paul wrote:
>> Add a function attribute, say __attribute__((clear_regs_on_return)) which when a
>> thus annotated function returns will zero all callee owned registers and spill
>> slots.
>>
>> Seems reasonable, if insufficient.  For compiler-guaranteed clearing, the
>> annotated function would have to have other restrictions. (Can't call external
>> functions; can't call local functions that aren't also marked clear-on-return;
>> can't have optimizations do things like convert memset-style loops into memset
>> calls.)
Suppose a function hardened with this attribute calls another which has not been 
hardened (like some libc function, for example). It might make sense to have the 
caller clear any stack slots & registers that are dead across the call. Though, 
as you say, this provides weaker guarantees than if every function called by a 
hardened one is also hardened.

Jon
>>
>> Then, all unused caller owned registers will be immediately cleared by the
>> caller after return.
>>
>> Seems completely wrong. Why should the caller clear its own registers?  ABI says
>> callee left them alone (or restored them) therefore they contain no sensitive
>> state left behind by the callee.  Or did I misunderstand this part of the spec?
> "zero all the callee-modified registers which are not return values" perhaps?
>
> Jon
>>
>> --paulr
>>
>> *From:*cfe-dev-bounces at cs.uiuc.edu [mailto:cfe-dev-bounces at cs.uiuc.edu] *On
>> Behalf Of *Russell Harmon
>> *Sent:* Thursday, September 11, 2014 7:31 PM
>> *To:* cfe-dev at cs.uiuc.edu
>> *Subject:* [cfe-dev] Zero'ing Registers on Function Return
>>
>> I've been thinking about the issues with securely zero'ing buffers that Colin
>> Percival discusses in his blog article
>> <http://www.daemonology.net/blog/2014-09-06-zeroing-buffers-is-insufficient.html>,
>>
>> and I think I'd like to take a stab at fixing it in clang. Here's my proposal:
>>
>> Add a function attribute, say __attribute__((clear_regs_on_return)) which when a
>> thus annotated function returns will zero all callee owned registers and spill
>> slots. Then, all unused caller owned registers will be immediately cleared by
>> the caller after return.
>>
>> As for why, I'm concerned with the case where a memory disclosure vulnerability
>> exposes all or a portion of sensitive data via either spilled registers or
>> infrequently used registers (xmm). If an attacker is able to analyze a binary
>> for situations wherein sensitive data will be spilled, leveraging a memory
>> disclosure vulnerability it's likely one could craft an exploit that reveals
>> sensitive data.
>>
>> What does the list think?
>>
>> -Russ Harmon
>>
>>
>>
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>>
>

-- 
Jon Roelofs
jonathan at codesourcery.com
CodeSourcery / Mentor Embedded