[cfe-dev] [EXTERNAL] Re: making -ftrivial-auto-var-init=zero a first-class option
Reid Kleckner via cfe-dev
cfe-dev at lists.llvm.org
Thu Apr 30 08:20:02 PDT 2020
JF: To Richard's point about raising this at the C++ committee level, has
that already been explored? I got the impression that Richard mostly wanted
to see an *attempt* to standardize the behavior across implementations. If
an attempt has already been made and there is evidence of disagreement,
then it seems like we may already have fulfilled point 4 of the clang
language extension policy, and we can go forward with renaming the flag and
making it permanent. It seems clear that there is adequate appetite for
this feature.
I suppose Richard is the C++ project editor, he would know if an attempt
has been made, but I do not personally have any visibility into the WG21
proceedings or communications.
On Wed, Apr 29, 2020 at 6:17 PM JF Bastien via cfe-dev <
cfe-dev at lists.llvm.org> wrote:
> I’ve consulted with folks in security, compilers, and developers of
> security-sensitive codebases. A few points:
>
>
> - They like that automatic variable initialization provides a security
> mitigation for a significant percentage of observed zero-day exploits, at
> extremely low cost, with little chance of regression.
> - They like that pattern initialization is a “smoking gun” when seen
> in a crash log. The size+performance costs have decreased in the last year,
> but they’d like to see it improve further.
> - They like the lower size+performance cost of zero initialization as
> well as the safety it offers for e.g. size variables (because a size of
> 0xAA…AA is “infinite” which is bad for bounds checking, whereas zero
> isn’t). They don’t like that zero is often a valid pointer sentinel value
> (i.e. initializing pointers to zero can be used in unexpected data flow).
> They don’t like the silly long compiler flag.
> - We’ve deployed automatic variable initialization in a significant
> amount of code. The vast majority of our deployment uses pattern
> initialization. A small number uses zero, of which you’ll note XNU
> <https://opensource.apple.com/source/xnu/xnu-6153.11.26/makedefs/MakeInc.def.auto.html>.
> We’ve only chosen zero in cases where size or performance were measured
> issues.
> - Automatic variable initialization which might sometimes trap (as
> Richard suggests) is a proposal we’d like to see implemented, but we’d like
> to see it under its own separate flag, something like UBSan does with
> developers choosing trapping or logging modes. The main reason is that pure
> trapping with zero-init will make deployment significantly harder (it’s no
> longer a low-risk mitigation), and it’ll make updating our compiler
> significantly harder (because it might change where it generates traps over
> time). We also think that trapping behavior would need good tooling, for
> example through opt remarks, to help find and fix parts of the code where
> the compiler added traps. A logging mode would ease some of this burden. As
> well, we’re not convinced on the size+performance cost of either tapping
> nor logging, complicating the adoption of the mitigation.
> - We don’t think the design space has been explored enough. We might
> want to differentiate initialization more than just “floating point is
> 0xFF…FF, everything else is 0xAA…AA”. For example:
> - We could pattern-init pointers (maybe with compile-time random
> different patterns), and zero-init scalars. This has a good mix of
> performance and security upsides.
> - We could key off heuristics to choose how to initialize, such as
> variable names, function names, or some machine learning model (and for
> those who know me: I’m not joking).
> - We could use a variety of runtime pseudo-random sources to
> initialize values.
> - We could add a new IR “undef” type, or different late-stage
> treatment of “undef”, to apply initialization after optimizations have
> found interesting facts about the program.
>
>
> We’d like to see work continue on improving this mitigation, optimizations
> around it, and other similar mitigations.
>
>
> On Apr 22, 2020, at 1:55 PM, Kees Cook via cfe-dev <cfe-dev at lists.llvm.org>
> wrote:
>
> On Wed, Apr 22, 2020 at 01:08:03PM -0700, Richard Smith wrote:
>
> On Wed, 22 Apr 2020 at 10:49, Joe Bialek <jobialek at microsoft.com> wrote:
>
> Also not clear to me what the OS is expected to do with this trap. We have
> a number of information leak vulnerabilities where force initialization
> kills the bug silently.
>
>
> Do you really mean "kills the bug"? I would certainly believe you have a
> number of information leak vulnerabilities where zero-init fixes the
> *vulnerability* (and we should definitely provide tools to harden programs
> against such vulnerabilities), but the program is still using an
> uninitialized value and still has a bug. The idea that this compiler change
> fixes or removes the bug is precisely the language dialect problem that I'm
> concerned about. Developers must still think that reading an uninitialized
> value is a bug (even if it's not a vulnerability any more) or they're
> writing a program in a language dialect where doing that is not a bug.
>
>
> Yeah, this is another "different communities mean different things"
> terminology glitch. For the security folks, "bug" tends to stand in for
> "security bug" or "security flaw". But yes, as you say, the "bug"
> (misuse of the C language) is present, but the "security flaw" gets
> downgraded to "just a bug" in the zero-init case. :)
>
> --
> Kees Cook
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20200430/cb00a9c5/attachment.html>
More information about the cfe-dev
mailing list