[cfe-dev] [llvm-dev] [RFC] Zeroing Caller Saved Regs
Kees Cook via cfe-dev
cfe-dev at lists.llvm.org
Wed Aug 12 14:59:36 PDT 2020
On Wed, Aug 12, 2020 at 02:44:59PM -0700, Bill Wendling wrote:
> My guess is that inserting zeroing instructions right before the "ret"
> instruction can disable some of the hacks we see with ROP:
>
> `pop rdi ; ret` becomes `pop rdi ; xor rdi, rdi ; ret`
Right; this isn't meant to be a perfect defense. Nothing can be, really.
But it narrows the opportunities available to an attacker (whether it be
ROP, exposures, speculation, etc). The more deterministic the execution
paths, the lower the chance that each given path is both useful (i.e.
does work that helps an attacker) and available (i.e. can be "reached"
through some specific bug) to an attacker.
Given the near-zero cost (in both runtime and code size) of self-xor-ing
registers, it's a "free" change that has a greater-than-zero cost to an
attacker.
--
Kees Cook
More information about the cfe-dev
mailing list