[cfe-dev] [llvm-dev] [RFC] Zeroing Caller Saved Regs

Kees Cook via cfe-dev cfe-dev at lists.llvm.org
Wed Aug 12 14:59:36 PDT 2020


On Wed, Aug 12, 2020 at 02:44:59PM -0700, Bill Wendling wrote:
> My guess is that inserting zeroing instructions right before the "ret"
> instruction can disable some of the hacks we see with ROP:
> 
>    `pop rdi ; ret` becomes `pop rdi ; xor rdi, rdi ; ret`

Right; this isn't meant to be a perfect defense. Nothing can be, really.
But it narrows the opportunities available to an attacker (whether it be
ROP, exposures, speculation, etc). The more deterministic the execution
paths, the lower the chance that each given path is both useful (i.e.
does work that helps an attacker) and available (i.e. can be "reached"
through some specific bug) to an attacker.

Given the near-zero cost (in both runtime and code size) of self-xor-ing
registers, it's a "free" change that has a greater-than-zero cost to an
attacker.

-- 
Kees Cook


More information about the cfe-dev mailing list