[PATCH] Add Forward-Edge Control-Flow Integrity support

Tom Roeder tmroeder at google.com
Mon Jun 16 16:14:12 PDT 2014


This patch adds a new pass that can inject checks before indirect calls to make sure that these calls target known locations. It supports three types of checks and, at compile time, it can take the name of a custom function to call when an indirect call check fails.

This forward CFI implementation depends on the recent jumptable attribute, as well as http://reviews.llvm.org/D4128, which adds a flag to cause all address-taken functions to get the attributes unnamed_addr and jumptable.

This CFI implementation can also easily be augmented with ExternalFunctionAnalysis (http://reviews.llvm.org/D2873); this allows the rewriter to skip rewriting for functions that are known at compile time to take functions defined outside the current module. Another possibility for integration with EFA is to call a different failure function for sites that use known external function pointers than for the other indirect call check sites.

See http://lists.cs.uiuc.edu/pipermail/llvmdev/2014-February/070210 for the initial discussion of this feature on llvmdev.

This pass incidentally moves the function JumpInstrTables::transformType from private to public and makes it static (with a new argument that specifies the table type to use); this is so that the CFI code can transform function types at call sites to determine which jump-instruction table to use for the check at that site.

http://reviews.llvm.org/D4167

Files:
  include/llvm/CodeGen/CommandFlags.h
  include/llvm/CodeGen/ForwardControlFlowIntegrity.h
  include/llvm/CodeGen/JumpInstrTables.h
  include/llvm/CodeGen/Passes.h
  include/llvm/InitializePasses.h
  include/llvm/Target/TargetOptions.h
  lib/CodeGen/AsmPrinter/AsmPrinter.cpp
  lib/CodeGen/CMakeLists.txt
  lib/CodeGen/ForwardControlFlowIntegrity.cpp
  lib/CodeGen/JumpInstrTables.cpp
  lib/CodeGen/LLVMTargetMachine.cpp
  lib/CodeGen/TargetOptionsImpl.cpp
  test/CodeGen/Generic/stop-after.ll
  test/CodeGen/X86/cfi_enforcing.ll
  test/CodeGen/X86/cfi_non_default_function.ll
  test/CodeGen/X86/cfi_simple_indirect_call.ll
  test/CodeGen/X86/jump_table_alias.ll
  test/CodeGen/X86/jump_table_all.ll
  test/CodeGen/X86/jump_table_bitcast.ll
  test/CodeGen/X86/jump_tables.ll
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D4167.10465.patch
Type: text/x-patch
Size: 47964 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20140616/7d75f8ac/attachment.bin>
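
A source-level model of the check described in the message above, as an added example that is not taken from the patch or from LLVM: indirect-call targets are slots in a per-type table, and every call is preceded by a range-and-alignment test that diverts to a failure function. The table layout, the single check shown (the message does not spell out its three check types), and all names (`jump_table`, `cfi_target_ok`, `checked_call`, `cfi_failure`) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_t)(int);

static int add_one(int x) { return x + 1; }
static int twice(int x)   { return x * 2; }
static int negate(int x)  { return -x; }
static int outsider(int x) { return x ^ 0x41; }   /* valid code, but not in the table */

/* Assumed layout: one table per function type; call sites hold slot addresses. */
static const handler_t jump_table[] = { add_one, twice, negate };
static const handler_t stray_slot = outsider;      /* constructed "corrupted" target */

static int cfi_failures;                           /* counts rejected calls */

/* Stand-in for the custom failure function named at compile time. */
static int cfi_failure(uintptr_t target) {
    (void)target;
    cfi_failures++;
    return -1;
}

/* Accept only addresses that are exactly the start of a table slot. */
static int cfi_target_ok(uintptr_t target) {
    uintptr_t off = target - (uintptr_t)jump_table; /* wraps to a huge value if below base */
    return off < sizeof jump_table && off % sizeof jump_table[0] == 0;
}

/* What an instrumented indirect call site does: check first, then call. */
static int checked_call(uintptr_t target, int arg) {
    if (!cfi_target_ok(target))
        return cfi_failure(target);
    return (*(const handler_t *)target)(arg);
}

int main(void) {
    printf("%d\n", checked_call((uintptr_t)&jump_table[1], 21));
    printf("%d\n", checked_call((uintptr_t)&stray_slot, 21));
    printf("failures=%d\n", cfi_failures);
    return 0;
}
```

The check limits a call site to the set of table entries for its function type; it does not tell apart two entries in the same table, so a swap between same-typed targets still passes.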

