[PATCH] Insert random noops to increase security against ROP attacks (llvm)

Stephen Crane sjcrane at uci.edu
Mon Jan 5 22:42:45 PST 2015


Hi Mehdi,

Sorry, I missed the question, thanks.

On Mon, Jan 5, 2015 at 9:53 PM, Mehdi Amini <mehdi.amini at apple.com> wrote:
> Independently of the randomization aspect, I think that the compiler should be able to deterministically get rid of the situation shown in Figure 2 in https://www.ics.uci.edu/~ahomescu/multicompiler_cgo13.pdf ; i.e. when a gadget is formed by jumping in the middle of an instruction encoding. The compiler could break it by inserting a nop in these cases. Now I’m not sure if it is easy to identify these cases from the assembly code or if it has to be done on the binary code itself?

My intuition would be that breaking _all_ unintended gadgets would
result in significantly slower binaries. However, it's essential to
note that gadgets do not need to be unintended instructions at all.
Researchers have shown that ROP is still viable using only the
intended instruction stream (terminating in returns or indirect jumps)
emitted by the compiler, which we cannot break while preserving
correctness.

Analyzing and attempting to break all gadgets would have to be done
after assembly, since immediate offsets can be used in ROP gadgets.

What we're aiming for instead is to randomize the layout sufficiently
such that all potential gadgets are randomly located. An attacker must
first attempt to disclose the exact binary layout of their particular
target before being able to use these gadgets.

Hopefully that answers your question? Happy to elaborate more here or
discuss off-list.

- stephen
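As an added illustration of the immediate-offset point in the reply above (example code written here, not from the thread or the multicompiler project): given constructed x86 encodings with known instruction boundaries, it lists 0xC3 (ret) bytes that sit inside an intended instruction's encoding, and shows that NOP padding only moves their offsets rather than removing them.

```python
# Added example, not from the thread. Finds "unintended" ret bytes (0xC3) that
# live inside an intended instruction's encoding, e.g. in an immediate operand,
# and shows that prepending NOPs relocates them instead of eliminating them.

from typing import List, Tuple

RET = 0xC3
NOP = 0x90

# Constructed sample: (intended instruction bytes, mnemonic). The imm32 of the
# mov is 0x000000C3, so a stray 0xC3 byte sits one byte into the instruction.
SAMPLE: List[Tuple[bytes, str]] = [
    (bytes([0xB8, 0xC3, 0x00, 0x00, 0x00]), "mov eax, 0xc3"),
    (bytes([0x48, 0x83, 0xC0, 0x01]),       "add rax, 1"),
    (bytes([0xC3]),                         "ret"),
]

def flatten(insns):
    """Return (code bytes, start offsets of the intended instructions)."""
    code = bytearray()
    starts = []
    for raw, _ in insns:
        starts.append(len(code))
        code += raw
    return bytes(code), starts

def unintended_rets(code, starts):
    """Offsets of 0xC3 bytes that are not the start of an intended instruction.
    Decoding from such an offset yields a ret the compiler never emitted."""
    start_set = set(starts)
    return [i for i, b in enumerate(code) if b == RET and i not in start_set]

def pad(insns, n):
    """Insert n single-byte NOPs in front of the instruction stream."""
    return [(bytes([NOP]), "nop")] * n + insns

def demo():
    """Unintended ret offsets before and after inserting three NOPs."""
    code, starts = flatten(SAMPLE)
    before = unintended_rets(code, starts)
    code2, starts2 = flatten(pad(SAMPLE, 3))
    after = unintended_rets(code2, starts2)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("unintended ret offsets:", before, "-> after 3 NOPs:", after)
```

The intended ret at the end of the stream is excluded because it starts an instruction; only the byte embedded in the immediate is reported, and it simply shifts by the padding amount.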
