[llvm] [BOLT] Gadget scanner: detect authentication oracles (PR #135663)
Kristof Beyls via llvm-commits
llvm-commits at lists.llvm.org
Wed May 28 02:22:41 PDT 2025
================
@@ -717,6 +740,457 @@ SrcSafetyAnalysis::create(BinaryFunction &BF,
RegsToTrackInstsFor);
}
+/// A state representing which registers are safe to be used as the destination
+/// operand of an authentication instruction.
+///
+/// Similar to SrcState, it is the responsibility of the analysis to take
+/// register aliasing into account.
+///
+/// Depending on the implementation, it may be possible that an authentication
+/// instruction returns an invalid pointer on failure instead of terminating
+/// the program immediately (assuming the program will crash as soon as that
+/// pointer is dereferenced). To prevent brute-forcing the correct signature,
+/// it should be impossible for an attacker to test if a pointer is correctly
+/// signed - either the program should be terminated on authentication failure
+/// or it should be impossible to tell whether authentication succeeded or not.
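Review bot: The second paragraph of this doc comment opens with "Depending on the implementation" without saying the implementation of what, and the first sentence never states what makes a register "safe" as the destination operand of an authentication instruction. Consider naming what varies between implementations, and adding one sentence that ties the closing requirement ("either the program should be terminated on authentication failure or it should be impossible to tell whether authentication succeeded or not") to the condition this state actually tracks per register. The parenthetical "(assuming the program will crash as soon as that pointer is dereferenced)" would also read more clearly as its own sentence, since it is not obvious whether it describes the implementation's expectation or an assumption made by the analysis.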
----------------
kbeyls wrote:
"To prevent brute-forcing the correct signature", maybe it's easier to understand if this says e.g. something like "to prevent enabling an attacker to brute-force check whether a given signature is correct"?
(Maybe it doesn't make things that much easier --- I'm just thinking out loud here, feel free to not accept this suggestion).
Maybe it would be useful to somehow use the term "authentication oracle" here, so that in a search this documentation shows up?
https://github.com/llvm/llvm-project/pull/135663