[llvm] [BOLT] Gadget scanner: detect authentication oracles (PR #135663)
Anatoly Trosinenko via llvm-commits
llvm-commits at lists.llvm.org
Wed May 28 10:07:54 PDT 2025
================
@@ -717,6 +740,457 @@ SrcSafetyAnalysis::create(BinaryFunction &BF,
RegsToTrackInstsFor);
}
+/// A state representing which registers are safe to be used as the destination
+/// operand of an authentication instruction.
+///
+/// Similar to SrcState, it is the responsibility of the analysis to take
+/// register aliasing into account.
+///
+/// Depending on the implementation, it may be possible that an authentication
+/// instruction returns an invalid pointer on failure instead of terminating
+/// the program immediately (assuming the program will crash as soon as that
+/// pointer is dereferenced). To prevent brute-forcing the correct signature,
+/// it should be impossible for an attacker to test if a pointer is correctly
+/// signed - either the program should be terminated on authentication failure
+/// or it should be impossible to tell whether authentication succeeded or not.
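Review bot: In the third paragraph of this doc comment, "Depending on the implementation" does not say which implementation is meant (the processor's authentication instruction or something in the toolchain), so a reader cannot tell who decides whether a failed authentication terminates the program or yields an invalid pointer. Consider naming it explicitly. The parenthetical "(assuming the program will crash as soon as that pointer is dereferenced)" also reads as an assumption made by the analysis, when it seems to be the rationale for returning an invalid pointer; rewording it as "on the assumption that ..." attached to the design choice would remove the ambiguity. Finally, in the lines shown here the comment explains the oracle threat but never ties it back to the first sentence: a short statement of what makes a register "safe to be used as the destination operand" in these terms would help.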
----------------
atrosinenko wrote:
Updated this paragraph, it is hopefully more readable now.
https://github.com/llvm/llvm-project/pull/135663