[LLVMdev] -fbounds-checking vs {SAFECode,ASan}

John Criswell criswell at illinois.edu
Thu May 24 10:23:09 PDT 2012 

On 5/24/12 5:41 AM, Duncan Sands wrote:
> Hi Kostya, I'm also curious to know where Nuno is going with this, and the
> details of his design.  I'm worried he might be reinventing the wheel.  I'm
> also worried that he may be inventing a square wheel :)

I believe Nuno's goal is to prevent run-time exploitation of software.  
Nuno, please correct me if I'm wrong.

And with all due respect to Nuno, I think he's reinventing the wheel.  I 
implemented what he described using SAFECode in an evening by writing 
two specialized passes that are needed to adjust SAFECode's 
instrumentation to what Nuno needs (one pass removes checks that are too 
expensive; the other inlines the fast checks to remove function call 
overhead).  That code can still be found at 
http://sva.cs.illinois.edu/fastsc-llvm.tar.gz.

I wrote a proposal for a common memory safety instrumentation 
infrastructure and sent it to llvm-commits.  Would it be useful to send 
it to llvmdev as well for discussion, or has everyone who's already 
interested seen it?

Having said all this, if exploit mitigation is the goal, I think it 
might be worth taking a step back and first determining *which* safety 
properties one wants to enforce and what the expected overheads might 
be.  IMHO, if I wanted a technique that could provide the most security 
for the least code complexity and least run-time overhead, I would 
implement control-flow integrity (CFI).  As far as I understand, nearly 
all memory safety exploitation today is done by diverting 
control-flow(*); CFI prevents that and is faster than any other 
non-probabilistic mitigation in the literature.

There's a paper on CFI by Abadi et. al. 
(http://dl.acm.org/citation.cfm?id=1609956.1609960).  However, I don't 
think we'd want to implement it in the same way they do; I'd recommend 
run-time checks on indirect function calls and a split-stack approach 
that allows checks on stores to just mask off bits in the pointer 
address to prevent them from overwriting the return address on the stack.

As an aside, I have a web site called the Memory Safety Menagerie 
(http://sva.cs.illinois.edu/menagerie/index.html) that lists papers on 
the topic of memory safety attack mitigation.  Those interested in 
exploring the mitigation options might find it useful.

-- John T.

(*) Attacks that only change data-flow are possible and practical, but I 
think these are a minority of attacks in the wild.  Attacks that divert 
control-flow are not only common, but researchers have now built tools 
to automate the creation of such attacks.

More information about the llvm-dev mailing list