[LLVMdev] Adding diversity for security (and testing)
Nadav Rotem
nrotem at apple.com
Mon Aug 26 11:51:19 PDT 2013
Hi Stephen,
> Greetings LLVM Devs!
>
> I am a PhD student in the Secure Systems and Software Lab at UC
> Irvine. We have been working on adding randomness into code generation
> to create a diverse population of binaries. This diversity prevents
> code-reuse attacks such as return-oriented-programming (ROP) by
> denying the attacker information about the exact code layout. ROP has
> been used in several high-profile recent attacks, and has also been
> used as a jailbreaking avenue. We believe our transformations would
> provide a significant security benefit for LLVM users who choose to
> use diversity. For more details see [1] (although we are currently
> proposing to upstream only a simplified subset of our work).
>
I think that this is very interesting and I would like LLVM to have a "randomness" feature. I think that it is useful for other aspects of security as well.
> We would like to contribute some of our work back to the community,
> and are preparing a small patch adding two new features: NOP insertion
> and schedule randomization. The NOP insertion pass randomly adds NOPs
> after each MachineInstr according to a command-line
> parameter. Currently NOP insertion is implemented for X86, and we are
> adding support for ARM.
Okay.
> The schedule randomizer randomly picks a valid
> instruction to schedule at every point, bypassing the scheduling
> heuristics. These passes result in a binary which, while slightly
> slower, is far more secure against code-reuse attacks. In addition,
> schedule randomization may be useful for randomized compiler and
> micro-architecture testing.
>
Which scheduler did you modify? The plan is to disable the SelectionDAG scheduler and move to the MI Scheduler soon.
Also, have you looked at randomizing register-allocation?
> We would also include a secure random number generator which links
> against OpenSSL. This would of course be an optional module disabled
> by default, but is necessary so the randomization is cryptographically
> secure and useful in security applications.
I am not sure why you need this feature. You can provide LLVM with a SEED value that can be controlled from the command line. A wrapper (such as a build-script) can control this value.
>
> We are in the process of writing test cases and double checking
> formatting to produce a useful patch, but would like to solicit
> feedback on our proposed changes before submitting patches for
> detailed consideration.
Please make sure that the LLVM nightly test suite passes with randomization enabled.
>
> Thanks,
> Stephen Crane
> Secure Systems and Software Lab
> UC Irvine
>
>
> [1] A. Homescu, S. Neisius, P. Larsen, S. Brunthaler, and M. Franz;
> “Profile-guided Automated Software Diversity,” in 2013 International
> Symposium on Code Generation and Optimization (CGO 2013), Shenzhen,
> China; February 2013.
>
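A toy model of the NOP insertion and command-line seed ideas discussed in this message, added here as an example (it is not code from the proposed patch or from LLVM). The instruction sizes, the 1-byte NOP, the `layout` and `distinct_layouts` helpers and the use of `std::mt19937_64` are all assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>
#include <vector>

// Constructed sample: encoded byte length of each instruction in one function.
static const std::vector<unsigned> kInstrSizes = {1, 3, 5, 2, 3, 4, 1, 5, 2, 3, 1, 1};

// Returns the byte offset of every original instruction after NOP insertion.
// After each instruction a 1-byte NOP is emitted with probability percent/100.
std::vector<unsigned> layout(uint64_t seed, unsigned percent) {
    std::mt19937_64 rng(seed);  // stand-in PRNG, not cryptographically secure
    std::vector<unsigned> offsets;
    unsigned pc = 0;
    for (unsigned size : kInstrSizes) {
        offsets.push_back(pc);
        pc += size;
        if (rng() % 100 < percent) pc += 1;  // inserted NOP shifts all later code
    }
    return offsets;
}

// Number of distinct layouts produced by seeds 1..n at the given NOP probability.
size_t distinct_layouts(uint64_t n, unsigned percent) {
    std::set<std::vector<unsigned>> seen;
    for (uint64_t s = 1; s <= n; ++s) seen.insert(layout(s, percent));
    return seen.size();
}

int main() {
    // Seed 1 is printed twice to show that a build is reproducible from its seed.
    for (uint64_t seed : {1ULL, 2ULL, 1ULL}) {
        std::printf("seed %llu:", (unsigned long long)seed);
        for (unsigned off : layout(seed, 50)) std::printf(" %u", off);
        std::printf("\n");
    }
    std::printf("distinct layouts over 64 seeds: %zu\n", distinct_layouts(64, 50));
}
```

In this model the layout is a pure function of the seed, so a build script can reproduce any binary, and the unpredictability of the layout is exactly the unpredictability of the seed and generator.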