[LLVMdev] Adding diversity for security (and testing)

Thu Aug 29 15:29:07 PDT 2013

On 08/28/2013 02:37 PM, Nick Lewycky wrote:
> 1. I'm concerned about the deployment problem. I realize that being in 
> the compiler means you can transform the program in more exciting 
> ways, but it gives you a much worse deployment story than something 
> which modifies the program on disk like "prelink".

Yes, definitely. Deployment is an issue which users will need to 
consider when deciding whether to use compiler-based diversity. However 
there are certainly use-cases which could benefit, especially in small 
deployments. Additionally, the benefits may outweigh the increase in 
deployment costs for larger deployments.

> 2. Does this actually fill a gap in our protections? How do we ever 
> get into the situation where the user is able to deploy a ROP attack 
> against us, without tripping asan or ubsan or something caught by our 
> warnings or the static analyzer or any of the other protections 
> offered by clang and llvm? It may suffice that there exists a niche 
> which can't afford the performance penalty from asan or other things, 
> but then we'll need to discuss what the performance impact is.

Briefly looking at ASAN again, I saw a performance penalty of 2x 
mentioned. Diversity could act as both defense in depth, and as a 
lower-impact defense for performance critical code.

> 3. Reproducible builds are a must. GCC has a -frandom-seed=text flag 
> and you should use that here too. Given the same random seed, the 
> compiler shall produce the same output.

Completely agree, and that's exactly what we have done.

> And one issue for us, the llvm developers. If we're going to accept 
> this feature, own it and maintain it, how can we test it? We know how 
> to test for correctness and measure performance, we even understand 
> what protections -fstack-protector or ASAN offer and can write 
> spot-tests for them, but how can we measure the effectiveness of 
> probability-based ROP-protections? We don't need an answer to this 
> right now, but over time we'll be maintaining it, and it seems 
> plausible that we could accept a patch which accidentally diminishes 
> the actual security provided (image us maintaining a random number 
> generator -- it's possible to add a weakness which isn't easily noticed).

Unfortunately testing for security is a difficult problem. We have 
currently been evaluating our work by comparing a population of 
randomized variants to make sure that no gadgets are the same across 
variants. While this is reasonable for research evaluation, I'm not sure 
that would be practical (or useful) for the compiler test suite. To 
prevent regressions, I think the test suite will need to test at least 3 
major areas: making sure that RNG results are consistent and 
deterministic, testing that NOPs are actually inserted and scheduling 
decisions randomized, and verifying that different seeds result in 
entirely different binaries with approximately equal amounts of 
diversifications.

Speaking of maintenance, we plan to continue work on this in our lab. We 
can certainly maintain these features at least for the next year and a 
half, and possibly longer.

> There's a "good news" side to this too. Over lunch I talked with one 
> of our security guys, and he's excited. He tells me that diversity for 
> ROP-protection is entirely the way to go, and speculates that it ought 
> to be deployable by other vendors. Furthermore, we expect that 
> rotating the register allocation is going to be especially painful on 
> the exploit authors.

As mentioned, we have an implementation of register randomization, 
although it will require some reworking to be ready for prime-time. We 
can definitely look into getting that polished.

- stephen