[LLVMdev] [RFC] Simple control-flow integrity

Reid Kleckner rnk at google.com
Tue Feb 11 09:12:03 PST 2014


On Tue, Feb 11, 2014 at 12:28 AM, Richard Osborne <richard at xmos.com> wrote:

>
> On 11 Feb 2014, at 08:15, Eric Christopher <echristo at gmail.com> wrote:
>
> > On Mon, Feb 10, 2014 at 11:51 PM, Reid Kleckner <rnk at google.com> wrote:
> >>
> >>
> >>
> >> IIRC this came up before, and I don't think we expose anything like a
> >> jump table at the IR level.  As an IR-to-IR transform, I think asm is
> >> the only way to do it.
> >
> > I'd have to look more at what he's doing, but wouldn't a simple switch
> > statement in IR suffice? Efficiency would be up to the various
> > lowering mechanisms, but it wouldn't require inline asm.
> >
> > -eric
> Another option might be to create an array of function pointers in the
> LLVM IR, i.e. generate code that looks like:
>
> void (*jumptable[])() = {
>   &a,
>   &b
> };
>
> void f(int index) {
>   (*jumptable[index])();
> }
>

This isn't ABI compatible.  Now function pointers point to data (or are
switch table indices) and not code.

I can imagine abusing indirectbr across separate functions, but rolling
your own jump table in asm seems better.

On Tue, Feb 11, 2014 at 5:07 AM, Joerg Sonnenberger <joerg at britannica.bec.de> wrote:

> On Mon, Feb 10, 2014 at 03:33:32PM -0800, Tom Roeder wrote:
> >     3. adds a fast check for pointer safety at each indirect call site:
>
> Why not using a bloom filter for valid target addresses instead?
>

Can a bloom filter be as fast as a simple bounds check?  I'm thinking lea
base, sub, cmp, jl, and cold call.
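A plain-C sketch of the per-call-site check Reid lists (offset from the table base, one compare, then a cold call on failure), added here as an example and not code from the RFC or from anyone on the thread. The jump table is a constructed array of function pointers standing in for the contiguous asm trampoline block, and cfi_check, checked_call and cfi_fail are assumed names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*target_fn)(void);

/* Stand-in for the jump table (constructed for this example): in the real
 * scheme this is a block of same-sized stubs emitted in asm; here it is an
 * array of function pointers so the check can be exercised in plain C. */
static void a(void) { puts("a"); }
static void b(void) { puts("b"); }
static target_fn jumptable[] = { a, b };

/* The fast check: subtract the table base (lea/sub); because the subtraction
 * is unsigned, a single compare (cmp/jb) rejects both "below base" and
 * "past end"; the stride test rejects pointers into the middle of an entry.
 * Returns 1 if ptr is the address of a valid table entry, else 0. */
int cfi_check(uintptr_t ptr, uintptr_t base, size_t nentries, size_t stride) {
    uintptr_t off = ptr - base;               /* wraps to a huge value if ptr < base */
    if (off >= nentries * stride) return 0;   /* outside the table on either side */
    if (off % stride != 0) return 0;          /* not on an entry boundary */
    return 1;
}

/* Cold path taken instead of the indirect call when the check fails. */
static void cfi_fail(uintptr_t ptr) {
    fprintf(stderr, "CFI violation: target %#lx not in jump table\n",
            (unsigned long)ptr);
    abort();
}

/* An indirect call site: under the scheme a "function pointer" is the
 * address of a jump-table slot, so that address is what gets checked. */
void checked_call(target_fn *slot) {
    uintptr_t p = (uintptr_t)slot;
    if (!cfi_check(p, (uintptr_t)jumptable, 2, sizeof(target_fn)))
        cfi_fail(p);
    (*slot)();
}

int main(void) {
    checked_call(&jumptable[1]);   /* passes the check and prints "b" */
    return 0;
}
```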