[llvm-dev] Random nop insertion pass

Per Larsen via llvm-dev llvm-dev at lists.llvm.org
Thu Nov 21 16:26:12 PST 2019

Hi all,

To elaborate on what Stephen said, compile-time nop insertion is only
effective if the adversary and victim have different versions of the same
binary. This obviously creates difficulties w.r.t. binary distribution and
subsequent updates*. That said, my colleagues and I at UCI did attempt to
upstream a nop insertion pass into LLVM a couple of years ago. You can find
patches for LLVM 3.8.1 that allow nop insertion and many other randomizing
transformations here: https://github.com/securesystemslab/multicompiler (Some
of these have been forward ported to LLVM 7 as well but I don't believe the
code has been made public yet.)


*We built a robust load-time randomizer that does function shuffling and
works with off-the-shelf compilers and loaders; not sure if that's of
interest in your case: https://github.com/immunant/selfrando

On Thu, Nov 21, 2019 at 4:01 PM Stephen Checkoway via llvm-dev <llvm-dev at lists.llvm.org> wrote:

> > On Nov 21, 2019, at 14:23, Robinson, Paul via llvm-dev <llvm-dev at lists.llvm.org> wrote:
> >
> > Some years ago there was a random-nop-insertion pass (for ROP gadget
> > removal) proposed, which didn't stick; we recently had a summer intern work
> > on it but did not get to proper quality; I'd like to revive that.
>
> Hi Paul,
>
> I'm curious about what the use case for this was. In the normal course of
> binary distribution of programs, the addition of nops doesn't affect ROP in
> any significant way. (For a while, inserting a nop before a ret broke
> ROPgadget's [1] ability to find interesting code sequences since it was
> looking for fixed sequences of instructions.)
>
> I could imagine it being used for JITted code. If that was the use case in
> mind, did you happen to compare it to other randomized codegen?
>
> I'm only curious because this has historically been an area of research of
> mine [2,3,4], not any sort of pressing matter.
>
> Thank you,
> Steve
>
> 1. https://github.com/JonathanSalwan/ROPgadget
> 2. https://checkoway.net/papers/evt2009/evt2009.pdf
> 3. https://checkoway.net/papers/noret_ccs2010/noret_ccs2010.pdf
> 4. https://checkoway.net/papers/fcfi2014/fcfi2014.pdf
> --
> Stephen Checkoway
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
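
The dependence on attacker and victim holding different builds, raised in the reply above, can be measured as gadget survival: the share of ret-terminated byte sequences that sit at the same offset in both binaries. This is an added example, not code from the thread or from the multicompiler or selfrando projects; the instruction bytes, the hypothetical `insert_nops` helper and its fixed nop positions are constructed stand-ins for a randomizing pass.

```python
RET, NOP = 0xC3, 0x90  # x86 near-return and one-byte nop opcodes

# Constructed sample: a tiny x86-64 instruction stream, one entry per instruction.
INSNS = [
    b"\x55",          # push rbp
    b"\x48\x89\xe5",  # mov rbp, rsp
    b"\x5f",          # pop rdi
    b"\xc3",          # ret
    b"\x31\xc0",      # xor eax, eax
    b"\x5d",          # pop rbp
    b"\xc3",          # ret
]

def insert_nops(insns, before):
    """Hypothetical stand-in for the pass: emit a nop before each instruction
    whose index is in `before` (a real pass would draw these at random per build)."""
    out = bytearray()
    for i, insn in enumerate(insns):
        if i in before:
            out.append(NOP)
        out += insn
    return bytes(out)

def ret_tails(code, depth=3):
    """Every (offset, bytes) window of 1..depth bytes followed by a ret byte.
    Scans bytes, not instructions, so unaligned sequences are counted too."""
    tails = set()
    for end, byte in enumerate(code):
        if byte == RET:
            for n in range(1, min(depth, end) + 1):
                tails.add((end - n, code[end - n:end + 1]))
    return tails

def survival(attacker_copy, victim_copy, depth=3):
    """Fraction of the attacker's tails present at the same offset in the victim."""
    known = ret_tails(attacker_copy, depth)
    if not known:
        return 0.0
    return len(known & ret_tails(victim_copy, depth)) / len(known)

if __name__ == "__main__":
    base = insert_nops(INSNS, set())
    for before in (set(), {4}, {0}):
        print(sorted(before), survival(base, insert_nops(INSNS, before)))
```

An identical build scores 1.0, which is the binary-distribution problem: diversification only changes the score when the victim's copy differs from the one the adversary analysed.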