[llvm-dev] [RFC] Zeroing Caller Saved Regs
David Chisnall via llvm-dev
llvm-dev at lists.llvm.org
Fri Aug 7 01:18:16 PDT 2020
The thing missing from the RFC, though tangentially referenced in a couple of the links, is the threat model for this.
We’ve looked in the past (and had a paper at EuroS&P a few years ago) at the ways in which the compiler can leak secrets that the C abstract machine believes are erased but can be found via a stack memory safety gadget. Fully addressing this requires zeroing spill slots and may also require spilling temporary registers across calls rather than placing values in callee-save registers (though if *all* code is compiled defensively, then the callee can be trusted to zero spill slots for these).
It appears as if this proposal is to address a weaker security model: leaking secrets via transient execution vulnerabilities. As such, it is not concerned with secrets spilled to the stack or leaked from the caller to callee in callee-save registers.
The latter almost makes sense. These registers are normally spilled unconditionally on entry to a function if they are used. The presence of shrink wrapping invalidates this assumption though, and there are transient execution paths through a function that uses shrink wrapping that will leak secrets from the caller. I would therefore expect that this option would disable shrink wrapping.
The former makes less sense to me. Anything that loads from the stack and does something with the result is a potential gadget for leaking secrets spilled to the stack by a prior call via transient execution side channels and, even in the presence of this defence, it seems likely that there are a large number of useful gadgets remaining.
I think it would be useful for the discussion to have a clear threat model that this intends to defend against and a rough analysis of the security benefits that this is believed to bring.
> On 7 Aug 2020, at 00:12, Bill Wendling via llvm-dev <llvm-dev at lists.llvm.org> wrote:
> [This feature addresses https://bugs.llvm.org/show_bug.cgi?id=37880
> and https://github.com/KSPP/linux/issues/84.]
> Clang has been ramping up its support of the Linux kernel. We recently
> added "asm goto with outputs", a long requested feature. We want to
> continue building our relationship with the Linux community.
> KSPP is a project to improve security in the Linux kernel, through
> both kernel changes and compiler features. One compiler feature they
> want is the ability to zero out caller-saved registers on function
> return as a defense against stale register contents being used as a
> side-channel or speculation path.
> The option will be "opt-in" for each target. Targets that don't
> support the flag should probably emit a warning or error.
> Our proposal for the feature is modeled off of H. J. Lu's
> description (copied with some modifications):
> Add -mzero-caller-saved-regs=[skip|used-gpr|all-gpr|used|all]
> command-line option and zero_caller_saved_regs function attributes:
> * Don't zero caller-saved registers upon function return (default):
> * Zero used caller-saved integer registers upon function return:
> * Zero all integer registers upon function return:
> * Zero used caller-saved integer and vector registers upon function return:
> * Zero all caller-saved integer and vector registers upon function return:
>  https://github.com/clearlinux-pkgs/gcc/blob/master/0001-x86-Add-mzero-caller.patch
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
More information about the llvm-dev