[llvm-dev] [RFC] Zeroing Caller Saved Regs
Bill Wendling via llvm-dev
llvm-dev at lists.llvm.org
Wed Aug 12 15:11:27 PDT 2020
On Wed, Aug 12, 2020 at 2:59 PM Kees Cook <keescook at chromium.org> wrote:
>
> On Wed, Aug 12, 2020 at 02:44:59PM -0700, Bill Wendling wrote:
> > My guess is that inserting zeroing instructions right before the "ret"
> > instruction can disable some of the hacks we see with ROP:
> >
> > `pop rdi ; ret` becomes `pop rdi ; xor rdi, rdi ; ret`
>
> Right; this isn't meant to be a perfect defense. Nothing can be, really.
> But it narrows the opportunities available to an attacker (whether it be
> ROP, exposures, speculation, etc). The more deterministic the execution
> paths, the lower the chance that each given path is both useful (i.e.
> does work that helps an attacker) and available (i.e. can be "reached"
> through some specific bug) to an attacker.
>
> Given the near-zero cost (in both runtime and code size) of self-xor-ing
> registers, it's a "free" change that has a greater-than-zero cost to an
> attacker.
>
I wanted to clarify that the 16x slowdown was in the authors'
implementation, which used instrumentation to inject code. But yeah,
this could help limit the avenues open to attackers.
-bw
More information about the llvm-dev
mailing list