[llvm-dev] [RFC] Zeroing Caller Saved Regs

Bill Wendling via llvm-dev llvm-dev at lists.llvm.org
Wed Aug 12 15:11:27 PDT 2020

On Wed, Aug 12, 2020 at 2:59 PM Kees Cook <keescook at chromium.org> wrote:
> On Wed, Aug 12, 2020 at 02:44:59PM -0700, Bill Wendling wrote:
> > My guess is that inserting zeroing instructions right before the "ret"
> > instruction can disable some of the hacks we see with ROP:
> >
> >    `pop rdi ; ret` becomes `pop rdi ; xor rdi, rdi ; ret`
> Right; this isn't meant to be a perfect defense. Nothing can be, really.
> But it narrows the opportunities available to an attacker (whether it be
> ROP, exposures, speculation, etc). The more deterministic the execution
> paths, the lower the chance that each given path is both useful (i.e.
> does work that helps an attacker) and available (i.e. can be "reached"
> through some specific bug) to an attacker.
> Given the near-zero cost (in both runtime and code size) of self-xor-ing
> registers, it's a "free" change that has a greater-than-zero cost to an
> attacker.
I wanted to clarify that the 16x slowdown was in the authors'
implementation, which used instrumentation to inject code. But yeah,
this could help limit the avenues open to attackers.
