On Fri, Nov 13, 2015 at 9:47 PM, Bernd Schmidt <bernds_...@t-online.de> wrote:
> This adds a new -mmitigate-rop option to the i386 port. The idea is to mitigate against certain forms of attack called "return oriented programming" that some of our security folks are concerned about. The basic idea is that the stack gets smashed and then, just by chaining function returns and some preceding instructions, you can have a Turing-complete program to perform an attack. The function returns can be either normal, intended ones that are part of the program, or parts of the instruction encoding of other sequences.
>
> This patch is a small step towards preventing this kind of attack. I have a few more steps queued (not quite ready for stage 1), but additional work will be necessary to give reasonable protection. Here, I'm only concerned with modr/m bytes, and avoiding certain specific opcodes that encode a "return" instruction. Two strategies are available: rename entire chains of registers, or insert extra reg-reg copies if there is a free scratch register.
>
> The modrm byte computation is not a full one, it is only intended to be able to tell whether a value is risky or not.
>
> This was bootstrapped and tested on x86_64-linux. I thought I'd also done a full test with -mmitigate-rop forced always on, but a typo thwarted that. An earlier set of test results looked reasonable but I did not have a baseline to compare against, so I'll be retesting this.
>	* regrename.h (struct du_head): Add target_data_1 and target_data_2
>	fields.
>	* regrename.c (create_new_chain): Clear entire struct after allocating.
>
>	* config/i386/i386.opt (mmitigate-rop): New option.
>	* doc/invoke.texi (mmitigate-rop): Document.
>	* config/i386/i386.c: Include "regrename.h".
>	(ix86_rop_should_change_byte_p, reg_encoded_number,
>	ix86_get_modrm_for_rop, set_rop_modrm_reg_bits, ix86_mitigate_rop): New
>	static functions.
>	(ix86_reorg): Call ix86_mitigate_rop if -fmitigate-rop.
>	* config/i386/i386.md (attr "modrm_class"): New.
>	(cmp<mode>_ccno_1, mov<mode>_xor, movstrict<mode>_xor,
>	x86_mov<mode>cc_0_m1, x86_mov<mode>cc_0_m1_se,
>	x86_mov<mode>cc_0_m1_neg): Override modrm_class attribute.

LGTM, and since the whole thing is protected by a -mmitigate-rop it looks safe for mainline SVN.

Thanks,
Uros.
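The quoted description says the patch only computes enough of the ModR/M byte to tell whether a register-to-register encoding is "risky", i.e. whether that byte itself is a return opcode that a gadget finder could land on, and that one of the two mitigations is to route an operand through a free scratch register. The program below is an added illustration of that idea and is not code from the GCC patch or from Bernd's implementation. Its model is deliberately minimal and is an assumption of this example: each instruction is one opcode byte plus a register-direct ModR/M byte, the "reg" field is the destination and "r/m" is the source (the 0x8B MOV r32,r/m32 and 0x33 XOR r32,r/m32 forms), the set of bytes treated as returns (C3, C2, CB, CA) is my choice rather than something the page states, and the mitigation only inserts a copy before the risky instruction without any of the liveness bookkeeping a real compiler pass needs. The sample instruction stream is constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 3-bit x86 register numbers as used in the reg and r/m fields of ModR/M. */
enum { REG_EAX, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI };

/* Minimal instruction model (assumption of this example, not GCC's RTL):
   one opcode byte and a register-direct ModR/M byte (mod = 11).
   reg = destination register, rm = source register. */
struct insn {
    uint8_t opcode;   /* 0x8B = MOV r32, r/m32; 0x33 = XOR r32, r/m32 */
    unsigned reg;
    unsigned rm;
};

/* Bytes that decode as a return if a gadget finder lands on them:
   C3 ret, C2 ret imm16, CB retf, CA retf imm16. Which of these the real
   patch checks is not stated on the page; this set is an assumption. */
bool is_ret_byte(uint8_t b)
{
    return b == 0xC3 || b == 0xC2 || b == 0xCB || b == 0xCA;
}

/* ModR/M for a register-direct pair: mod=11, reg<<3, r/m. This is the
   "not a full" computation: only enough to judge reg-reg encodings. */
uint8_t modrm_reg_reg(unsigned reg, unsigned rm)
{
    return (uint8_t)(0xC0 | ((reg & 7) << 3) | (rm & 7));
}

/* Risky exactly when the ModR/M byte alone is an unintended return. */
bool modrm_is_risky(unsigned reg, unsigned rm)
{
    return is_ret_byte(modrm_reg_reg(reg, rm));
}

/* Count every byte position that decodes as a return, ignoring instruction
   boundaries: that is how an attacker scanning for gadgets sees the code. */
size_t count_ret_bytes(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (is_ret_byte(code[i]))
            n++;
    return n;
}

/* Emit the instruction stream as bytes; returns the number written. */
size_t encode(const struct insn *insns, size_t n, uint8_t *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        out[k++] = insns[i].opcode;
        out[k++] = modrm_reg_reg(insns[i].reg, insns[i].rm);
    }
    return k;
}

/* Simplified "extra reg-reg copy" strategy: when an instruction's ModR/M is
   risky, first copy its source into a free scratch register (a MOV whose own
   ModR/M must also be safe), then use the scratch register as the source.
   Returns the number of output instructions, or 0 if no usable scratch
   register exists or the output buffer is too small. */
size_t mitigate(const struct insn *in, size_t n, unsigned free_mask,
                struct insn *out, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        struct insn cur = in[i];
        if (modrm_is_risky(cur.reg, cur.rm)) {
            int scratch = -1;
            for (unsigned r = 0; r < 8 && scratch < 0; r++) {
                if (!(free_mask & (1u << r)))
                    continue;
                /* Both the inserted copy and the renamed instruction must be safe. */
                if (!modrm_is_risky(r, cur.rm) && !modrm_is_risky(cur.reg, r))
                    scratch = (int)r;
            }
            if (scratch < 0 || k + 2 > cap)
                return 0;
            struct insn copy = { 0x8B, (unsigned)scratch, cur.rm }; /* mov scratch, src */
            out[k++] = copy;
            cur.rm = (unsigned)scratch;
        }
        if (k + 1 > cap)
            return 0;
        out[k++] = cur;
    }
    return k;
}

/* Constructed sample: mov eax, ebx (8B C3, ModR/M is an unintended ret)
   followed by xor eax, eax (33 C0). ecx and esi are offered as scratch. */
size_t demo_counts(size_t *before, size_t *after)
{
    const struct insn in[2] = { { 0x8B, REG_EAX, REG_EBX }, { 0x33, REG_EAX, REG_EAX } };
    struct insn out[8];
    uint8_t buf[16];
    size_t n = encode(in, 2, buf);
    *before = count_ret_bytes(buf, n);
    size_t m = mitigate(in, 2, (1u << REG_ECX) | (1u << REG_ESI), out, 8);
    n = encode(out, m, buf);
    *after = count_ret_bytes(buf, n);
    return m;
}

int main(void)
{
    size_t before, after;
    size_t m = demo_counts(&before, &after);
    printf("ret bytes before: %zu, after: %zu (%zu insns)\n", before, after, m);
    return 0;
}
```

Note that ecx is rejected as the scratch register even though it is free: the copy `mov ecx, ebx` would itself encode as 8B CB, and CB is a far return. The pass falls through to esi, giving 8B F3 8B C6 33 C0 with no return byte anywhere in the stream.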