> On Sep 4, 2020, at 1:04 PM, Segher Boessenkool <seg...@kernel.crashing.org>
> wrote:
>
> On Fri, Sep 04, 2020 at 12:18:12PM -0500, Qing Zhao wrote:
>>> I call this very expensive, already,
>>
>> Yes, I think that 17.56% on average is quite expensive. That’s the data for
>> -fzero-call-used-regs=all, the worst case i.e, clearing all the call-used
>> registers at the return.
>>
>> However, if we only clear USED registers, the worst case is 1.72% on
>> average. This overhead is very reasonable.
>
> No, that is the number I meant. 2% overhead is extremely much, unless
> this is magically super effective, and actually protects many things
> from exploitation (that aren't already protected some other way, SSP for
> example).
Then how about the 0.81% overhead on average for
-fzero-call-used-regs=used_gpr_arg?
This option can be used to effectively mitigate ROP attacks,
and currently the Clear Linux project has been using a similar option
since GCC 8 (similar to -fzero-call-used-regs=used_gpr).
>>> and it is benchmarked on a target
>>> where this should be very cheap (it has few registers) :-/
>>
>> It’s a tradeoff to improve the software security with some runtime overhead.
>
> Yes. Which is why I asked for numbers of both sides of the equation:
> how much it costs, vs. how much value it brings.
Reasonable.
>
>> For the compiler, we should provide such an option to the users to satisfy their
>> security need even with the runtime overhead. Of course, during compiler
>> implementation, we will do our best to minimize the runtime overhead.
>
> There also is a real cost to the compiler *developers*. Which is my
> prime worry here. If this gives users at most marginal value, then it
> is real cost to us, but nothing to hold up to that.
Here, do you mean the future maintenance cost for this part of the code?
Qing
>
>
> Segher
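The thread argues about the runtime cost of the option without showing what it actually emits. The script below is an added example, not code from this thread or from the patch under review: it compiles a tiny leaf function with and without -fzero-call-used-regs and prints the instructions the option adds at the return, which is the check a practitioner would run before trusting a benchmark number or rolling the flag into a build. It assumes gcc is on PATH and uses the hyphenated mode spelling (used-gpr-arg, used-gpr) that shipped in released GCC; the thread uses the patch-era spelling with underscores (used_gpr_arg). A compiler that does not know the option makes the function return 2 rather than fail.

```shell
#!/bin/sh
# Added example; not part of the GCC mailing-list thread or the patch.
# Shows what -fzero-call-used-regs changes in the generated assembly and
# whether the installed gcc supports it at all.
# Assumption: gcc is on PATH and accepts the released (hyphenated) mode
# names such as used-gpr-arg; the thread's used_gpr_arg is the same mode.
#
# Return codes of check_zero_call_used_regs:
#   0 = option accepted and it changed the generated code
#   2 = gcc missing, or this gcc does not support the option
#   1 = anything else went wrong
check_zero_call_used_regs() {
    mode="${1:-used-gpr-arg}"
    command -v gcc >/dev/null 2>&1 || { echo "gcc not found"; return 2; }

    tmp=$(mktemp -d) || return 1
    # Constructed input: a leaf function whose argument registers are
    # call-used, so the option should clear them before the return.
    cat >"$tmp/f.c" <<'EOF'
int add(int a, int b) { return a + b; }
EOF
    gcc -O2 -S -o "$tmp/base.s" "$tmp/f.c" || { rm -rf "$tmp"; return 1; }
    if ! gcc -O2 -S "-fzero-call-used-regs=$mode" -o "$tmp/zero.s" "$tmp/f.c" 2>/dev/null; then
        echo "this gcc does not support -fzero-call-used-regs=$mode"
        rm -rf "$tmp"
        return 2
    fi
    # Only the option differs between the two compiles, so any difference
    # in the assembly is the register-clearing sequence added at return.
    if cmp -s "$tmp/base.s" "$tmp/zero.s"; then
        echo "no change in generated code for mode $mode"
        rm -rf "$tmp"
        return 1
    fi
    echo "instructions added by -fzero-call-used-regs=$mode:"
    diff "$tmp/base.s" "$tmp/zero.s" | grep '^>' || true
    rm -rf "$tmp"
    return 0
}

# Usage: sh check_zcur.sh run [mode]   (e.g. run used-gpr)
# The exit status is the return code listed above.
case "${1:-}" in
    run) check_zero_call_used_regs "${2:-used-gpr-arg}" ;;
esac
```

Comparing the two assembly listings for the same source isolates the cost the thread is arguing about: every extra line in the diff is an instruction executed on each return of that function, so the size of the diff for `used-gpr-arg` versus `all` makes the 0.81% versus 17.56% spread concrete for one's own target.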