Friendly bump - has anyone gotten a chance to take a look yet?

On Monday, May 6, 2019 at 11:08:51 PM UTC-5, Neil Patil wrote:
>
> Hi Georg,
>
> The CL for review is here: https://chromium-review.googlesource.com/c/v8/v8/+/1598267. (I haven't added unit tests, but can do so if you think the approach is correct and doesn't need significant modification.) Let me know if changes should be made or if there's a different process to submit code.
>
> Thanks,
> Neil
>
> On Monday, May 6, 2019 at 3:53:51 AM UTC-5, Georg Neis wrote:
>>
>> Hi Neil,
>>
>> this sounds interesting. We have been thinking about this kind of dynamic check as well as about improving our typer testing, but we haven't started implementing anything so far. I'd be happy to look at your code.
>>
>> Best,
>> Georg
>>
>> *From: *<[email protected]>
>> *Date: *Sun, May 5, 2019 at 10:25 PM
>> *To: *v8-dev
>>
>>> Hi all,
>>>
>>> I've been recently investigating type confusion vulnerabilities in the TurboFan JIT (such as this <https://bugs.chromium.org/p/chromium/issues/detail?id=762874&can=2&q=762874&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified> and this <https://bugs.chromium.org/p/project-zero/issues/detail?id=1710>). I am doing this by creating systems that mutate the V8 graph and add pass-through "assertion" nodes that verify that the actual type of a value at runtime indeed matches the type computed by TurboFan's typer.
>>>
>>> One of the systems I have built runs in pipeline.cc and adds a "range checking node" after every inferred range analysis, which verifies that V8's typer system correctly computes ranges in the Typer phase. This is very similar to existing functionality in other JITs such as IonMonkey <https://dxr.mozilla.org/mozilla-central/source/js/src/jit/RangeAnalysis.cpp?q=rangeanalysis.cpp&redirect_type=direct#2375>, which already use this to catch bugs in range analysis that can lead to security vulnerabilities.
>>>
>>> I have verified that my system catches artificially introduced errors in range computation, and does not introduce false positives in existing tests. It is accessible through an optional d8 command-line flag, so it can be used in the fuzzer.
>>>
>>> I think this range checking would be useful for catching range analysis-related security vulnerabilities in the future, especially given that it's been used in other JITs. I have working code, but before going through the code submission process, I wanted to ask if there was anything to be aware of independent of implementation (such as existing duplicate functionality) that would be reasons not to ship this feature.
>>>
>>> (This is my first time contributing to V8, so my apologies if there's a different way of going about this process - thank you in advance!).
>>>
>>> Neil
>>>
>>> --
>>> --
>>> v8-dev mailing list
>>> [email protected]
>>> http://groups.google.com/group/v8-dev
>>> ---
>>> You received this message because you are subscribed to the Google Groups "v8-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>> --
>> Georg Neis
>> Software Engineer
>>
>> Google Germany GmbH
>> Erika-Mann-Straße 33
>> 80636 München
>>
>> Managing Directors: Paul Manicle, Halimah DeLaine Prado
>> Registration court and number: Hamburg, HRB 86891
>> Registered office: Hamburg
>>
>> This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.
>>
>

To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/82381946-369d-4d23-b139-af6aec8c5785%40googlegroups.com.
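The range-checking idea Neil describes above, shown as an added example that is neither his CL nor V8/TurboFan code: a toy dataflow graph, a tiny "typer" that infers an integer interval for every node, and an interpreter that behaves like a range-check node inserted after each value, reporting any node whose runtime value leaves the interval the typer assigned. A deliberately mis-implemented subtraction rule (switched on by a flag) plays the role of the "artificially introduced errors in range computation" mentioned in the thread, so the check can be seen catching one. All names (`Range`, `Node`, `InferRanges`, `RunWithRangeChecks`, `SampleGraph`, `CountViolations`) and the sample graph are constructed for this illustration.

```cpp
// Added example (not V8/TurboFan code): a toy dataflow graph, a tiny "typer"
// that infers integer ranges, and a runtime range check after every node.
#include <cstdint>
#include <cstdio>
#include <vector>
// Inclusive interval assigned to a node by the toy typer.
struct Range {
  int64_t lo, hi;
  bool Contains(int64_t v) const { return lo <= v && v <= hi; }
};
enum class Op { kConst, kParam, kAdd, kSub };
// Graph node; operands are earlier node ids, so vector order is topological.
struct Node {
  Op op;
  int64_t imm = 0;  // constant value (kConst) or parameter index (kParam)
  int lhs = -1, rhs = -1;  // operand ids (kAdd / kSub)
};
using Graph = std::vector<Node>;

// The typer. `inject_sub_bug` models a mis-implemented subtraction rule,
// the kind of defect the runtime check is meant to expose.
std::vector<Range> InferRanges(const Graph& g,
                               const std::vector<Range>& param_ranges,
                               bool inject_sub_bug) {
  std::vector<Range> types;
  for (const Node& n : g) {
    switch (n.op) {
      case Op::kConst:
        types.push_back({n.imm, n.imm});
        break;
      case Op::kParam:
        types.push_back(param_ranges.at(static_cast<size_t>(n.imm)));
        break;
      case Op::kAdd: {
        const Range& a = types.at(n.lhs);
        const Range& b = types.at(n.rhs);
        types.push_back({a.lo + b.lo, a.hi + b.hi});
        break;
      }
      case Op::kSub: {
        const Range& a = types.at(n.lhs);
        const Range& b = types.at(n.rhs);
        if (inject_sub_bug) {
          // Wrong: pairs lo with lo and hi with hi, so [0,10]-[0,10] = [0,0].
          types.push_back({a.lo - b.lo, a.hi - b.hi});
        } else {
          // Correct: a-b is smallest for the smallest a and the largest b.
          types.push_back({a.lo - b.hi, a.hi - b.lo});
        }
        break;
      }
    }
  }
  return types;
}

// Interpreter with a range-check "node" after every value. Returns the ids
// of nodes whose runtime value fell outside the range the typer assigned.
std::vector<int> RunWithRangeChecks(const Graph& g,
                                    const std::vector<Range>& types,
                                    const std::vector<int64_t>& params) {
  std::vector<int64_t> values;
  std::vector<int> violations;
  for (size_t i = 0; i < g.size(); ++i) {
    const Node& n = g[i];
    int64_t v = 0;
    switch (n.op) {
      case Op::kConst: v = n.imm; break;
      case Op::kParam: v = params.at(static_cast<size_t>(n.imm)); break;
      case Op::kAdd:   v = values.at(n.lhs) + values.at(n.rhs); break;
      case Op::kSub:   v = values.at(n.lhs) - values.at(n.rhs); break;
    }
    values.push_back(v);
    if (!types.at(i).Contains(v)) violations.push_back(static_cast<int>(i));
  }
  return violations;
}

// Constructed sample graph: (p0 - p1) + 5, with p0 and p1 declared in [0,10].
Graph SampleGraph() {
  return {{Op::kParam, 0},       // 0: p0
          {Op::kParam, 1},       // 1: p1
          {Op::kSub, 0, 0, 1},   // 2: p0 - p1
          {Op::kConst, 5},       // 3: 5
          {Op::kAdd, 0, 2, 3}};  // 4: (p0 - p1) + 5
}

// Number of range-check failures for the sample graph on the given inputs.
size_t CountViolations(bool inject_sub_bug, int64_t p0, int64_t p1) {
  Graph g = SampleGraph();
  std::vector<Range> types = InferRanges(g, {{0, 10}, {0, 10}}, inject_sub_bug);
  return RunWithRangeChecks(g, types, {p0, p1}).size();
}

int main() {
  std::printf("correct typer: %zu violations\n", CountViolations(false, 3, 7));
  std::printf("buggy typer:   %zu violations\n", CountViolations(true, 3, 7));
}
```

With inputs p0=3, p1=7 the correct typer assigns node 2 the interval [-10,10] and node 4 the interval [-5,15], and the runtime values -4 and 1 pass; the buggy typer assigns [0,0] and [5,5], so both nodes are reported. The same bug stays invisible for p0=5, p1=5, which is why the thread pairs the check with fuzzing rather than a handful of fixed inputs.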
