Page MenuHomePhabricator

Insert random noops to increase security against ROP attacks (clang)
ClosedPublic

Authored by rinon on Apr 15 2014, 10:58 PM.

Details

Reviewers
yln
ahomescu
jfb
Summary

A pass that adds random noops to X86 binaries to introduce diversity with the goal of increasing security against most return-oriented programming attacks.

Command line options:

-noop-insertion // Enable noop insertion.
-noop-insertion-percentage=X // X% of assembly instructions will have a noop prepended (default: 50%, requires -noop-insertion)
-max-noops-per-instruction=X // Randomly generate X noops per instruction. ie. roll the dice X times with probability set above (default: 1). This doesn't guarantee X noop instructions.

In addition, the following 'quick switch' in clang enables basic diversity using default settings (currently: noop insertion and schedule randomization; it is intended to be extended in the future).

-fdiversify

This is the clang part of the patch.
llvm part: D3392

Diff Detail

Event Timeline

jfb added inline comments.Apr 17 2014, 4:04 PM
include/clang/Driver/CC1Options.td
171

Why is this a cc1 option?

It also seems like it should be in Group<m_x86_Features_Group> since it's not available on other architectures? Although see my comment on the LLVM side, I think you can make this non-x86 specific.

rinon commandeered this revision.Dec 19 2014, 1:41 PM
rinon edited reviewers, added: yln; removed: rinon.

Commandeered to update in step with D3392.

rinon edited edge metadata.Dec 19 2014, 1:41 PM
rinon added a subscriber: Unknown Object (MLST).
rinon updated this revision to Diff 17512.Dec 19 2014, 1:42 PM
rinon removed a subscriber: Unknown Object (MLST).
  • Added current version of multicompiler changes for clang.
  • Removed unnecessary include.
  • Remove unused field.
  • Refine construction of salt string.
  • Removed RNG salting from clang.
  • Remove stray reference to RNG header
  • Remove schedule randomization option
  • Rebase onto latest LLVM master
rinon added a subscriber: Unknown Object (MLST).Dec 19 2014, 1:42 PM

Sorry about the cfe-commits de/re-subscription, not sure what happened. Arc misbehaved on me.

rinon updated this revision to Diff 17514.Dec 19 2014, 1:45 PM
  • Whitespace
  • Fix -noop-insertion backend option name
rinon updated this revision to Diff 17516.Dec 19 2014, 1:48 PM
  • More whitespace fixes
rinon added inline comments.Dec 19 2014, 1:51 PM
include/clang/Driver/CC1Options.td
198

I think this should be a CC1 option to simplify the "public" interface to just -fdiversify. However, I'm completely open to switching this to a frontend option instead.

rinon added a reviewer: jfb.Dec 19 2014, 1:51 PM
jfb edited edge metadata.Dec 19 2014, 3:32 PM

Can you update the description to use "noop" instead of "nop"? I don't really care either way, but it should be consistent with the code.

It also looks like this patch only passes -noop-insertion to LLVM, not the other 2?

I recommend seeking an LGTM from a person more familiar with clang that I am. This looks OK to my untrained eye, but I'd not at all familiar with clang's code base.

rinon updated this object.Dec 29 2014, 12:46 PM
rinon edited edge metadata.
rinon retitled this revision from Insert random NOPs to increase security against ROP attacks (clang) to Insert random noops to increase security against ROP attacks (clang).
rinon added a comment.Jan 5 2015, 4:35 PM

Ping. Anyone more familiar with clang who can take a quick look at
this patch? Just a couple flags getting passed through to the backend.

Thanks,
Stephen

jfb added a comment.Jan 12 2015, 12:52 PM

No comments yet, I'm going to assume this is good to go and commit it soon.

jfb accepted this revision.Jan 13 2015, 5:10 PM
jfb edited edge metadata.

r225910

This revision is now accepted and ready to land.Jan 13 2015, 5:10 PM
jfb closed this revision.Jan 13 2015, 5:11 PM