This is an archive of the discontinued LLVM Phabricator instance.

Differential D44801

Add the -fsanitize=shadow-call-stack flag
ClosedPublic

Authored by vlad.tsyrklevich on Mar 22 2018, 12:46 PM.

Details

Reviewers
pcc
kcc
Commits
rGe55aa03ad460: Add the -fsanitize=shadow-call-stack flag
rC329122: Add the -fsanitize=shadow-call-stack flag
rL329122: Add the -fsanitize=shadow-call-stack flag
Summary

Add support for the -fsanitize=shadow-call-stack flag which causes clang
to add ShadowCallStack attribute to functions compiled with that flag
enabled.

Diff Detail

Event Timeline

vlad.tsyrklevich created this revision.Mar 22 2018, 12:46 PM
Harbormaster completed remote builds in B16361: Diff 139494.Mar 22 2018, 12:46 PM
Herald added a subscriber: cfe-commits. · View Herald TranscriptMar 22 2018, 12:46 PM
pcc accepted this revision.Mar 22 2018, 1:48 PM

LGTM

Please add a test for the driver functionality.

This revision is now accepted and ready to land.Mar 22 2018, 1:48 PM
vlad.tsyrklevich updated this revision to Diff 139554.Mar 22 2018, 8:51 PM
  • Add Driver tests
Harbormaster completed remote builds in B16374: Diff 139554.Mar 22 2018, 8:53 PM
kcc added a comment.Mar 22 2018, 9:50 PM

[didn't look at the code yet, just at the docs]

Please add a docs section describing how to handle leaf functions.
If they are not handled yet, no need to change the implementation in these pathches -- ok to do it later.

docs/ShadowCallStack.rst
15

prologue/epilogue?
(it's your native tongue, not mine, though)

21

Provide short comparison with RFG (more instructions, less memory, same racy attack)

39

link to wikipedia maybe?

42

... due to return branch predictor (or some such)

48

Say something about attacks that first try to discover the secret location of the shadow call stack.
side channels, thread spaying, whatever you have.

75

Please add a section that shows the assembly for the following example:

int foo() {
   return bar() + 1;
}
kcc added a comment.Mar 22 2018, 9:53 PM

please also add a short comparison with Intel CET.

vlad.tsyrklevich updated this revision to Diff 139652.Mar 23 2018, 2:09 PM
vlad.tsyrklevich marked 6 inline comments as done.
  • Address Kostya's documentation feedback
Harbormaster completed remote builds in B16400: Diff 139652.Mar 23 2018, 2:09 PM
kcc accepted this revision.Mar 27 2018, 5:14 PM

LGTM modulo prolog vs prlogue and epilog vs epilogue

https://en.wiktionary.org/wiki/epilog says these are alternative spellings, so up to you.

docs/ShadowCallStack.rst
15

PTAL

cryptoad added a subscriber: cryptoad.Mar 28 2018, 8:17 AM
vlad.tsyrklevich added inline comments.Mar 28 2018, 11:31 AM
docs/ShadowCallStack.rst
15

Forgot to submit this comment: It's used both ways across LLVM but I chose to go with this one just because that's how the PrologEpilogInserter pass wrote it.

vlad.tsyrklevich updated this revision to Diff 140868.Apr 3 2018, 3:29 PM
  • Small test, doc updates
Harbormaster completed remote builds in B16691: Diff 140868.Apr 3 2018, 3:29 PM
Closed by commit rL329122: Add the -fsanitize=shadow-call-stack flag (authored by vlad.tsyrklevich). · Explain WhyApr 3 2018, 3:39 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptApr 3 2018, 3:39 PM
MaskRay added a subscriber: MaskRay.May 27 2020, 10:31 AM
MaskRay added inline comments.
cfe/trunk/test/Driver/sanitizer-ld.c
563 ↗(On Diff #140869)

sanitizer-ld.c is for linker option tests. This merely checks incompatibility of compile flags and fsanitize.c may be more suitable.

Herald added a subscriber: arphaman. · View Herald TranscriptMay 27 2020, 10:31 AM

Revision Contents

PathSize
docs/
74 lines
1 line
include/
clang/
Basic/
3 lines
lib/
CodeGen/
4 lines
2 lines
Driver/
5 lines
2 lines
Lex/
2 lines
test/
CodeGen/
12 lines

Diff 139494

docs/ShadowCallStack.rst

  • This file was added.
===============
ShadowCallStack
===============
.. contents::
:local:
Introduction
============
ShadowCallStack is an experimental instrumentation pass, currently only
implemented for x86_64, that protects programs against attacks based on stack
buffer overflows. It works by saving a function's return address to a
separately allocated 'shadow call stack' in the function prolog and checking the
return address on the stack against the shadow call stack in the function
kccUnsubmitted
Done
ReplyInline Actions

prologue/epilogue?
(it's your native tongue, not mine, though)

kcc: prologue/epilogue? (it's your native tongue, not mine, though)
kccUnsubmitted
Not Done
ReplyInline Actions

PTAL

kcc: PTAL
vlad.tsyrklevichAuthorUnsubmitted
Not Done
ReplyInline Actions

Forgot to submit this comment: It's used both ways across LLVM but I chose to go with this one just because that's how the PrologEpilogInserter pass wrote it.

vlad.tsyrklevich: Forgot to submit this comment: It's used both ways across LLVM but I chose to go with this one…
epilog. To optimize for memory consumption and cache locality, the shadow call
stack stores an index followed by an array of return addresses. This is in
contrast to other schemes, like :doc:`SafeStack`, that mirror the entire stack
and trade-off consuming more memory for shorter function prologs and epilogs
with fewer memory accesses.
kccUnsubmitted
Done
ReplyInline Actions

Provide short comparison with RFG (more instructions, less memory, same racy attack)

kcc: Provide short comparison with RFG (more instructions, less memory, same racy attack)
Compatibility
-------------
ShadowCallStack currently only supports x86_64. A runtime is not currently
provided in compiler-rt so one must be provided by the compiled application.
Security
--------
ShadowCallStack is intended to be a stronger alternative to `-fstack-protector`.
It protects from non-linear overflows and arbitrary memory writes to the return
address slot; however, similarly to `-fstack-protector` this protection suffers
from race conditions because of the call-return semantics on x86_64. There is a
short race between the call instruction and the first instruction in the
function that reads the return address where an attacker could overwrite the
return address and bypass ShadowCallStack. Similarly, there is a time-of-check-
to-time-of-use race in the function prolog where an attacker could overwrite the
return address after it has been checked and before it has been returned to.
kccUnsubmitted
Done
ReplyInline Actions

link to wikipedia maybe?

kcc: link to wikipedia maybe?
Modifying the call-return semantics to fix this on x86_64 would incur an
unacceptable performance overhead.
kccUnsubmitted
Done
ReplyInline Actions

... due to return branch predictor (or some such)

kcc: ... due to return branch predictor (or some such)
The instrumentation makes use of the `gs` segment register to reference the
shadow call stack. This means that references to the shadow call stack do not
have to be written to memory and attackers that can read arbitrary memory can
not easily leak its address.
Usage
kccUnsubmitted
Done
ReplyInline Actions

Say something about attacks that first try to discover the secret location of the shadow call stack.
side channels, thread spaying, whatever you have.

kcc: Say something about attacks that first try to discover the secret location of the shadow call…
=====
To enable ShadowCallStack, just pass ``-fsanitize=shadow-call-stack`` flag to
both compile and link command lines.
``__has_feature(shadow_call_stack)``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In some cases one may need to execute different code depending on whether
ShadowCallStack is enabled. The macro ``__has_feature(shadow_call_stack)`` can
be used for this purpose.
.. code-block:: c
#if defined(__has_feature)
# if __has_feature(shadow_call_stack)
// code that builds only under ShadowCallStack
# endif
#endif
``__attribute__((no_sanitize("shadow-call-stack")))``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use ``__attribute__((no_sanitize("shadow-call-stack")))`` on a function
declaration to specify that the shadow call stack instrumentation should not be
applied to that function, even if enabled globally.
kccUnsubmitted
Done
ReplyInline Actions

Please add a section that shows the assembly for the following example:

int foo() {
   return bar() + 1;
}
kcc: Please add a section that shows the assembly for the following example: int foo() {…

docs/index.rst

Show All 30 Lines.. toctree::
DataFlowSanitizer DataFlowSanitizer
LeakSanitizer LeakSanitizer
SanitizerCoverage SanitizerCoverage
SanitizerStats SanitizerStats
SanitizerSpecialCaseList SanitizerSpecialCaseList
ControlFlowIntegrity ControlFlowIntegrity
LTOVisibility LTOVisibility
SafeStack SafeStack
ShadowCallStack
SourceBasedCodeCoverage SourceBasedCodeCoverage
Modules Modules
MSVCCompatibility MSVCCompatibility
OpenMPSupport OpenMPSupport
ThinLTO ThinLTO
CommandGuide/index CommandGuide/index
FAQ FAQ
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 104 Lines▼ Show 20 Lines
SANITIZER("cfi-vcall", CFIVCall) SANITIZER("cfi-vcall", CFIVCall)
SANITIZER_GROUP("cfi", CFI, SANITIZER_GROUP("cfi", CFI,
CFIDerivedCast | CFIICall | CFIUnrelatedCast | CFINVCall | CFIDerivedCast | CFIICall | CFIUnrelatedCast | CFINVCall |
CFIVCall) CFIVCall)
// Safe Stack // Safe Stack
SANITIZER("safe-stack", SafeStack) SANITIZER("safe-stack", SafeStack)
// Shadow Call Stack
SANITIZER("shadow-call-stack", ShadowCallStack)
// -fsanitize=undefined includes all the sanitizers which have low overhead, no // -fsanitize=undefined includes all the sanitizers which have low overhead, no
// ABI or address space layout implications, and only catch undefined behavior. // ABI or address space layout implications, and only catch undefined behavior.
SANITIZER_GROUP("undefined", Undefined, SANITIZER_GROUP("undefined", Undefined,
Alignment | Bool | Builtin | ArrayBounds | Enum | Alignment | Bool | Builtin | ArrayBounds | Enum |
FloatCastOverflow | FloatDivideByZero | FloatCastOverflow | FloatDivideByZero |
IntegerDivideByZero | NonnullAttribute | Null | ObjectSize | IntegerDivideByZero | NonnullAttribute | Null | ObjectSize |
PointerOverflow | Return | ReturnsNonnullAttribute | Shift | PointerOverflow | Return | ReturnsNonnullAttribute | Shift |
SignedIntegerOverflow | Unreachable | VLABound | Function | SignedIntegerOverflow | Unreachable | VLABound | Function |
Show All 28 Lines

lib/CodeGen/CGDeclCXX.cpp

Show First 20 LinesShow All 337 Lines▼ Show 20 Linesllvm::Function *CodeGenModule::CreateGlobalInitOrDestructFunction(
if (getLangOpts().Sanitize.has(SanitizerKind::Memory) && if (getLangOpts().Sanitize.has(SanitizerKind::Memory) &&
!isInSanitizerBlacklist(SanitizerKind::Memory, Fn, Loc)) !isInSanitizerBlacklist(SanitizerKind::Memory, Fn, Loc))
Fn->addFnAttr(llvm::Attribute::SanitizeMemory); Fn->addFnAttr(llvm::Attribute::SanitizeMemory);
if (getLangOpts().Sanitize.has(SanitizerKind::SafeStack) && if (getLangOpts().Sanitize.has(SanitizerKind::SafeStack) &&
!isInSanitizerBlacklist(SanitizerKind::SafeStack, Fn, Loc)) !isInSanitizerBlacklist(SanitizerKind::SafeStack, Fn, Loc))
Fn->addFnAttr(llvm::Attribute::SafeStack); Fn->addFnAttr(llvm::Attribute::SafeStack);
if (getLangOpts().Sanitize.has(SanitizerKind::ShadowCallStack) &&
!isInSanitizerBlacklist(SanitizerKind::ShadowCallStack, Fn, Loc))
Fn->addFnAttr(llvm::Attribute::ShadowCallStack);
return Fn; return Fn;
} }
/// Create a global pointer to a function that will initialize a global /// Create a global pointer to a function that will initialize a global
/// variable. The user has requested that this pointer be emitted in a specific /// variable. The user has requested that this pointer be emitted in a specific
/// section. /// section.
void CodeGenModule::EmitPointerToInitFunc(const VarDecl *D, void CodeGenModule::EmitPointerToInitFunc(const VarDecl *D,
llvm::GlobalVariable *GV, llvm::GlobalVariable *GV,
▲ Show 20 LinesShow All 322 LinesShow Last 20 Lines

lib/CodeGen/CodeGenFunction.cpp

Show First 20 LinesShow All 855 Lines▼ Show 20 Lines#undef SANITIZER
if (SanOpts.hasOneOf(SanitizerKind::HWAddress)) if (SanOpts.hasOneOf(SanitizerKind::HWAddress))
Fn->addFnAttr(llvm::Attribute::SanitizeHWAddress); Fn->addFnAttr(llvm::Attribute::SanitizeHWAddress);
if (SanOpts.has(SanitizerKind::Thread)) if (SanOpts.has(SanitizerKind::Thread))
Fn->addFnAttr(llvm::Attribute::SanitizeThread); Fn->addFnAttr(llvm::Attribute::SanitizeThread);
if (SanOpts.has(SanitizerKind::Memory)) if (SanOpts.has(SanitizerKind::Memory))
Fn->addFnAttr(llvm::Attribute::SanitizeMemory); Fn->addFnAttr(llvm::Attribute::SanitizeMemory);
if (SanOpts.has(SanitizerKind::SafeStack)) if (SanOpts.has(SanitizerKind::SafeStack))
Fn->addFnAttr(llvm::Attribute::SafeStack); Fn->addFnAttr(llvm::Attribute::SafeStack);
if (SanOpts.has(SanitizerKind::ShadowCallStack))
Fn->addFnAttr(llvm::Attribute::ShadowCallStack);
// Ignore TSan memory acesses from within ObjC/ObjC++ dealloc, initialize, // Ignore TSan memory acesses from within ObjC/ObjC++ dealloc, initialize,
// .cxx_destruct, __destroy_helper_block_ and all of their calees at run time. // .cxx_destruct, __destroy_helper_block_ and all of their calees at run time.
if (SanOpts.has(SanitizerKind::Thread)) { if (SanOpts.has(SanitizerKind::Thread)) {
if (const auto *OMD = dyn_cast_or_null<ObjCMethodDecl>(D)) { if (const auto *OMD = dyn_cast_or_null<ObjCMethodDecl>(D)) {
IdentifierInfo *II = OMD->getSelector().getIdentifierInfoForSlot(0); IdentifierInfo *II = OMD->getSelector().getIdentifierInfoForSlot(0);
if (OMD->getMethodFamily() == OMF_dealloc || if (OMD->getMethodFamily() == OMF_dealloc ||
OMD->getMethodFamily() == OMF_initialize || OMD->getMethodFamily() == OMF_initialize ||
▲ Show 20 LinesShow All 1,515 LinesShow Last 20 Lines

lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 337 Lines▼ Show 20 Lines std::pair<SanitizerMask, SanitizerMask> IncompatibleGroups[] = {
std::make_pair(Leak, Thread | Memory), std::make_pair(Leak, Thread | Memory),
std::make_pair(KernelAddress, Address | Leak | Thread | Memory), std::make_pair(KernelAddress, Address | Leak | Thread | Memory),
std::make_pair(HWAddress, Address | Thread | Memory | KernelAddress), std::make_pair(HWAddress, Address | Thread | Memory | KernelAddress),
std::make_pair(Efficiency, Address | HWAddress | Leak | Thread | Memory | std::make_pair(Efficiency, Address | HWAddress | Leak | Thread | Memory |
KernelAddress), KernelAddress),
std::make_pair(Scudo, Address | HWAddress | Leak | Thread | Memory | std::make_pair(Scudo, Address | HWAddress | Leak | Thread | Memory |
KernelAddress | Efficiency), KernelAddress | Efficiency),
std::make_pair(SafeStack, Address | HWAddress | Leak | Thread | Memory | std::make_pair(SafeStack, Address | HWAddress | Leak | Thread | Memory |
KernelAddress | Efficiency)}; KernelAddress | Efficiency),
std::make_pair(ShadowCallStack, Address | HWAddress | Leak | Thread |
Memory | KernelAddress | Efficiency |
SafeStack)};
// Enable toolchain specific default sanitizers if not explicitly disabled. // Enable toolchain specific default sanitizers if not explicitly disabled.
SanitizerMask Default = TC.getDefaultSanitizers() & ~AllRemove; SanitizerMask Default = TC.getDefaultSanitizers() & ~AllRemove;
// Disable default sanitizers that are incompatible with explicitly requested // Disable default sanitizers that are incompatible with explicitly requested
// ones. // ones.
for (auto G : IncompatibleGroups) { for (auto G : IncompatibleGroups) {
SanitizerMask Group = G.first; SanitizerMask Group = G.first;
▲ Show 20 LinesShow All 612 LinesShow Last 20 Lines

lib/Driver/ToolChain.cpp

Show First 20 LinesShow All 808 Lines▼ Show 20 Lines SanitizerMask Res = (Undefined & ~Vptr & ~Function) | (CFI & ~CFIICall) |
LocalBounds; LocalBounds;
if (getTriple().getArch() == llvm::Triple::x86 || if (getTriple().getArch() == llvm::Triple::x86 ||
getTriple().getArch() == llvm::Triple::x86_64 || getTriple().getArch() == llvm::Triple::x86_64 ||
getTriple().getArch() == llvm::Triple::arm || getTriple().getArch() == llvm::Triple::arm ||
getTriple().getArch() == llvm::Triple::aarch64 || getTriple().getArch() == llvm::Triple::aarch64 ||
getTriple().getArch() == llvm::Triple::wasm32 || getTriple().getArch() == llvm::Triple::wasm32 ||
getTriple().getArch() == llvm::Triple::wasm64) getTriple().getArch() == llvm::Triple::wasm64)
Res |= CFIICall; Res |= CFIICall;
if (getTriple().getArch() == llvm::Triple::x86_64)
Res |= ShadowCallStack;
return Res; return Res;
} }
void ToolChain::AddCudaIncludeArgs(const ArgList &DriverArgs, void ToolChain::AddCudaIncludeArgs(const ArgList &DriverArgs,
ArgStringList &CC1Args) const {} ArgStringList &CC1Args) const {}
void ToolChain::AddIAMCUIncludeArgs(const ArgList &DriverArgs, void ToolChain::AddIAMCUIncludeArgs(const ArgList &DriverArgs,
ArgStringList &CC1Args) const {} ArgStringList &CC1Args) const {}
▲ Show 20 LinesShow All 121 LinesShow Last 20 Lines

lib/Lex/PPMacroExpansion.cpp

Show First 20 LinesShow All 1,269 Lines▼ Show 20 Lines return llvm::StringSwitch<bool>(Feature)
.Case("is_sealed", LangOpts.CPlusPlus && LangOpts.MicrosoftExt) .Case("is_sealed", LangOpts.CPlusPlus && LangOpts.MicrosoftExt)
.Case("is_trivial", LangOpts.CPlusPlus) .Case("is_trivial", LangOpts.CPlusPlus)
.Case("is_trivially_assignable", LangOpts.CPlusPlus) .Case("is_trivially_assignable", LangOpts.CPlusPlus)
.Case("is_trivially_constructible", LangOpts.CPlusPlus) .Case("is_trivially_constructible", LangOpts.CPlusPlus)
.Case("is_trivially_copyable", LangOpts.CPlusPlus) .Case("is_trivially_copyable", LangOpts.CPlusPlus)
.Case("is_union", LangOpts.CPlusPlus) .Case("is_union", LangOpts.CPlusPlus)
.Case("modules", LangOpts.Modules) .Case("modules", LangOpts.Modules)
.Case("safe_stack", LangOpts.Sanitize.has(SanitizerKind::SafeStack)) .Case("safe_stack", LangOpts.Sanitize.has(SanitizerKind::SafeStack))
.Case("shadow_call_stack",
LangOpts.Sanitize.has(SanitizerKind::ShadowCallStack))
.Case("tls", PP.getTargetInfo().isTLSSupported()) .Case("tls", PP.getTargetInfo().isTLSSupported())
.Case("underlying_type", LangOpts.CPlusPlus) .Case("underlying_type", LangOpts.CPlusPlus)
.Default(false); .Default(false);
} }
/// HasExtension - Return true if we recognize and implement the feature /// HasExtension - Return true if we recognize and implement the feature
/// specified by the identifier, either as an extension or a standard language /// specified by the identifier, either as an extension or a standard language
/// feature. /// feature.
▲ Show 20 LinesShow All 733 LinesShow Last 20 Lines

test/CodeGen/shadowcallstack-attr.c

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-linux-unknown -emit-llvm -o - %s -fsanitize=shadow-call-stack | FileCheck %s
__attribute__((no_sanitize("shadow-call-stack")))
int foo(int *a) { return *a; }
int bar(int *a) { return *a; }
// CHECK: define i32 @foo(i32* %a) #[[FOO_ATTR:[0-9]+]] {
// CHECK: define i32 @bar(i32* %a) #[[BAR_ATTR:[0-9]+]] {
// CHECK-NOT: attributes #[[FOO_ATTR]] = { {{.*}}shadowcallstack{{.*}} }
// CHECK: attributes #[[BAR_ATTR]] = { {{.*}}shadowcallstack{{.*}} }