This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] Vtable pointer verification (corruption/attach detection -- new feature

From: Caroline Tice <cmtice at google dot com>
To: gcc-patches at gcc dot gnu dot org
Date: Thu, 1 Nov 2012 13:07:22 -0700
Subject: [PATCH] Vtable pointer verification (corruption/attach detection -- new feature

We have been developing a new security hardening feature for GCC that
is designed to detect and handle (during program execution) when a
vtable pointer that is about to be used for a virtual function call is
not a valid vtable pointer for that call (i.e. it has become
corrupted, possibly due to a  hacker attack).  We gave a presentation
on this work at the Gnu Tools Cauldron in Prague last July.  We now
have the implementation fully working and are submitting this patch
for review.  We would like to get this into the next release of GCC if
possible.

The general idea is to collect class hierarchy and vtable pointer data
while parsing the classes, then use this data to generate (at runtime)
sets of valid vtable pointers, one for each class.  We also find every
virtual function call and insert a verification call before the
virtual function call.  The verification call takes the set of valid
vtable pointers for the declared class of the object, and the actual
vtable pointer in the object.  If the vtable pointer in the object is
in the set of valid vtable pointers for the object, then verification
succeeds and the virtual call is allowed.  Otherwise verification
fails and the program aborts.

We have a written a more detailed design document, which I am also
attaching to this email (GCCVtableSecurityHardeningProposal.txt).

The implementation can be divided into roughly two parts:
modifications to the main gcc compiler, for things that happen at
compile time (collecting the class hierarchy & vtable information;
generating the runtime calls to build the data sets from this data;
inserting calls to the verification function); and modifications to
the runtime, i.e. functions that go into libstdc++ for building the
data sets, for doing the verification against the data sets, for
protecting the memory where the data sets reside, etc.).

Please let me know if there is any more information you need, or if
you have any questions about this patch.

-- Caroline Tice
cmtice@google.com

libstdc++/ChangeLog

2012-11-01  Caroline Tice  <cmtice@google.com>

        * src/Makefile.am: Add libvtv___la_LIBDD definition; update CXXLINK
        to search in libvtv___la_LIBADD and to link in libvtv_init.
        * src/Makefile.in: Regenerate.
        * libsupc++/Makefile.am: Add libvtv_init.la and libvtv_stubs.la to
        toolexeclib_LTLIBRARIES.  Add vtv_rts.cc, vtv_malloc.cc and
        vtv_utils.cc to sources.  Define vtv_init_sources and
        vtv_stubs_sources.  Also define libvtv_init_la_SOURCES and
        libvtv_stubs_la_sources.
        * libsupc++/Makefile.in: Regenerate.
        * libsupc++/vtv_rts.cc: New file.
        * libsupc++/vtv_malloc.h: New file.
        * libsupc++/vtv_rts.h: New file.
        * libsupc++/vtv_fail.h: New file.
        * libsupc++/vtv_set.h: New file.
        * libsupc++/vtv_stubs.cc: New file.
        * libsupc++/vtv_utils.cc: New file.
        * libcupc++/vtv_utils.h: New file.
        * libsupc++/vtv_init.cc: New file.
        * libsupc++/vtv_malloc.cc: New file.
        * config/abi/pre/gnu.ver (GLIBCXX_3.4.18): Add vtable verification
        functions and vtable map variables to library export list.

gcc/ChangeLog:

2012-11-01  Caroline Tice  <cmtice@google.com>

        * tree.h (save_vtable_map_decl): New function decl.
        * tree-pass.h (pass_vtable_verify): New pass declaration.
        * cp/init.c (build_vtbl_address): Remove 'static' qualifier from
        function declaration and definition.
        * cp/class.c (finish_struct_1):  Add call to vtv_save_class_info,
        if the vtable verify flag is set.
        * cp/Make-lang.in: Add vtable-class-hierarchy.o to list of object
        files.  Add definition for building vtable-class-hierarchy.o.
        * cp/pt.c (mark_class_instantiated):  Add call to vtv_save_class_info
        if the vtable verify flag is set.
        * cp/decl2 (start_objects): Remove 'static' qualifier from function
        declaratin and definition.  Add new paramater, 'extra_name'.  Change
        'type' var from char array to char *.  Call xmalloc & free for 'type'.
        Add 'extra_name' to 'type' string.
        (finish_objects): Remove 'static' qualifier from function declaration
        and definition. Change return type from void to tree.  Make function
        return early if we're doing vtable verification and the function is
        a vtable verification constructor init function.  Make this function
        return 'fn'.
        (generate_ctor_or_dtor_function):  Add third argument to calls to
        start_objects.
        (cp_write_global_declarations):  Add calls to vtv_recover_class_info,
        vtv_compute_class_hierarchy_transitive_closure, and
        vtv_generate_init_routine, if the vtable verify flag is set.
        * cp/config-lang.in (gtfiles): Add vtable-class-hierarchy.c to the
        list of gtfiles.
        * cp/vtable-class-hierarchy.c: New file.
        * cp/mangle.c (get_mangled_id): Remove static qualifier from function
        definition.
        * cp/cp-tree.h:  Add extern function declarations for start_objects,
        finish_objects, build_vtbl_address, get_mangled_id,
        vtv_compute_class_hierarchy_transitive_closure,
        vtv_generate_init_routine, vtv_save_class_info and
        vtv_recover_class_info.
        * timevar.def: Add TV_VTABLE_VERIFICATION.
        * flag-types.h: Add enum vtv_priority defintion.
        * tree-vtable-verify.c: New file.
        * tree-vtable-verify.h: New file.
        * common.opt:  Add definitions for fvtable-verify= and its string
        options (vtv_priority enum values).
        * varasm.c (assemble_variable):  Check to see if the variable is a
        vtable map variable, and if so, put it into the vtable map variable
        section, and make it comdat.
        (assemble_vtv_preinit_initializer): New function, to put the
        vtable verification constructor initialization function in the preinit
        array, if appropriate.
        * output.h: Add extern declaration for
        assemble_vtv_preinit_initializer.
        * Makefile.in: Add tree-vtable-verify.o to list of OBJS.  Add build
        rule for tree-vtable-verify.o Add tre-vtable-verify.c to list of source
        files.
        * passes.c (init_optimization_passes): Add pass_vtable_verify.

Attachment: GCCVtableSecurityHardeningProposal.txt
Description: Text document

Attachment: fsf-vtable-verification.patch
Description: Binary data

Follow-Ups:
- Re: [PATCH] Vtable pointer verification (corruption/attach detection -- new feature
  - From: Xinliang David Li

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]