PING [Patch][Middle-end]Add -fzero-call-used-regs=[skip|used-gpr|all-gpr|used|all]

Segher Boessenkool segher@kernel.crashing.org
Mon Aug 24 17:49:29 GMT 2020


On Wed, Aug 19, 2020 at 06:27:45PM -0500, Qing Zhao wrote:
> > On Aug 19, 2020, at 5:57 PM, Segher Boessenkool <segher@kernel.crashing.org> wrote:
> > Numbers on how expensive this is (for what arch, in code size and in
> > execution time) would be useful.  If it is so expensive that no one will
> > use it, it helps security at most none at all :-(

Without numbers on this, no one can determine if it is a good tradeoff
for them.  And we (the GCC people) cannot know if it will be useful for
enough users that it will be worth the effort for us.  Which is why I
keep hammering on this point.

(The other side of the coin is how much this helps prevent exploitation;
numbers on that would be good to see, too.)

> >>    So, from both run-time performance and code-size aspects, setting the
> >> registers to zero is a better approach. 
> > 
> > From a security perspective, this isn't clear though.  But that is a lot
> > of extra research ;-)
> 
> There has been quite some discussion on this topic at
> 
> https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html
> 
> From those old discussions, we can see that zero value should be good enough for the security purpose (though it's not perfect).

And there has been zero proof or even any arguments from the security
angle, only "anything other than 0 is too expensive", which isn't
obviously true either (it isn't even cheaper than other small numbers,
on many archs).

A large fraction of function arguments is zero in valid executions, so
zeroing them out to try to prevent exploitation attempts might not help
so much.


Segher