PING [Patch][Middle-end] Add -fzero-call-used-regs=[skip|used-gpr|all-gpr|used|all]

Qing Zhao QING.ZHAO@ORACLE.COM
Mon Aug 24 18:02:03 GMT 2020



> On Aug 24, 2020, at 12:49 PM, Segher Boessenkool <segher@kernel.crashing.org> wrote:
> 
> On Wed, Aug 19, 2020 at 06:27:45PM -0500, Qing Zhao wrote:
>>> On Aug 19, 2020, at 5:57 PM, Segher Boessenkool <segher@kernel.crashing.org> wrote:
>>> Numbers on how expensive this is (for what arch, in code size and in
>>> execution time) would be useful.  If it is so expensive that no one will
>>> use it, it helps security at most none at all :-(
> 
> Without numbers on this, no one can determine if it is a good tradeoff
> for them.  And we (the GCC people) cannot know if it will be useful for
> enough users that it will be worth the effort for us.  Which is why I
> keep hammering on this point.
I can collect some run-time overhead data on this. Do you have a recommendation on what test suite I can use
for this testing? (Is CPU2017 good enough?)

> 
> (The other side of the coin is how much this helps prevent exploitation;
> numbers on that would be good to see, too.)

This is shown well in the paper:

"Clean the Scratch Registers: A Way to Mitigate Return-Oriented Programming Attacks"

https://ieeexplore.ieee.org/document/8445132

Please take a look at this paper. 

> 
>>>>   So, from both run-time performance and code-size aspects, setting the
>>>> registers to zero is a better approach. 
>>> 
>>> From a security perspective, this isn't clear though.  But that is a lot
>>> of extra research ;-)
>> 
>> There has been quite some discussion on this topic at
>> 
>> https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html
>> 
>> From those old discussions, we can see that a zero value should be good enough for the security purpose (though it's not perfect).
> 
> And there has been zero proof or even any arguments from the security
> angle, only "anything other than 0 is too expensive", which isn't
> obviously true either (it isn't even cheaper than other small numbers,
> on many archs).
> 
> A large fraction of function arguments is zero in valid executions, so
> zeroing them out to try to prevent exploitation attempts might not help
> so much.

Please take a look at the paper:
"Clean the Scratch Registers: A Way to Mitigate Return-Oriented Programming Attacks"

https://ieeexplore.ieee.org/document/8445132

From the study, zeroing out the registers mitigates ROP very well.

Thanks.

Qing



> 
> 
> Segher
