PING [Patch][Middle-end]Add -fzero-call-used-regs=[skip|used-gpr|all-gpr|used|all]
Kees Cook
keescook@chromium.org
Thu Sep 10 19:07:00 GMT 2020
[tried to clean up quoting...]
On Tue, Sep 08, 2020 at 10:00:09AM -0500, Qing Zhao wrote:
>
> > On Sep 7, 2020, at 8:06 AM, Rodriguez Bahena, Victor <victor.rodriguez.bahena@intel.com> wrote:
> >
> >>> On Thu, Sep 03, 2020 at 09:29:54AM -0500, Qing Zhao wrote:
> >>> So, my question is:
> >>>
> >>> From the security point of view, does clearing ALL registers have more benefit than clearing USED registers?
> >>> From my understanding, clearing registers that are not used in the current routine does NOT provide additional benefit, correct me if I am wrong here.
> >
> > You are right, it does not provide additional security
>
> Then, is it necessary to provide
>
> -fzero-call-used-regs=all-arg|all-gpr|all to the user?
>
> Can we just delete these 3 sub options?
Well... I'd say there is some benefit (remember that ROP gadgets are
built from function trailers, so there is rarely a concern over what the
rest of the function is doing). Generally, they are chained together
based on just the last couple instructions:
*useful action*
*ret*
So with ...=used this turns into:
*useful action*
*clear some registers*
*ret*
Which may still be helpful (if, for example, the state being built by
the attacker is using registers _not_ in the cleared list). However:
*useful action*
*clear all registers*
*ret*
Means that suddenly the ROP chain cannot use *any* of the caller-saved
registers to hold state.
So, while ...=used is likely going to block a lot, ...=all will block
even more. I'd prefer to have both available, if for no other reason
than to compare the ROP gadget availability for any given binary (e.g.
if some future attack is found that bypasses ...=used, does it also
bypass ...=all?)
--
Kees Cook
More information about the Gcc-patches
mailing list