Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
//===-- SafeStack.cpp - Safe Stack Insertion ------------------------------===//
|
|
|
|
//
|
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
//
|
|
|
|
// This pass splits the stack into the safe stack (kept as-is for LLVM backend)
|
|
|
|
// and the unsafe stack (explicitly allocated and managed through the runtime
|
|
|
|
// support library).
|
|
|
|
//
|
|
|
|
// http://clang.llvm.org/docs/SafeStack.html
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
#include "llvm/Transforms/Instrumentation.h"
|
|
|
|
#include "llvm/ADT/Statistic.h"
|
|
|
|
#include "llvm/ADT/Triple.h"
|
|
|
|
#include "llvm/Analysis/AliasAnalysis.h"
|
2015-09-23 18:07:56 +00:00
|
|
|
#include "llvm/CodeGen/Passes.h"
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
#include "llvm/IR/Constants.h"
|
|
|
|
#include "llvm/IR/DataLayout.h"
|
|
|
|
#include "llvm/IR/DerivedTypes.h"
|
|
|
|
#include "llvm/IR/DIBuilder.h"
|
|
|
|
#include "llvm/IR/Function.h"
|
|
|
|
#include "llvm/IR/InstIterator.h"
|
|
|
|
#include "llvm/IR/Instructions.h"
|
|
|
|
#include "llvm/IR/IntrinsicInst.h"
|
|
|
|
#include "llvm/IR/Intrinsics.h"
|
|
|
|
#include "llvm/IR/IRBuilder.h"
|
|
|
|
#include "llvm/IR/Module.h"
|
|
|
|
#include "llvm/Pass.h"
|
|
|
|
#include "llvm/Support/CommandLine.h"
|
|
|
|
#include "llvm/Support/Debug.h"
|
|
|
|
#include "llvm/Support/Format.h"
|
|
|
|
#include "llvm/Support/MathExtras.h"
|
|
|
|
#include "llvm/Support/raw_os_ostream.h"
|
2015-09-23 18:07:56 +00:00
|
|
|
#include "llvm/Target/TargetLowering.h"
|
|
|
|
#include "llvm/Target/TargetSubtargetInfo.h"
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
#include "llvm/Transforms/Utils/Local.h"
|
|
|
|
#include "llvm/Transforms/Utils/ModuleUtils.h"
|
|
|
|
|
|
|
|
using namespace llvm;
|
|
|
|
|
|
|
|
#define DEBUG_TYPE "safestack"
|
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
static const char *const kUnsafeStackPtrVar = "__safestack_unsafe_stack_ptr";
|
|
|
|
static const char *const kUnsafeStackPtrAddrFn = "__safestack_pointer_address";
|
|
|
|
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
namespace llvm {
|
|
|
|
|
|
|
|
STATISTIC(NumFunctions, "Total number of functions");
|
|
|
|
STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");
|
|
|
|
STATISTIC(NumUnsafeStackRestorePointsFunctions,
|
|
|
|
"Number of functions that use setjmp or exceptions");
|
|
|
|
|
|
|
|
STATISTIC(NumAllocas, "Total number of allocas");
|
|
|
|
STATISTIC(NumUnsafeStaticAllocas, "Number of unsafe static allocas");
|
|
|
|
STATISTIC(NumUnsafeDynamicAllocas, "Number of unsafe dynamic allocas");
|
|
|
|
STATISTIC(NumUnsafeStackRestorePoints, "Number of setjmps and landingpads");
|
|
|
|
|
|
|
|
} // namespace llvm
|
|
|
|
|
|
|
|
namespace {
|
|
|
|
|
|
|
|
/// Check whether a given alloca instruction (AI) should be put on the safe
|
|
|
|
/// stack or not. The function analyzes all uses of AI and checks whether it is
|
|
|
|
/// only accessed in a memory safe way (as decided statically).
|
|
|
|
bool IsSafeStackAlloca(const AllocaInst *AI) {
|
|
|
|
// Go through all uses of this alloca and check whether all accesses to the
|
|
|
|
// allocated object are statically known to be memory safe and, hence, the
|
|
|
|
// object can be placed on the safe stack.
|
|
|
|
|
|
|
|
SmallPtrSet<const Value *, 16> Visited;
|
|
|
|
SmallVector<const Instruction *, 8> WorkList;
|
|
|
|
WorkList.push_back(AI);
|
|
|
|
|
|
|
|
// A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
|
|
|
|
while (!WorkList.empty()) {
|
|
|
|
const Instruction *V = WorkList.pop_back_val();
|
|
|
|
for (const Use &UI : V->uses()) {
|
|
|
|
auto I = cast<const Instruction>(UI.getUser());
|
|
|
|
assert(V == UI.get());
|
|
|
|
|
|
|
|
switch (I->getOpcode()) {
|
|
|
|
case Instruction::Load:
|
|
|
|
// Loading from a pointer is safe.
|
|
|
|
break;
|
|
|
|
case Instruction::VAArg:
|
|
|
|
// "va-arg" from a pointer is safe.
|
|
|
|
break;
|
|
|
|
case Instruction::Store:
|
|
|
|
if (V == I->getOperand(0))
|
|
|
|
// Stored the pointer - conservatively assume it may be unsafe.
|
|
|
|
return false;
|
|
|
|
// Storing to the pointee is safe.
|
|
|
|
break;
|
|
|
|
|
|
|
|
case Instruction::GetElementPtr:
|
|
|
|
if (!cast<const GetElementPtrInst>(I)->hasAllConstantIndices())
|
|
|
|
// GEP with non-constant indices can lead to memory errors.
|
|
|
|
// This also applies to inbounds GEPs, as the inbounds attribute
|
|
|
|
// represents an assumption that the address is in bounds, rather than
|
|
|
|
// an assertion that it is.
|
|
|
|
return false;
|
|
|
|
|
|
|
|
// We assume that GEP on static alloca with constant indices is safe,
|
|
|
|
// otherwise a compiler would detect it and warn during compilation.
|
|
|
|
|
|
|
|
if (!isa<const ConstantInt>(AI->getArraySize()))
|
|
|
|
// However, if the array size itself is not constant, the access
|
|
|
|
// might still be unsafe at runtime.
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* fallthrough */
|
|
|
|
|
|
|
|
case Instruction::BitCast:
|
|
|
|
case Instruction::IntToPtr:
|
|
|
|
case Instruction::PHI:
|
|
|
|
case Instruction::PtrToInt:
|
|
|
|
case Instruction::Select:
|
|
|
|
// The object can be safe or not, depending on how the result of the
|
|
|
|
// instruction is used.
|
|
|
|
if (Visited.insert(I).second)
|
|
|
|
WorkList.push_back(cast<const Instruction>(I));
|
|
|
|
break;
|
|
|
|
|
|
|
|
case Instruction::Call:
|
|
|
|
case Instruction::Invoke: {
|
|
|
|
// FIXME: add support for memset and memcpy intrinsics.
|
|
|
|
ImmutableCallSite CS(I);
|
|
|
|
|
|
|
|
// LLVM 'nocapture' attribute is only set for arguments whose address
|
|
|
|
// is not stored, passed around, or used in any other non-trivial way.
|
|
|
|
// We assume that passing a pointer to an object as a 'nocapture'
|
|
|
|
// argument is safe.
|
|
|
|
// FIXME: a more precise solution would require an interprocedural
|
|
|
|
// analysis here, which would look at all uses of an argument inside
|
|
|
|
// the function being called.
|
|
|
|
ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();
|
|
|
|
for (ImmutableCallSite::arg_iterator A = B; A != E; ++A)
|
|
|
|
if (A->get() == V && !CS.doesNotCapture(A - B))
|
|
|
|
// The parameter is not marked 'nocapture' - unsafe.
|
|
|
|
return false;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
// The object is unsafe if it is used in any other way.
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// All uses of the alloca are safe, we can place it on the safe stack.
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/// The SafeStack pass splits the stack of each function into the
|
|
|
|
/// safe stack, which is only accessed through memory safe dereferences
|
|
|
|
/// (as determined statically), and the unsafe stack, which contains all
|
|
|
|
/// local variables that are accessed in unsafe ways.
|
|
|
|
class SafeStack : public FunctionPass {
|
2015-09-23 18:07:56 +00:00
|
|
|
const TargetMachine *TM;
|
|
|
|
const TargetLoweringBase *TLI;
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
const DataLayout *DL;
|
|
|
|
|
|
|
|
Type *StackPtrTy;
|
|
|
|
Type *IntPtrTy;
|
|
|
|
Type *Int32Ty;
|
|
|
|
Type *Int8Ty;
|
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
Value *UnsafeStackPtr = nullptr;
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
|
|
|
/// Unsafe stack alignment. Each stack frame must ensure that the stack is
|
|
|
|
/// aligned to this value. We need to re-align the unsafe stack if the
|
|
|
|
/// alignment of any object on the stack exceeds this value.
|
|
|
|
///
|
|
|
|
/// 16 seems like a reasonable upper bound on the alignment of objects that we
|
|
|
|
/// might expect to appear on the stack on most common targets.
|
|
|
|
enum { StackAlignment = 16 };
|
|
|
|
|
|
|
|
/// \brief Build a constant representing a pointer to the unsafe stack
|
|
|
|
/// pointer.
|
2015-09-23 18:07:56 +00:00
|
|
|
Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
|
|
|
/// \brief Find all static allocas, dynamic allocas, return instructions and
|
|
|
|
/// stack restore points (exception unwind blocks and setjmp calls) in the
|
|
|
|
/// given function and append them to the respective vectors.
|
|
|
|
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
|
|
|
|
SmallVectorImpl<AllocaInst *> &DynamicAllocas,
|
|
|
|
SmallVectorImpl<ReturnInst *> &Returns,
|
|
|
|
SmallVectorImpl<Instruction *> &StackRestorePoints);
|
|
|
|
|
|
|
|
/// \brief Allocate space for all static allocas in \p StaticAllocas,
|
|
|
|
/// replace allocas with pointers into the unsafe stack and generate code to
|
|
|
|
/// restore the stack pointer before all return instructions in \p Returns.
|
|
|
|
///
|
|
|
|
/// \returns A pointer to the top of the unsafe stack after all unsafe static
|
|
|
|
/// allocas are allocated.
|
2015-09-23 18:07:56 +00:00
|
|
|
Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
ArrayRef<AllocaInst *> StaticAllocas,
|
|
|
|
ArrayRef<ReturnInst *> Returns);
|
|
|
|
|
|
|
|
/// \brief Generate code to restore the stack after all stack restore points
|
|
|
|
/// in \p StackRestorePoints.
|
|
|
|
///
|
|
|
|
/// \returns A local variable in which to maintain the dynamic top of the
|
|
|
|
/// unsafe stack if needed.
|
|
|
|
AllocaInst *
|
2015-09-24 01:23:51 +00:00
|
|
|
createStackRestorePoints(IRBuilder<> &IRB, Function &F,
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
ArrayRef<Instruction *> StackRestorePoints,
|
|
|
|
Value *StaticTop, bool NeedDynamicTop);
|
|
|
|
|
|
|
|
/// \brief Replace all allocas in \p DynamicAllocas with code to allocate
|
|
|
|
/// space dynamically on the unsafe stack and store the dynamic unsafe stack
|
|
|
|
/// top to \p DynamicTop if non-null.
|
|
|
|
void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,
|
|
|
|
AllocaInst *DynamicTop,
|
|
|
|
ArrayRef<AllocaInst *> DynamicAllocas);
|
|
|
|
|
|
|
|
public:
|
|
|
|
static char ID; // Pass identification, replacement for typeid.
|
2015-09-23 18:07:56 +00:00
|
|
|
SafeStack(const TargetMachine *TM)
|
|
|
|
: FunctionPass(ID), TM(TM), TLI(nullptr), DL(nullptr) {
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
initializeSafeStackPass(*PassRegistry::getPassRegistry());
|
|
|
|
}
|
2015-09-23 18:07:56 +00:00
|
|
|
SafeStack() : SafeStack(nullptr) {}
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
2015-09-10 16:49:58 +00:00
|
|
|
void getAnalysisUsage(AnalysisUsage &AU) const override {
|
[PM/AA] Rebuild LLVM's alias analysis infrastructure in a way compatible
with the new pass manager, and no longer relying on analysis groups.
This builds essentially a ground-up new AA infrastructure stack for
LLVM. The core ideas are the same that are used throughout the new pass
manager: type erased polymorphism and direct composition. The design is
as follows:
- FunctionAAResults is a type-erasing alias analysis results aggregation
interface to walk a single query across a range of results from
different alias analyses. Currently this is function-specific as we
always assume that aliasing queries are *within* a function.
- AAResultBase is a CRTP utility providing stub implementations of
various parts of the alias analysis result concept, notably in several
cases in terms of other more general parts of the interface. This can
be used to implement only a narrow part of the interface rather than
the entire interface. This isn't really ideal, this logic should be
hoisted into FunctionAAResults as currently it will cause
a significant amount of redundant work, but it faithfully models the
behavior of the prior infrastructure.
- All the alias analysis passes are ported to be wrapper passes for the
legacy PM and new-style analysis passes for the new PM with a shared
result object. In some cases (most notably CFL), this is an extremely
naive approach that we should revisit when we can specialize for the
new pass manager.
- BasicAA has been restructured to reflect that it is much more
fundamentally a function analysis because it uses dominator trees and
loop info that need to be constructed for each function.
All of the references to getting alias analysis results have been
updated to use the new aggregation interface. All the preservation and
other pass management code has been updated accordingly.
The way the FunctionAAResultsWrapperPass works is to detect the
available alias analyses when run, and add them to the results object.
This means that we should be able to continue to respect when various
passes are added to the pipeline, for example adding CFL or adding TBAA
passes should just cause their results to be available and to get folded
into this. The exception to this rule is BasicAA which really needs to
be a function pass due to using dominator trees and loop info. As
a consequence, the FunctionAAResultsWrapperPass directly depends on
BasicAA and always includes it in the aggregation.
This has significant implications for preserving analyses. Generally,
most passes shouldn't bother preserving FunctionAAResultsWrapperPass
because rebuilding the results just updates the set of known AA passes.
The exception to this rule are LoopPass instances which need to preserve
all the function analyses that the loop pass manager will end up
needing. This means preserving both BasicAAWrapperPass and the
aggregating FunctionAAResultsWrapperPass.
Now, when preserving an alias analysis, you do so by directly preserving
that analysis. This is only necessary for non-immutable-pass-provided
alias analyses though, and there are only three of interest: BasicAA,
GlobalsAA (formerly GlobalsModRef), and SCEVAA. Usually BasicAA is
preserved when needed because it (like DominatorTree and LoopInfo) is
marked as a CFG-only pass. I've expanded GlobalsAA into the preserved
set everywhere we previously were preserving all of AliasAnalysis, and
I've added SCEVAA in the intersection of that with where we preserve
SCEV itself.
One significant challenge to all of this is that the CGSCC passes were
actually using the alias analysis implementations by taking advantage of
a pretty amazing set of loop holes in the old pass manager's analysis
management code which allowed analysis groups to slide through in many
cases. Moving away from analysis groups makes this problem much more
obvious. To fix it, I've leveraged the flexibility the design of the new
PM components provides to just directly construct the relevant alias
analyses for the relevant functions in the IPO passes that need them.
This is a bit hacky, but should go away with the new pass manager, and
is already in many ways cleaner than the prior state.
Another significant challenge is that various facilities of the old
alias analysis infrastructure just don't fit any more. The most
significant of these is the alias analysis 'counter' pass. That pass
relied on the ability to snoop on AA queries at different points in the
analysis group chain. Instead, I'm planning to build printing
functionality directly into the aggregation layer. I've not included
that in this patch merely to keep it smaller.
Note that all of this needs a nearly complete rewrite of the AA
documentation. I'm planning to do that, but I'd like to make sure the
new design settles, and to flesh out a bit more of what it looks like in
the new pass manager first.
Differential Revision: http://reviews.llvm.org/D12080
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@247167 91177308-0d34-0410-b5e6-96231b3b80d8
2015-09-09 17:55:00 +00:00
|
|
|
AU.addRequired<AAResultsWrapperPass>();
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
}
|
|
|
|
|
2015-09-10 16:49:58 +00:00
|
|
|
bool doInitialization(Module &M) override {
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
DL = &M.getDataLayout();
|
|
|
|
|
|
|
|
StackPtrTy = Type::getInt8PtrTy(M.getContext());
|
|
|
|
IntPtrTy = DL->getIntPtrType(M.getContext());
|
|
|
|
Int32Ty = Type::getInt32Ty(M.getContext());
|
|
|
|
Int8Ty = Type::getInt8Ty(M.getContext());
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2015-09-10 16:49:58 +00:00
|
|
|
bool runOnFunction(Function &F) override;
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
}; // class SafeStack
|
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {
|
|
|
|
Module &M = *F.getParent();
|
|
|
|
Triple TargetTriple(M.getTargetTriple());
|
|
|
|
|
|
|
|
unsigned Offset;
|
|
|
|
unsigned AddressSpace;
|
|
|
|
// Check if the target keeps the unsafe stack pointer at a fixed offset.
|
2015-09-30 00:01:47 +00:00
|
|
|
if (TLI && TLI->getSafeStackPointerLocation(AddressSpace, Offset)) {
|
2015-09-23 18:07:56 +00:00
|
|
|
Constant *OffsetVal =
|
|
|
|
ConstantInt::get(Type::getInt32Ty(F.getContext()), Offset);
|
|
|
|
return ConstantExpr::getIntToPtr(OffsetVal,
|
|
|
|
StackPtrTy->getPointerTo(AddressSpace));
|
|
|
|
}
|
|
|
|
|
|
|
|
// Android provides a libc function that returns the stack pointer address.
|
2015-10-08 21:21:24 +00:00
|
|
|
if (TargetTriple.isAndroid()) {
|
2015-09-23 18:07:56 +00:00
|
|
|
Value *Fn = M.getOrInsertFunction(kUnsafeStackPtrAddrFn,
|
|
|
|
StackPtrTy->getPointerTo(0), nullptr);
|
|
|
|
return IRB.CreateCall(Fn);
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
} else {
|
2015-09-23 18:07:56 +00:00
|
|
|
// Otherwise, declare a thread-local variable with a magic name.
|
|
|
|
auto UnsafeStackPtr =
|
|
|
|
dyn_cast_or_null<GlobalVariable>(M.getNamedValue(kUnsafeStackPtrVar));
|
|
|
|
|
|
|
|
if (!UnsafeStackPtr) {
|
|
|
|
// The global variable is not defined yet, define it ourselves.
|
|
|
|
// We use the initial-exec TLS model because we do not support the
|
|
|
|
// variable living anywhere other than in the main executable.
|
|
|
|
UnsafeStackPtr = new GlobalVariable(
|
|
|
|
/*Module=*/M, /*Type=*/StackPtrTy,
|
|
|
|
/*isConstant=*/false, /*Linkage=*/GlobalValue::ExternalLinkage,
|
2015-10-06 23:24:35 +00:00
|
|
|
/*Initializer=*/nullptr, /*Name=*/kUnsafeStackPtrVar,
|
2015-09-23 18:07:56 +00:00
|
|
|
/*InsertBefore=*/nullptr,
|
|
|
|
/*ThreadLocalMode=*/GlobalValue::InitialExecTLSModel);
|
|
|
|
} else {
|
|
|
|
// The variable exists, check its type and attributes.
|
|
|
|
if (UnsafeStackPtr->getValueType() != StackPtrTy) {
|
|
|
|
report_fatal_error(Twine(kUnsafeStackPtrVar) + " must have void* type");
|
|
|
|
}
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
if (!UnsafeStackPtr->isThreadLocal()) {
|
|
|
|
report_fatal_error(Twine(kUnsafeStackPtrVar) + " must be thread-local");
|
|
|
|
}
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
}
|
2015-09-23 18:07:56 +00:00
|
|
|
return UnsafeStackPtr;
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void SafeStack::findInsts(Function &F,
|
|
|
|
SmallVectorImpl<AllocaInst *> &StaticAllocas,
|
|
|
|
SmallVectorImpl<AllocaInst *> &DynamicAllocas,
|
|
|
|
SmallVectorImpl<ReturnInst *> &Returns,
|
|
|
|
SmallVectorImpl<Instruction *> &StackRestorePoints) {
|
2015-08-06 19:10:45 +00:00
|
|
|
for (Instruction &I : instructions(&F)) {
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
if (auto AI = dyn_cast<AllocaInst>(&I)) {
|
|
|
|
++NumAllocas;
|
|
|
|
|
|
|
|
if (IsSafeStackAlloca(AI))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (AI->isStaticAlloca()) {
|
|
|
|
++NumUnsafeStaticAllocas;
|
|
|
|
StaticAllocas.push_back(AI);
|
|
|
|
} else {
|
|
|
|
++NumUnsafeDynamicAllocas;
|
|
|
|
DynamicAllocas.push_back(AI);
|
|
|
|
}
|
|
|
|
} else if (auto RI = dyn_cast<ReturnInst>(&I)) {
|
|
|
|
Returns.push_back(RI);
|
|
|
|
} else if (auto CI = dyn_cast<CallInst>(&I)) {
|
|
|
|
// setjmps require stack restore.
|
|
|
|
if (CI->getCalledFunction() && CI->canReturnTwice())
|
|
|
|
StackRestorePoints.push_back(CI);
|
|
|
|
} else if (auto LP = dyn_cast<LandingPadInst>(&I)) {
|
|
|
|
// Exception landing pads require stack restore.
|
|
|
|
StackRestorePoints.push_back(LP);
|
|
|
|
} else if (auto II = dyn_cast<IntrinsicInst>(&I)) {
|
|
|
|
if (II->getIntrinsicID() == Intrinsic::gcroot)
|
|
|
|
llvm::report_fatal_error(
|
|
|
|
"gcroot intrinsic not compatible with safestack attribute");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
AllocaInst *
|
2015-09-24 01:23:51 +00:00
|
|
|
SafeStack::createStackRestorePoints(IRBuilder<> &IRB, Function &F,
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
ArrayRef<Instruction *> StackRestorePoints,
|
|
|
|
Value *StaticTop, bool NeedDynamicTop) {
|
|
|
|
if (StackRestorePoints.empty())
|
|
|
|
return nullptr;
|
|
|
|
|
|
|
|
// We need the current value of the shadow stack pointer to restore
|
|
|
|
// after longjmp or exception catching.
|
|
|
|
|
|
|
|
// FIXME: On some platforms this could be handled by the longjmp/exception
|
|
|
|
// runtime itself.
|
|
|
|
|
|
|
|
AllocaInst *DynamicTop = nullptr;
|
|
|
|
if (NeedDynamicTop)
|
|
|
|
// If we also have dynamic alloca's, the stack pointer value changes
|
|
|
|
// throughout the function. For now we store it in an alloca.
|
|
|
|
DynamicTop = IRB.CreateAlloca(StackPtrTy, /*ArraySize=*/nullptr,
|
|
|
|
"unsafe_stack_dynamic_ptr");
|
|
|
|
|
|
|
|
if (!StaticTop)
|
|
|
|
// We need the original unsafe stack pointer value, even if there are
|
|
|
|
// no unsafe static allocas.
|
|
|
|
StaticTop = IRB.CreateLoad(UnsafeStackPtr, false, "unsafe_stack_ptr");
|
|
|
|
|
|
|
|
if (NeedDynamicTop)
|
|
|
|
IRB.CreateStore(StaticTop, DynamicTop);
|
|
|
|
|
|
|
|
// Restore current stack pointer after longjmp/exception catch.
|
|
|
|
for (Instruction *I : StackRestorePoints) {
|
|
|
|
++NumUnsafeStackRestorePoints;
|
|
|
|
|
|
|
|
IRB.SetInsertPoint(cast<Instruction>(I->getNextNode()));
|
|
|
|
Value *CurrentTop = DynamicTop ? IRB.CreateLoad(DynamicTop) : StaticTop;
|
|
|
|
IRB.CreateStore(CurrentTop, UnsafeStackPtr);
|
|
|
|
}
|
|
|
|
|
|
|
|
return DynamicTop;
|
|
|
|
}
|
|
|
|
|
|
|
|
Value *
|
2015-09-23 18:07:56 +00:00
|
|
|
SafeStack::moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
ArrayRef<AllocaInst *> StaticAllocas,
|
|
|
|
ArrayRef<ReturnInst *> Returns) {
|
|
|
|
if (StaticAllocas.empty())
|
|
|
|
return nullptr;
|
|
|
|
|
|
|
|
DIBuilder DIB(*F.getParent());
|
|
|
|
|
|
|
|
// We explicitly compute and set the unsafe stack layout for all unsafe
|
|
|
|
// static alloca instructions. We save the unsafe "base pointer" in the
|
|
|
|
// prologue into a local variable and restore it in the epilogue.
|
|
|
|
|
|
|
|
// Load the current stack pointer (we'll also use it as a base pointer).
|
|
|
|
// FIXME: use a dedicated register for it ?
|
|
|
|
Instruction *BasePointer =
|
|
|
|
IRB.CreateLoad(UnsafeStackPtr, false, "unsafe_stack_ptr");
|
|
|
|
assert(BasePointer->getType() == StackPtrTy);
|
|
|
|
|
|
|
|
for (ReturnInst *RI : Returns) {
|
|
|
|
IRB.SetInsertPoint(RI);
|
|
|
|
IRB.CreateStore(BasePointer, UnsafeStackPtr);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Compute maximum alignment among static objects on the unsafe stack.
|
|
|
|
unsigned MaxAlignment = 0;
|
|
|
|
for (AllocaInst *AI : StaticAllocas) {
|
|
|
|
Type *Ty = AI->getAllocatedType();
|
|
|
|
unsigned Align =
|
|
|
|
std::max((unsigned)DL->getPrefTypeAlignment(Ty), AI->getAlignment());
|
|
|
|
if (Align > MaxAlignment)
|
|
|
|
MaxAlignment = Align;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (MaxAlignment > StackAlignment) {
|
|
|
|
// Re-align the base pointer according to the max requested alignment.
|
|
|
|
assert(isPowerOf2_32(MaxAlignment));
|
|
|
|
IRB.SetInsertPoint(cast<Instruction>(BasePointer->getNextNode()));
|
|
|
|
BasePointer = cast<Instruction>(IRB.CreateIntToPtr(
|
|
|
|
IRB.CreateAnd(IRB.CreatePtrToInt(BasePointer, IntPtrTy),
|
|
|
|
ConstantInt::get(IntPtrTy, ~uint64_t(MaxAlignment - 1))),
|
|
|
|
StackPtrTy));
|
|
|
|
}
|
|
|
|
|
|
|
|
// Allocate space for every unsafe static AllocaInst on the unsafe stack.
|
|
|
|
int64_t StaticOffset = 0; // Current stack top.
|
|
|
|
for (AllocaInst *AI : StaticAllocas) {
|
|
|
|
IRB.SetInsertPoint(AI);
|
|
|
|
|
|
|
|
auto CArraySize = cast<ConstantInt>(AI->getArraySize());
|
|
|
|
Type *Ty = AI->getAllocatedType();
|
|
|
|
|
|
|
|
uint64_t Size = DL->getTypeAllocSize(Ty) * CArraySize->getZExtValue();
|
|
|
|
if (Size == 0)
|
|
|
|
Size = 1; // Don't create zero-sized stack objects.
|
|
|
|
|
|
|
|
// Ensure the object is properly aligned.
|
|
|
|
unsigned Align =
|
|
|
|
std::max((unsigned)DL->getPrefTypeAlignment(Ty), AI->getAlignment());
|
|
|
|
|
|
|
|
// Add alignment.
|
|
|
|
// NOTE: we ensure that BasePointer itself is aligned to >= Align.
|
|
|
|
StaticOffset += Size;
|
|
|
|
StaticOffset = RoundUpToAlignment(StaticOffset, Align);
|
|
|
|
|
|
|
|
Value *Off = IRB.CreateGEP(BasePointer, // BasePointer is i8*
|
|
|
|
ConstantInt::get(Int32Ty, -StaticOffset));
|
|
|
|
Value *NewAI = IRB.CreateBitCast(Off, AI->getType(), AI->getName());
|
|
|
|
if (AI->hasName() && isa<Instruction>(NewAI))
|
|
|
|
cast<Instruction>(NewAI)->takeName(AI);
|
|
|
|
|
|
|
|
// Replace alloc with the new location.
|
2015-09-30 19:55:43 +00:00
|
|
|
replaceDbgDeclareForAlloca(AI, BasePointer, DIB, /*Deref=*/true, -StaticOffset);
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
AI->replaceAllUsesWith(NewAI);
|
|
|
|
AI->eraseFromParent();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Re-align BasePointer so that our callees would see it aligned as
|
|
|
|
// expected.
|
|
|
|
// FIXME: no need to update BasePointer in leaf functions.
|
|
|
|
StaticOffset = RoundUpToAlignment(StaticOffset, StackAlignment);
|
|
|
|
|
|
|
|
// Update shadow stack pointer in the function epilogue.
|
|
|
|
IRB.SetInsertPoint(cast<Instruction>(BasePointer->getNextNode()));
|
|
|
|
|
|
|
|
Value *StaticTop =
|
|
|
|
IRB.CreateGEP(BasePointer, ConstantInt::get(Int32Ty, -StaticOffset),
|
|
|
|
"unsafe_stack_static_top");
|
|
|
|
IRB.CreateStore(StaticTop, UnsafeStackPtr);
|
|
|
|
return StaticTop;
|
|
|
|
}
|
|
|
|
|
|
|
|
void SafeStack::moveDynamicAllocasToUnsafeStack(
|
|
|
|
Function &F, Value *UnsafeStackPtr, AllocaInst *DynamicTop,
|
|
|
|
ArrayRef<AllocaInst *> DynamicAllocas) {
|
|
|
|
DIBuilder DIB(*F.getParent());
|
|
|
|
|
|
|
|
for (AllocaInst *AI : DynamicAllocas) {
|
|
|
|
IRBuilder<> IRB(AI);
|
|
|
|
|
|
|
|
// Compute the new SP value (after AI).
|
|
|
|
Value *ArraySize = AI->getArraySize();
|
|
|
|
if (ArraySize->getType() != IntPtrTy)
|
|
|
|
ArraySize = IRB.CreateIntCast(ArraySize, IntPtrTy, false);
|
|
|
|
|
|
|
|
Type *Ty = AI->getAllocatedType();
|
|
|
|
uint64_t TySize = DL->getTypeAllocSize(Ty);
|
|
|
|
Value *Size = IRB.CreateMul(ArraySize, ConstantInt::get(IntPtrTy, TySize));
|
|
|
|
|
|
|
|
Value *SP = IRB.CreatePtrToInt(IRB.CreateLoad(UnsafeStackPtr), IntPtrTy);
|
|
|
|
SP = IRB.CreateSub(SP, Size);
|
|
|
|
|
|
|
|
// Align the SP value to satisfy the AllocaInst, type and stack alignments.
|
|
|
|
unsigned Align = std::max(
|
|
|
|
std::max((unsigned)DL->getPrefTypeAlignment(Ty), AI->getAlignment()),
|
|
|
|
(unsigned)StackAlignment);
|
|
|
|
|
|
|
|
assert(isPowerOf2_32(Align));
|
|
|
|
Value *NewTop = IRB.CreateIntToPtr(
|
|
|
|
IRB.CreateAnd(SP, ConstantInt::get(IntPtrTy, ~uint64_t(Align - 1))),
|
|
|
|
StackPtrTy);
|
|
|
|
|
|
|
|
// Save the stack pointer.
|
|
|
|
IRB.CreateStore(NewTop, UnsafeStackPtr);
|
|
|
|
if (DynamicTop)
|
|
|
|
IRB.CreateStore(NewTop, DynamicTop);
|
|
|
|
|
|
|
|
Value *NewAI = IRB.CreateIntToPtr(SP, AI->getType());
|
|
|
|
if (AI->hasName() && isa<Instruction>(NewAI))
|
|
|
|
NewAI->takeName(AI);
|
|
|
|
|
|
|
|
replaceDbgDeclareForAlloca(AI, NewAI, DIB, /*Deref=*/true);
|
|
|
|
AI->replaceAllUsesWith(NewAI);
|
|
|
|
AI->eraseFromParent();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!DynamicAllocas.empty()) {
|
|
|
|
// Now go through the instructions again, replacing stacksave/stackrestore.
|
|
|
|
for (inst_iterator It = inst_begin(&F), Ie = inst_end(&F); It != Ie;) {
|
|
|
|
Instruction *I = &*(It++);
|
|
|
|
auto II = dyn_cast<IntrinsicInst>(I);
|
|
|
|
if (!II)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (II->getIntrinsicID() == Intrinsic::stacksave) {
|
|
|
|
IRBuilder<> IRB(II);
|
|
|
|
Instruction *LI = IRB.CreateLoad(UnsafeStackPtr);
|
|
|
|
LI->takeName(II);
|
|
|
|
II->replaceAllUsesWith(LI);
|
|
|
|
II->eraseFromParent();
|
|
|
|
} else if (II->getIntrinsicID() == Intrinsic::stackrestore) {
|
|
|
|
IRBuilder<> IRB(II);
|
|
|
|
Instruction *SI = IRB.CreateStore(II->getArgOperand(0), UnsafeStackPtr);
|
|
|
|
SI->takeName(II);
|
|
|
|
assert(II->use_empty());
|
|
|
|
II->eraseFromParent();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
bool SafeStack::runOnFunction(Function &F) {
|
|
|
|
DEBUG(dbgs() << "[SafeStack] Function: " << F.getName() << "\n");
|
|
|
|
|
|
|
|
if (!F.hasFnAttribute(Attribute::SafeStack)) {
|
|
|
|
DEBUG(dbgs() << "[SafeStack] safestack is not requested"
|
|
|
|
" for this function\n");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (F.isDeclaration()) {
|
|
|
|
DEBUG(dbgs() << "[SafeStack] function definition"
|
|
|
|
" is not available\n");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
|
|
|
|
|
|
|
|
TLI = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr;
|
|
|
|
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
{
|
|
|
|
// Make sure the regular stack protector won't run on this function
|
|
|
|
// (safestack attribute takes precedence).
|
|
|
|
AttrBuilder B;
|
|
|
|
B.addAttribute(Attribute::StackProtect)
|
|
|
|
.addAttribute(Attribute::StackProtectReq)
|
|
|
|
.addAttribute(Attribute::StackProtectStrong);
|
|
|
|
F.removeAttributes(
|
|
|
|
AttributeSet::FunctionIndex,
|
|
|
|
AttributeSet::get(F.getContext(), AttributeSet::FunctionIndex, B));
|
|
|
|
}
|
|
|
|
|
|
|
|
if (AA->onlyReadsMemory(&F)) {
|
|
|
|
// XXX: we don't protect against information leak attacks for now.
|
|
|
|
DEBUG(dbgs() << "[SafeStack] function only reads memory\n");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
++NumFunctions;
|
|
|
|
|
|
|
|
SmallVector<AllocaInst *, 16> StaticAllocas;
|
|
|
|
SmallVector<AllocaInst *, 4> DynamicAllocas;
|
|
|
|
SmallVector<ReturnInst *, 4> Returns;
|
|
|
|
|
|
|
|
// Collect all points where stack gets unwound and needs to be restored
|
|
|
|
// This is only necessary because the runtime (setjmp and unwind code) is
|
|
|
|
// not aware of the unsafe stack and won't unwind/restore it prorerly.
|
|
|
|
// To work around this problem without changing the runtime, we insert
|
|
|
|
// instrumentation to restore the unsafe stack pointer when necessary.
|
|
|
|
SmallVector<Instruction *, 4> StackRestorePoints;
|
|
|
|
|
|
|
|
// Find all static and dynamic alloca instructions that must be moved to the
|
|
|
|
// unsafe stack, all return instructions and stack restore points.
|
|
|
|
findInsts(F, StaticAllocas, DynamicAllocas, Returns, StackRestorePoints);
|
|
|
|
|
|
|
|
if (StaticAllocas.empty() && DynamicAllocas.empty() &&
|
|
|
|
StackRestorePoints.empty())
|
|
|
|
return false; // Nothing to do in this function.
|
|
|
|
|
|
|
|
if (!StaticAllocas.empty() || !DynamicAllocas.empty())
|
|
|
|
++NumUnsafeStackFunctions; // This function has the unsafe stack.
|
|
|
|
|
|
|
|
if (!StackRestorePoints.empty())
|
|
|
|
++NumUnsafeStackRestorePointsFunctions;
|
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
IRBuilder<> IRB(F.begin()->getFirstInsertionPt());
|
|
|
|
UnsafeStackPtr = getOrCreateUnsafeStackPtr(IRB, F);
|
2015-06-22 20:26:54 +00:00
|
|
|
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
// The top of the unsafe stack after all unsafe static allocas are allocated.
|
2015-09-23 18:07:56 +00:00
|
|
|
Value *StaticTop = moveStaticAllocasToUnsafeStack(IRB, F, StaticAllocas, Returns);
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
|
|
|
// Safe stack object that stores the current unsafe stack top. It is updated
|
|
|
|
// as unsafe dynamic (non-constant-sized) allocas are allocated and freed.
|
|
|
|
// This is only needed if we need to restore stack pointer after longjmp
|
|
|
|
// or exceptions, and we have dynamic allocations.
|
|
|
|
// FIXME: a better alternative might be to store the unsafe stack pointer
|
|
|
|
// before setjmp / invoke instructions.
|
|
|
|
AllocaInst *DynamicTop = createStackRestorePoints(
|
2015-09-24 01:23:51 +00:00
|
|
|
IRB, F, StackRestorePoints, StaticTop, !DynamicAllocas.empty());
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
|
|
|
// Handle dynamic allocas.
|
|
|
|
moveDynamicAllocasToUnsafeStack(F, UnsafeStackPtr, DynamicTop,
|
|
|
|
DynamicAllocas);
|
|
|
|
|
|
|
|
DEBUG(dbgs() << "[SafeStack] safestack applied\n");
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2015-10-06 23:24:35 +00:00
|
|
|
} // anonymous namespace
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
|
|
|
char SafeStack::ID = 0;
|
2015-09-23 18:07:56 +00:00
|
|
|
INITIALIZE_TM_PASS_BEGIN(SafeStack, "safe-stack",
|
|
|
|
"Safe Stack instrumentation pass", false, false)
|
|
|
|
INITIALIZE_TM_PASS_END(SafeStack, "safe-stack",
|
|
|
|
"Safe Stack instrumentation pass", false, false)
|
Protection against stack-based memory corruption errors using SafeStack
This patch adds the safe stack instrumentation pass to LLVM, which separates
the program stack into a safe stack, which stores return addresses, register
spills, and local variables that are statically verified to be accessed
in a safe way, and the unsafe stack, which stores everything else. Such
separation makes it much harder for an attacker to corrupt objects on the
safe stack, including function pointers stored in spilled registers and
return addresses. You can find more information about the safe stack, as
well as other parts of or control-flow hijack protection technique in our
OSDI paper on code-pointer integrity (http://dslab.epfl.ch/pubs/cpi.pdf)
and our project website (http://levee.epfl.ch).
The overhead of our implementation of the safe stack is very close to zero
(0.01% on the Phoronix benchmarks). This is lower than the overhead of
stack cookies, which are supported by LLVM and are commonly used today,
yet the security guarantees of the safe stack are strictly stronger than
stack cookies. In some cases, the safe stack improves performance due to
better cache locality.
Our current implementation of the safe stack is stable and robust, we
used it to recompile multiple projects on Linux including Chromium, and
we also recompiled the entire FreeBSD user-space system and more than 100
packages. We ran unit tests on the FreeBSD system and many of the packages
and observed no errors caused by the safe stack. The safe stack is also fully
binary compatible with non-instrumented code and can be applied to parts of
a program selectively.
This patch is our implementation of the safe stack on top of LLVM. The
patches make the following changes:
- Add the safestack function attribute, similar to the ssp, sspstrong and
sspreq attributes.
- Add the SafeStack instrumentation pass that applies the safe stack to all
functions that have the safestack attribute. This pass moves all unsafe local
variables to the unsafe stack with a separate stack pointer, whereas all
safe variables remain on the regular stack that is managed by LLVM as usual.
- Invoke the pass as the last stage before code generation (at the same time
the existing cookie-based stack protector pass is invoked).
- Add unit tests for the safe stack.
Original patch by Volodymyr Kuznetsov and others at the Dependable Systems
Lab at EPFL; updates and upstreaming by myself.
Differential Revision: http://reviews.llvm.org/D6094
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@239761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-06-15 21:07:11 +00:00
|
|
|
|
2015-09-23 18:07:56 +00:00
|
|
|
FunctionPass *llvm::createSafeStackPass(const llvm::TargetMachine *TM) {
|
|
|
|
return new SafeStack(TM);
|
|
|
|
}
|