From: Qing Zhao
To: Kees Cook
Cc: "Rodriguez Bahena, Victor", Segher Boessenkool, Jakub Jelinek, Uros Bizjak, GCC Patches
Subject: Re: PING [Patch][Middle-end]Add -fzero-call-used-regs=[skip|used-gpr|all-gpr|used|all]
Date: Thu, 10 Sep 2020 17:40:53 -0500
In-Reply-To: <202009101158.B6A3E1AD17@keescook>
References: <4014F619-614E-4BB3-9080-08EA044F36ED@ORACLE.COM> <20200824202027.GT28786@gate.crashing.org> <5191C24D-D722-4ECC-A613-15000C81CDFA@ORACLE.COM> <202009031012.4A0D70F@keescook> <51176577-9E37-4BED-ACBC-07D7C0D6EE07@intel.com> <715CE173-31FC-4558-B59C-82AD87D58186@ORACLE.COM> <202009101158.B6A3E1AD17@keescook>
List-Id: Gcc-patches mailing list

> On Sep 10, 2020, at 2:07 PM, Kees Cook wrote:
>
> [tried to clean up quoting...]
>
> On Tue, Sep 08, 2020 at 10:00:09AM -0500, Qing Zhao wrote:
>>
>>> On Sep 7, 2020, at 8:06 AM, Rodriguez Bahena, Victor wrote:
>>>
>>>>> On Thu, Sep 03, 2020 at 09:29:54AM -0500, Qing Zhao wrote:
>>>>> So, my question is:
>>>>>
>>>>> From the security point of view, does clearing ALL registers have more benefit than clearing USED registers?
>>>>> From my understanding, clearing registers that are not used in the current routine does NOT provide additional benefit, correct me if I am wrong here.
>>>
>>> You are right, it does not provide additional security
>>
>> Then, is it necessary to provide
>>
>> -fzero-call-used-regs=all-arg|all-gpr|all to the user?
>>
>> Can we just delete these 3 sub options?
>
> Well... I'd say there is some benefit (remember that ROP gadgets are
> built from function trailers, so there is rarely a concern over what the
> rest of the function is doing). Generally, they are chained together
> based on just the last couple instructions:
>
> *useful action*
> *ret*
>
> So with ...=used this turns into:
>
> *useful action*
> *clear some registers*
> *ret*
>
> Which may still be helpful (if, for example, the state being built by
> the attacker is using registers _not_ in the cleared list). However:
>
> *useful action*
> *clear all registers*
> *ret*
>
> Means that suddenly the ROP chain cannot use *any* of the caller-saved
> registers to hold state.
>
> So, while ...=used is likely going to block a lot, ...=all will block
> even more. I'd prefer to have both available,

Okay. I am fine with this.

My biggest concern is the much bigger run-time overhead from zeroing those unused registers.
Might need to mention the big run-time overhead in the user's manual.

Qing

> if for no other reason
> than to compare the ROP gadget availability for any given binary (e.g.
> if some future attack is found that bypasses ...=used, does it also
> bypass ...=all?)
>
> --
> Kees Cook
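Kees's point above, that a gadget is judged by what its last few instructions leave in registers for the next link of the chain, as an added illustration that is not part of this thread or of the GCC patch: a toy x86-64 gadget analysis in Python. It decodes hand-assembled trailer bytes (constructed here, not compiler output) with a small opcode table and reports which call-used GPRs still carry attacker-controlled state at `ret`. The following are assumptions about the patch's output, not facts taken from the thread: that the zeroing idiom on x86-64 is `xor r32, r32`, that it lands immediately before `ret`, and that the return-value register `rax` is never cleared; the function names `decode`, `surviving_state` and `analyze` are this example's own.

```python
"""Gadget-level view of -fzero-call-used-regs (added example, not GCC code).

Decodes hand-assembled x86-64 function trailers with a tiny opcode table,
walks back from each `ret`, and reports which call-used GPRs still hold
attacker-controlled state when `ret` hands control to the next gadget.
"""

# SysV x86-64 call-used ("caller-saved") general-purpose registers.
CALL_USED_GPRS = ("rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11")

# opcode bytes -> (mnemonic, effect); effect is ("pop", reg), ("zero", reg),
# ("mov", dst, src) or None.  Only what the constructed samples need.
OPCODES = {
    b"\xc3": ("ret", None),
    b"\x5b": ("pop rbx", ("pop", "rbx")),
    b"\x5d": ("pop rbp", ("pop", "rbp")),
    b"\x5a": ("pop rdx", ("pop", "rdx")),
    b"\x48\x89\xd0": ("mov rax, rdx", ("mov", "rax", "rdx")),
    # `xor r32, r32` as the zeroing idiom is an assumption about the patch.
    b"\x31\xc0": ("xor eax, eax", ("zero", "rax")),
    b"\x31\xc9": ("xor ecx, ecx", ("zero", "rcx")),
    b"\x31\xd2": ("xor edx, edx", ("zero", "rdx")),
    b"\x31\xf6": ("xor esi, esi", ("zero", "rsi")),
    b"\x31\xff": ("xor edi, edi", ("zero", "rdi")),
    b"\x45\x31\xc0": ("xor r8d, r8d", ("zero", "r8")),
    b"\x45\x31\xc9": ("xor r9d, r9d", ("zero", "r9")),
    b"\x45\x31\xd2": ("xor r10d, r10d", ("zero", "r10")),
    b"\x45\x31\xdb": ("xor r11d, r11d", ("zero", "r11")),
}


def decode(blob):
    """Linear-sweep decode; returns [(offset, mnemonic, effect), ...]."""
    insns, i = [], 0
    while i < len(blob):
        for n in (3, 2, 1):                      # longest encoding first
            chunk = blob[i:i + n]
            if len(chunk) == n and chunk in OPCODES:
                insns.append((i,) + OPCODES[chunk])
                i += n
                break
        else:
            raise ValueError(f"unmodelled opcode at {i:#x}: {blob[i:i + 3].hex()}")
    return insns


def surviving_state(insns):
    """Call-used GPRs that still carry attacker state at the end of `insns`.

    Every register is assumed attacker-controlled on entry (earlier gadgets
    built that state); `pop` refreshes it from the attacker's stack, `xor r,r`
    destroys it, and `mov` copies the source's status to the destination.
    """
    live = {}                                    # reg -> True if attacker-controlled
    for _, _, effect in insns:
        if effect is None:
            continue
        if effect[0] == "pop":
            live[effect[1]] = True
        elif effect[0] == "zero":
            live[effect[1]] = False
        elif effect[0] == "mov":
            live[effect[1]] = live.get(effect[2], True)
    return {r for r in CALL_USED_GPRS if live.get(r, True)}


def analyze(blob, max_len=12):
    """For each `ret`: (gadget offset, gadget text, registers left live)."""
    insns = decode(blob)
    out = []
    for idx, (_, mnem, _) in enumerate(insns):
        if mnem != "ret":
            continue
        window = insns[max(0, idx - max_len + 1):idx + 1]
        text = "; ".join(m for _, m, _ in window)
        out.append((window[0][0], text, surviving_state(window)))
    return out


# Constructed trailers (hand-assembled here, not compiler output) for the
# same epilogue `mov rax, rdx; pop rbx; ret` under three settings.  Assumed
# patch behaviour: zeroing lands just before `ret`; rax (return value) is
# never cleared.
TRAILER_PLAIN = bytes.fromhex("4889d0 5b c3")                  # no zeroing
TRAILER_USED = bytes.fromhex("4889d0 5b 31d2 c3")              # =used, body used rdx
TRAILER_ALL = bytes.fromhex("4889d0 5b 31c9 31d2 31f6 31ff "   # =all
                            "4531c0 4531c9 4531d2 4531db c3")

if __name__ == "__main__":
    for name, blob in (("plain", TRAILER_PLAIN), ("used", TRAILER_USED), ("all", TRAILER_ALL)):
        for off, text, live in analyze(blob):
            print(f"{name:5} @{off:#04x}: {text}\n      live at ret: {sorted(live)}")
```

Run stand-alone it prints, per trailer, the gadget and the call-used registers the next gadget can still rely on: all nine for the plain trailer, everything but rdx under =used, and only rax under =all. The decoder only knows the opcodes listed, so it is a model of the argument rather than a tool; against a real build one would feed the same liveness walk with disassembly of two builds, one with and one without the option, which is exactly the comparison Kees suggests keeping both sub-options for.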