* kCFI sources
@ 2020-04-03 5:29 joao
2020-04-03 23:28 ` Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: joao @ 2020-04-03 5:29 UTC (permalink / raw)
To: kernel-hardening; +Cc: keescook, vasileios_kemerlis, sandro
Hi,
FWIW, In case someone has any interest in looking into it, a month ago I uploaded the old sources for a kernel CFI prototype I implemented back in 2015/2016 (kCFI) here: https://github.com/kcfi/kcfi
As is, the code supports kernel 3.19. It is no longer maintained and, given that the upstream Linux kernel may have its own CFI scheme somewhat soon, I don't believe that there is much sense in trying to forward-port it or anything. Either way, if it is useful for anyone, there you go.
Cheers,
Joao.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: kCFI sources
2020-04-03 5:29 kCFI sources joao
@ 2020-04-03 23:28 ` Kees Cook
2020-04-04 1:28 ` joao
0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2020-04-03 23:28 UTC (permalink / raw)
To: joao@overdrivepizza.com; +Cc: kernel-hardening, vasileios_kemerlis, sandro
On Fri, Apr 03, 2020 at 07:29:38AM +0200, joao@overdrivepizza.com wrote:
> FWIW, In case someone has any interest in looking into it, a month ago I uploaded the old sources for a kernel CFI prototype I implemented back in 2015/2016 (kCFI) here: https://github.com/kcfi/kcfi
Great; thanks!
> As is, the code supports kernel 3.19. It is no longer maintained and, given that the upstream Linux kernel may have its own CFI scheme somewhat soon, I don't believe that there is much sense in trying to forward-port it or anything. Either way, if it is useful for anyone, there you go.
Weren't there updates make to LLVM to provide a more fine-grained
bucketization of the function prototypes? (i.e. instead of all "void
func(void)" being in one bucket, they got chopped into more buckets?)
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: kCFI sources
2020-04-03 23:28 ` Kees Cook
@ 2020-04-04 1:28 ` joao
0 siblings, 0 replies; 3+ messages in thread
From: joao @ 2020-04-04 1:28 UTC (permalink / raw)
To: Kees Cook; +Cc: kernel-hardening, vasileios_kemerlis, sandro
> Weren't there updates make to LLVM to provide a more fine-grained
> bucketization of the function prototypes? (i.e. instead of all "void
> func(void)" being in one bucket, they got chopped into more buckets?)
The optimization we put in place (Call Graph Detaching) in the shared sources has a slightly different goal. It uses both source-level and binary-level information (not only changes in llvm) to identify which functions belonging to a prototype group are callable both directly and indirectly (they have a matching function pointer and a direct call); then it clones these functions and replace the direct call to them with a direct call to the clone. By doing so, it allows the function to have a different tag to be checked on return in each of its versions, detaching the instances of the function invocation from the prototype group. This reduces the the number of allowed return targets of the cloned functions to the actual number of direct calls to it, instead of the number of indirect and direct calls to the whole prototype group. This is actually a backward-edge granularity optimization.
For examples, see slides 28-33: https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel.pdf
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-04-04 10:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-03 5:29 kCFI sources joao
2020-04-03 23:28 ` Kees Cook
2020-04-04 1:28 ` joao
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.