From: Nadav Rotem <nrotem <at> apple.com>
Subject: Re: Adding diversity for security (and testing)
Newsgroups: gmane.comp.compilers.llvm.devel
Date: Monday 26th August 2013 18:51:19 UTC
Hi Stephen, 

> Greetings LLVM Devs!
> I am a PhD student in the Secure Systems and Software Lab at UC
> Irvine. We have been working on adding randomness into code generation
> to create a diverse population of binaries. This diversity prevents
> code-reuse attacks such as return-oriented-programming (ROP) by
> denying the attacker information about the exact code layout. ROP has
> been used in several high-profile recent attacks, and has also been
> used as a jailbreaking avenue. We believe our transformations would
> provide a significant security benefit for LLVM users who choose to
> use diversity. For more details see [1] (although we are currently
> proposing to upstream only a simplified subset of our work).

I think that this is very interesting and I would like LLVM to have a
"randomness" feature. I think that it is useful for other aspects of
security as well.

> We would like to contribute some of our work back to the community,
> and are preparing a small patch adding two new features: NOP insertion
> and schedule randomization. The NOP insertion pass randomly adds NOPs
> after each MachineInstr according to a command-line
> parameter. Currently NOP insertion is implemented for X86, and we are
> adding support for ARM.


> The schedule randomizer randomly picks a valid
> instruction to schedule at every point, bypassing the scheduling
> heuristics. These passes result in a binary which, while slightly
> slower, is far more secure against code-reuse attacks. In addition,
> schedule randomization may be useful for randomized compiler and
> micro-architecture testing.

Which scheduler did you modify? The plan is to disable the SelectionDAG
scheduler and move to the MI Scheduler soon.

Also, have you looked at randomizing register-allocation?

> We would also include a secure random number generator which links
> against OpenSSL. This would of course be an optional module disabled
> by default, but is necessary so the randomization is cryptographically
> secure and useful in security applications.

I am not sure why you need this feature. You can provide LLVM with a SEED
value that can be controlled from the command line. A wrapper (such as a
build-script) can control this value.

> We are in the process of writing test cases and double checking
> formatting to produce a useful patch, but would like to solicit
> feedback on our proposed changes before submitting patches for
> detailed consideration.

Please make sure that the LLVM nightly test suite passes with randomization

> Thanks,
> Stephen Crane
> Secure Systems and Software Lab
> UC Irvine
> [1] A. Homescu, S. Neisius, P. Larsen, S. Brunthaler, and M. Franz;
> “Profile-guided Automated Software Diversity,” in 2013 International
> Symposium on Code Generation and Optimization (CGO 2013), Shenzhen,
> China; February 2013.
> _______________________________________________
> LLVM Developers mailing list
> [email protected]         http://llvm.cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev
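
A toy model of the seeded NOP insertion discussed in this message, added here as an illustration; it is not code from the proposed patch or from LLVM. It shows that one seed reproduces the same layout while different seeds shift instruction offsets. `Instr`, `insertNops`, `seed` and `pct` are hypothetical names, and the instruction sizes are constructed sample data.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for a MachineInstr: mnemonic plus encoded size in bytes.
struct Instr { std::string name; unsigned size; };
using Code = std::vector<Instr>;

// Constructed sample function body (not taken from the patch).
static const Code kSample = {{"push rbp", 1}, {"mov rbp, rsp", 3}, {"mov eax, edi", 2},
                             {"add eax, esi", 2}, {"pop rbp", 1}, {"ret", 1}};

// Insert a 1-byte NOP after each instruction with probability pct/100.
// seed and pct are hypothetical stand-ins for command-line values. mt19937_64
// is not a cryptographic generator; its raw output is fully specified, so a
// given seed reproduces the same layout on every standard library.
Code insertNops(const Code& in, uint64_t seed, unsigned pct) {
    std::mt19937_64 rng(seed);
    Code out;
    for (const Instr& i : in) {
        out.push_back(i);
        if (rng() % 100 < pct) out.push_back({"nop", 1});
    }
    return out;
}

// Byte offset of every original (non-NOP) instruction in the final layout.
std::vector<unsigned> offsets(const Code& code) {
    std::vector<unsigned> offs;
    unsigned pc = 0;
    for (const Instr& i : code) {
        if (i.name != "nop") offs.push_back(pc);
        pc += i.size;
    }
    return offs;
}

// Number of distinct layouts produced by seeds first .. first+n-1.
std::size_t distinctLayouts(uint64_t first, unsigned n, unsigned pct) {
    std::set<std::vector<unsigned>> seen;
    for (uint64_t s = first; s < first + n; ++s)
        seen.insert(offsets(insertNops(kSample, s, pct)));
    return seen.size();
}

int main() { std::printf("%zu distinct layouts from 64 seeds\n", distinctLayouts(1, 64, 50)); }
```

A NOP after the final instruction moves nothing that precedes it, so this six-instruction sample has at most 32 distinct offset layouts.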