On Mon, Aug 10, 2020 at 11:39:26PM -0300, Alexandre Oliva wrote:
> Erhm, I don't get why it's important that they be zeroed. It seems to
> me that restoring their original values, or setting them to random
> values, would be just as good defenses from having them set within the

In the performance analysis I looked at a while ago, doing the
register-self-xor is extremely fast to run (IIRC the cycle counts on x86
were absolutely tiny), and it's smaller for code size which minimized the
overall image footprint.

> [...]
> Code that sets the register to zero in the epilogue would be much harder
> for an attacker to change indeed.

Yes, a fixed value is a significantly better defensive position to take
for ROP. And specifically zero _tends_ to be the safest choice as it's
less "useful" to be used as a size, index, or pointer. And, no, it is not
perfect, but nothing can be if we're dealing with trying to defend against
arbitrary ROP gadget finding (or uninitialized stack contents, where the
same argument for "zero is best" also holds[1]).

-Kees

[1] https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html

-- 
Kees Cook
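An added check, not part of the thread above, for seeing the register-clearing epilogue the mail talks about in practice: the script below compiles a tiny function once without and once with `-fzero-call-used-regs=used-gpr` (the compiler flag that implements this in GCC 11 and later and in Clang 15 and later) and counts the register-clearing instructions in the generated assembly. It assumes a `cc` on PATH and an x86-64 or AArch64 target; the function name `f`, the temporary paths and the grep patterns are the example's own choices, and a compiler that rejects the flag makes the hardened build report "unsupported" instead of failing.

```shell
#!/bin/sh
# Added example (not code from the thread): compare the epilogue of a small
# function with and without compiler-inserted register zeroing.
# Assumes: `cc` on PATH; -fzero-call-used-regs=used-gpr understood by
# GCC >= 11 / Clang >= 15; x86-64 (AT&T syntax) or AArch64 assembly output.

TMP="${TMPDIR:-/tmp}/zcr_demo.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed input: a leaf function that uses its argument registers.
cat > "$TMP/demo.c" <<'EOF'
int f(int a, int b) { return a * b + 1; }
EOF

# count_clears [FLAGS...]: compile demo.c to assembly with the given extra
# flags and print how many register-clearing instructions appear
# (x86 self-xor such as "xorl %edi, %edi", or AArch64 "mov x1, #0" / "mov w1, 0").
# Prints "unsupported" when the compiler rejects FLAGS (or is missing).
count_clears() {
    if ! cc -O2 "$@" -S "$TMP/demo.c" -o "$TMP/demo.s" 2>/dev/null; then
        echo unsupported
        return 0
    fi
    # grep -c exits 1 on zero matches but still prints "0"; keep that count.
    n=$(grep -cE 'xor|mov[[:space:]]+[wx][0-9]+,[[:space:]]*#?0$' "$TMP/demo.s" || true)
    echo "$n"
}

# Baseline: nothing in f() needs an xor or a move of zero, so this should be 0.
baseline_clears() { count_clears; }

# Hardened: with used-gpr, every call-used general-purpose register that f()
# touched (other than the return register) is cleared before `ret`.
hardened_clears() { count_clears -fzero-call-used-regs=used-gpr; }

echo "without flag:  $(baseline_clears) register clears in f()"
echo "with used-gpr: $(hardened_clears) register clears in f()"
```

The interesting number is the difference between the two builds: the baseline has no clearing instructions at all, while the hardened build adds one self-xor (or zero-move) per argument register the function used, which is the small code-size and cycle cost the mail refers to. Disassembling the object file instead of reading `-S` output gives the same picture for code that has already been built.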