Hi,

Based on all the previous discussion and more extensive study on ROP and its 
mitigation techniques these days, I came up with the following
High-level proposal as requested, please take a look and let me know what I 
should change in this high-level design:

> On Aug 6, 2020, at 6:37 PM, Segher Boessenkool <seg...@kernel.crashing.org> 
> wrote:
> 
> Anyway.  This all needs a good description in the user manual (is there?
> I couldn't find any), explaining what exactly it does (user-visible),
> and when you would want to use it, etc.  We need that before we can
> review anything else in this patch sanely.
> 
> 
> Segher

zeroing call-used registers for security purpose

8/19/2020
Qing Zhao
=========================================

**Motivation:
There are two purposes of this patch:

1. ROP mitigation:

ROP (Return-oriented programming, 
https://en.wikipedia.org/wiki/Return-oriented_programming) is 
one of the most popular code reuse attack technique, which executes gadget 
chains to perform malicious tasks.
A gadget is a carefully chosen machine instruction sequence that is already 
present in the machines' memory. 
Each gadget typically ends in a return instruction and is located in a 
subroutine within the existing program 
and/or shared library code.

There are two variations that use gadgets that end with indirect call (COP, 
Call Oriented Programming )
 and jump instruction (JOP, Jump-Oriented Programming). However, performing ROP 
without return 
instructions in reality is difficult because the gadgets of COP and JOP that 
can form a completed chain 
are almost nonexistent. 

As a result, gadgets based on return instructions remain the most popular.

One important feature of ROP attack is (Clean the Scratch Registers:A Way to 
Mitigate Return-Oriented
Programming Attacks https://ieeexplore.ieee.org/document/8445132):
the destination of using gadget chains usually call system functions to perform 
malicious behaviour,
on many of the mordern architectures, the registers would be used to pass 
parameters for those 
system functions.

So, cleaning the scratch registers that are used to pass parameters at return 
instructions should 
effectively mitigate ROP attack. 

2. Register Erasure:

In the SECURE project and GCC (https://gcc.gnu.org/wiki/cauldron2018#secure)

One of the well known security techniques is stack and register erasure. 
Ensuring that on return from a function, no data is left lying on the stack or 
in registers.

As mentioned in the slides 
(https://gmarkall.files.wordpress.com/2018/09/secure_and_gcc.pdf), 
there is a seperate project that tried to resolve the stack erasure problem. 
and the patch for
 stack erasure had been ready to submit. That specific patch does not handle 
register erasure problem. 

So, we will also address the register erasure problem with this patch along 
with the ROP mitigation. 

** Questions and Answers:

Q1. Which registers should be set to zeros at the return of the function?
A. the caller-saved, i.e, call-used, or call-clobbered registers.
   For ROP mitigation purpose, only the call-used registers that pass
parameters need to be zeroed. 
   For register erasure purpose, all the call-used registers might need to
be zeroed. we can provide multiple levels to user for controling the runtime
overhead. 

Q2. Why zeroing the registers other than randomalize them?
A. (From Kees Cook)
    In the performance analysis I looked at a while ago, doing the
register-self-xor is extremely fast to run (IIRC the cycle counts on x86
were absolutely tiny), and it's smaller for code size which minimized
the overall image footprint.
    a fixed value is a significantly better defensive position to take
for ROP. And specifically zero _tends_ to be the safest choice as it's
less "useful" to be used as a size, index, or pointer. And, no, it is
not perfect, but nothing can be if we're dealing with trying to defend
against arbitrary ROP gadget finding (or uninitialized stack contents,
where the same argument for "zero is best" also holds[1]).

-Kees
([1]https://lists.llvm.org/pipermail/cfe-dev/2020-April/065221.html)

    So, from both run-time performance and code-size aspects, setting the
registers to zero is a better approach. 

** Proposal:

We will provide a new feature into GCC for the above security purposes. 

Add -fzero-call-used-regs=[skip|rop-mitigation|used-gpr|all-gpr|used|all] 
command-line option
and 
zero_call_used_regs("skip|used-arg-gpr|used-arg|arg|used-gpr|all-gpr|used|all") 
function attribues:

    1. -mzero-call-used-regs=skip and zero_call_used_regs("skip")

    Don't zero call-used registers upon function return. This is the default 
behavior.

    2. -mzero-call-used-regs=used-arg-gpr and 
zero_call_used_regs("used-arg-gpr")

    Zero used call-used general purpose registers that are used to pass 
parameters upon function return.
    
    3. -mzero-call-used-regs=used-arg and zero_call_used_regs("used-arg")

    Zero used call-used registers that are used to pass parameters upon 
function return.

    4. -mzero-call-used-regs=arg and zero_call_used_regs("arg")

    Zero all call-used registers that are used to pass parameters upon function 
return.

    5. -mzero-call-used-regs=used-gpr and zero_call_used_regs("used-gpr")

    Zero used call-used general purpose registers upon function return.

    6. -mzero-call-used-regs=all-gpr and zero_call_used_regs("all-gpr")

    Zero all call-used general purpose registers upon function return.

    7. -mzero-call-used-regs=used and zero_call_used_regs("used")

    Zero used call-used registers upon function return.

    8. -mzero-call-used-regs=all and zero_call_used_regs("all")

    Zero all call-used registers upon function return.


Zero call-used registers at function return to increase the program
security by either mitigating Return-Oriented Programming (ROP) or 
preventing information leak through registers.  

@samp{skip}, which is the default, doesn't zero call-used registers. 

@samp{used-arg-gpr} zeros used call-used general purpose registers that 
pass parameters. @samp{used-arg} zeros used call-used registers that 
pass parameters. @samp{arg} zeros all call-used registers that pass
parameters. These 3 choices are used for ROP mitigation. 

@samp{used-gpr} zeros call-used general purpose registers 
which are used in function.  @samp{all-gpr} zeros all
call-used registers.  @samp{used} zeros call-used registers which
are used in function.  @samp{all} zeros all call-used registers. 
These 4 choices are used for preventing information leak through 
registers. 

You can control this behavior for a specific function by using the function
attribute @code{zero_call_used_regs}.  @xref{Function Attributes}.


Reply via email to