Control-flow integrity overhead

Message-ID: <03616e48-96ec-44f4-9265-69bd140b9dc8@app.fastmail.com>

Hi all,

I merged 5af33410 in main today but I'm having second thoughts.
I was expecting that the assembler could be put in a mode where the
control-flow integrity instructions added to each function
prelude can be eliminated, but it does not look like it is the
case. Linkers could be smart about it but I don't expect they
are today.

Please report any observed code-size / runtime overhead you go
by with qbe master. We can gate cfi behind a linkage flag if it
proves to be a problem.

Cheers.
Message-ID: <86313513-a25c-44ab-9c92-6dac49da0e40@app.fastmail.com>
In-Reply-To: <03616e48-96ec-44f4-9265-69bd140b9dc8@app.fastmail.com>

Hi,

This is irrelevant to code size or runtime overhead, but I do
wish this feature could be controlled behind a flag, because
on OpenBSD the default binutils shipped with the system is 2.17,
which does not seem to support `endbr64`. I had to 1) run
`pkg_add binutils` and 2) configure my copy of cproc using
`--with-as=gas` to make it work as expected. It would be great
if QBE could remove non-stock binutils as a hard dependency on
OpenBSD.

On Sat, Dec 30, 2023, at 7:19 AM, Quentin Carbonneaux wrote:
> Hi all,
>
> I merged 5af33410 in main today but I'm having second thoughts.
> I was expecting that the assembler could be put in a mode where the
> control-flow integrity instructions added to each function
> prelude can be eliminated, but it does not look like it is the
> case. Linkers could be smart about it but I don't expect they
> are today.
>
> Please report any observed code-size / runtime overhead you go
> by with qbe master. We can gate cfi behind a linkage flag if it
> proves to be a problem.
>
> Cheers.
Lorenz (xha) <me@xha.li>
Message-ID: <ZaT2_-xZpL5nFJ9_@xha.li>
In-Reply-To: <86313513-a25c-44ab-9c92-6dac49da0e40@app.fastmail.com>

hi,

first of all, QBE doesn't need a non-stock dependency on openbsd.
it can be used with `clang -o` which internally just uses the llvm
assembler (which understands endbr64) and that can be used to create
an object file.

anyways, i patched the binutils `as` in openbsd base to accept
endbr64 instructions and assemble them [1], so i'd like to kindly
ask if you could re-add the patch again. CFI has really minimal
overhead considering that it is really great for security when
supported.

this also makes QBE produce valid code that doesn't need the ld
-nobtcfi flag on OpenBSD.

[1]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/include/opcode/i386.h?r1=1.12

- lorenz
Lorenz (xha) <me@xha.li>
Message-ID: <ZbZmHHGV124L9Lik@xha.li>
In-Reply-To: <ZaT2_-xZpL5nFJ9_@xha.li>

friendly ping :)

On Mon, Jan 15, 2024 at 10:12:31AM +0100, Lorenz (xha) wrote:
> hi,
> 
> first of all, QBE doesn't need a non-stock dependency on openbsd.
> it can be used with `clang -o` which internally just uses the llvm
> assembler (which understands endbr64) and that can be used to create
> an object file.
> 
> anyways, i patched the binutils `as` in openbsd base to accept
> endbr64 instructions and assemble them [1], so i'd like to kindly
> ask if you could re-add the patch again. CFI has really minimal
> overhead considering that it is really great for security when
> supported.
> 
> this also makes QBE produce valid code that doesn't need the ld
> -nobtcfi flag on OpenBSD.
> 
> [1]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/binutils-2.17/include/opcode/i386.h?r1=1.12
> 
> - lorenz
Message-ID: <38d4f0c9-f615-4ea5-8986-7805db39fb61@caramail.com>
In-Reply-To: <ZbZmHHGV124L9Lik@xha.li>

Hello all,

>> endbr64 instructions and assemble them [1], so i'd like to kindly
>> ask if you could re-add the patch again. CFI has really minimal
>> overhead considering that it is really great for security when

I feel the patch is still incomplete.  On Linux at least -- and probably
other BSDs too -- the object module also needs to include a special ELF
note in .note.gnu.property, which will go into the final program, so
that the OS will know to enable the CPU's hardware checks at runtime.
GCC 11 does this.

(Without the note, there will be no control flow integrity checking, so
no added security, despite any `endbr64' opcodes.)

Thank you!
Lorenz (xha) <me@xha.li>
Message-ID: <ZbaplZlQn2BqjCi2@xha.li>
In-Reply-To: <38d4f0c9-f615-4ea5-8986-7805db39fb61@caramail.com>

On Mon, Jan 29, 2024 at 12:49:18AM +0800, TK Chia wrote:
> Hello all,
> 
> > > endbr64 instructions and assemble them [1], so i'd like to kindly
> > > ask if you could re-add the patch again. CFI has really minimal
> > > overhead considering that it is really great for security when
> 
> I feel the patch is still incomplete.  On Linux at least -- and probably
> other BSDs too -- the object module also needs to include a special ELF
> note in .note.gnu.property, which will go into the final program, so
> that the OS will know to enable the CPU's hardware checks at runtime.
> GCC 11 does this.

i think this is out of scope for QBE - this could be done by a linker
script or simply using gcc (or clang) as the linker.

> (Without the note, there will be no control flow integrity checking, so
> no added security, despite any `endbr64' opcodes.)

FYI it's enabled on openbsd by default and you don't need the special
segment.
Message-ID: <c9fd16e7-4427-46b2-a349-898d545092a4@caramail.com>
In-Reply-To: <ZbaplZlQn2BqjCi2@xha.li>

Hello Lorenz,

> i think this is out of scope for QBE - this could be done by a linker
> script or simply using gcc (or clang) as the linker.

On Linux the extra ELF note is indeed part of GCC cc1's assembly
language output.  The note looks something like this:

```
	.section	.note.gnu.property,"a"
	.align 8
	.long	1f - 0f
	.long	4f - 1f
	.long	5
0:
	.string	"GNU"
1:
	.align 8
	.long	0xc0000002
	.long	3f - 2f
2:
	.long	0x3
3:
	.align 8
4:
```

Also, one needs a CPU that actually supports CET (CPUID CET_IBT), to
actually get the extra control flow checks at run time anyway.  On my
system, I find that I need an emulator such as Intel's SDE
(https://www.intel.com/content/www/us/en/developer/articles/tool/software-development-emulator.html),
to properly test whether a program works in the presence of CET.

Thank you!
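An added example, not part of the thread or of QBE: a small Python checker that decodes the `.note.gnu.property` layout shown in the listing above (and, for convenience, locates that section in a little-endian ELF64 object) and reports the `GNU_PROPERTY_X86_FEATURE_1_AND` bits, so one can tell whether an object actually asks the loader for IBT rather than merely containing `endbr64`. The constant names follow the x86-64 psABI; the sample bytes are constructed to match the listing exactly.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5                    # note type carrying GNU properties
GNU_PROPERTY_X86_FEATURE_1_AND = 0xc0000002   # the pr_type in the listing above
FEATURE_1_IBT, FEATURE_1_SHSTK = 1 << 0, 1 << 1   # the two bits of the 0x3 above

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def parse_gnu_properties(body):
    """Decode an ELF64 .note.gnu.property body into {pr_type: raw data bytes}."""
    props, off = {}, 0
    while off + 12 <= len(body):
        namesz, descsz, ntype = struct.unpack_from("<III", body, off)
        name = body[off + 12:off + 12 + namesz]
        off = _align(off + 12 + namesz, 8)        # ELF64: desc starts 8-byte aligned
        desc, off = body[off:off + descsz], _align(off + descsz, 8)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue                              # some other vendor's note
        d = 0
        while d + 8 <= len(desc):                 # pr_type, pr_datasz, data, pad to 8
            pr_type, pr_datasz = struct.unpack_from("<II", desc, d)
            props[pr_type] = desc[d + 8:d + 8 + pr_datasz]
            d = _align(d + 8 + pr_datasz, 8)
    return props

def x86_feature_1_and(body):
    """GNU_PROPERTY_X86_FEATURE_1_AND bits; 0 means no note, so no IBT at run time."""
    data = parse_gnu_properties(body).get(GNU_PROPERTY_X86_FEATURE_1_AND, b"")
    return struct.unpack_from("<I", data)[0] if len(data) >= 4 else 0

def elf64_section(image, wanted):
    """Raw body of section `wanted` in a little-endian ELF64 image, b"" if absent."""
    if image[:5] != b"\x7fELF\x02":
        return b""
    (shoff,) = struct.unpack_from("<Q", image, 0x28)          # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", image, 0x3a)
    sh = lambda i: struct.unpack_from("<IIQQQQIIQQ", image, shoff + i * shentsize)
    strtab = sh(shstrndx)[4]                                  # sh_offset of .shstrtab
    for i in range(shnum):
        name_off, off, size = sh(i)[0], sh(i)[4], sh(i)[5]
        if image[strtab + name_off:image.index(b"\0", strtab + name_off)] == wanted:
            return image[off:off + size]
    return b""

# Constructed sample: the 32 bytes the listing above assembles to
# (namesz 4, descsz 16, type 5, "GNU\0", then one 16-byte property).
SAMPLE_NOTE = (struct.pack("<III", 4, 16, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
               + struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, 0x3) + b"\0" * 4)
```

To check a real object, call `x86_feature_1_and(elf64_section(open("foo.o", "rb").read(), b".note.gnu.property"))`; a result of 0 for an object that only carries `endbr64` instructions is exactly the "no note, no enforcement on Linux" situation described above.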