@Liran_Alon
RAP/XFG based on a hash seems better. Interesting observation that 7% of indirect branches have >100 valid targets if only the prototype is hashed. Thought: add a compiler annotation for non-cross-module func_ptrs & targets that makes the linker add a unique arg to the hash of this branch's targets? (2/2)
Liran Alon
@Liran_Alon
18 Jan
outflux.net/slides/2020/lc… @kees_cook slides on Linux kernel CFI. Clang jump-table based CFI seems quite bad as it adds many opcodes before the indirect branch, executes an additional jmp and requires global call-site visibility (e.g. it doesn't work for cross-module branches). (1/2)
|
||
|
|
||
|
Dave dwizzzle Weston
@dwizzzleMSFT
18 Jan
I think @smealum did a detailed analysis between Clang CFI and XFG
Liran Alon
@Liran_Alon
18 Jan
Actually, this also made me wonder about Intel CET forward-edge protection: it only verifies that the indirect branch target ends with ENDBR64, i.e. it only validates that it's some valid target and does not consider the context/prototype hash as RAP/XFG do. Doesn't this make the ENDBR64 mechanism useless?
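The distinction the thread keeps returning to, a coarse landing-pad check versus a per-call-site prototype hash, shown as an added C simulation that is not code from the tweets, from Kees Cook's slides, or from the RAP, XFG, Clang CFI or CET implementations. Everything in it is an assumption constructed for the example: the sample functions, the prototype strings, and an FNV-1a hash standing in for the type hash a compiler would derive; real IBT is enforced by the CPU at the ENDBR64 instruction and real RAP/XFG place their hash in the instruction stream rather than in a table. What it demonstrates is the point of the ENDBR64 question above: a type-confused function pointer is accepted by the landing-pad policy and rejected by the hash policy, and the valid-target set for one call site shrinks accordingly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*generic_fn)(void);

/* FNV-1a over a prototype string. Assumption: a stand-in for the type hash
 * RAP/XFG derive from the compiler's type information. */
static uint32_t proto_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (; *proto != '\0'; proto++) {
        h ^= (unsigned char)*proto;
        h *= 16777619u;
    }
    return h;
}

/* Constructed sample functions. square and negate share the prototype
 * int(int); run_cmd has a different one; internal_helper is never
 * address-taken, so a compiler would emit neither ENDBR64 nor a hash for it. */
static int square(int x) { return x * x; }
static int negate(int x) { return -x; }
static int run_cmd(const char *cmd) { return (int)strlen(cmd); }
static int internal_helper(int x) { return x + 1; }

/* What the toolchain knows about each function: its prototype and whether it
 * is a legitimate indirect-branch target (address taken => landing pad + hash). */
struct target {
    generic_fn fn;
    const char *proto;
    int address_taken;
};

static const struct target targets[] = {
    { (generic_fn)square,          "int(int)",         1 },
    { (generic_fn)negate,          "int(int)",         1 },
    { (generic_fn)run_cmd,         "int(const char*)", 1 },
    { (generic_fn)internal_helper, "int(int)",         0 },
};
#define NTARGETS (sizeof targets / sizeof targets[0])

static const struct target *lookup(generic_fn fn)
{
    for (size_t i = 0; i < NTARGETS; i++)
        if (targets[i].fn == fn)
            return &targets[i];
    return NULL;
}

/* Policy A, CET IBT style: the only question asked is "does the target begin
 * with ENDBR64?". Every address-taken function qualifies, whatever its type. */
int cet_allows(generic_fn fn)
{
    const struct target *t = lookup(fn);
    return t != NULL && t->address_taken;
}

/* Policy B, RAP/XFG style: the call site carries the hash of the prototype it
 * expects, and the target must carry the same hash. */
int hash_allows(generic_fn fn, const char *callsite_proto)
{
    const struct target *t = lookup(fn);
    return t != NULL && t->address_taken &&
           proto_hash(t->proto) == proto_hash(callsite_proto);
}

/* Size of the valid-target set each policy leaves for one call site. */
size_t valid_targets_cet(void)
{
    size_t n = 0;
    for (size_t i = 0; i < NTARGETS; i++)
        n += cet_allows(targets[i].fn) ? 1 : 0;
    return n;
}

size_t valid_targets_hash(const char *callsite_proto)
{
    size_t n = 0;
    for (size_t i = 0; i < NTARGETS; i++)
        n += hash_allows(targets[i].fn, callsite_proto) ? 1 : 0;
    return n;
}

/* An int(int) indirect call guarded by the chosen policy. Returns 0 and stores
 * the result in *out, or -1 without calling if the policy rejects the target. */
int guarded_call_int_int(int (*fp)(int), int arg, int use_hash, int *out)
{
    generic_fn g = (generic_fn)fp;
    if (!(use_hash ? hash_allows(g, "int(int)") : cet_allows(g)))
        return -1;
    *out = fp(arg);
    return 0;
}

int main(void)
{
    /* Type confusion: a pointer to run_cmd smuggled into an int(int) slot.
     * It is never actually invoked here; only the policy verdicts are shown. */
    int (*confused)(int) = (int (*)(int))run_cmd;
    int out = 0;
    printf("run_cmd at an int(int) site: CET %d, hash %d\n",
           cet_allows((generic_fn)confused), hash_allows((generic_fn)confused, "int(int)"));
    printf("valid targets: CET %zu, hash int(int) %zu\n",
           valid_targets_cet(), valid_targets_hash("int(int)"));
    printf("guarded square(5), hash policy: rc %d, out %d\n",
           guarded_call_int_int(square, 5, 1, &out), out);
    return 0;
}
```

The table stands in for what the compiler and linker know at build time; the "valid targets" counts are the quantity behind the 7%/>100-targets remark in the thread, and the thread's follow-up idea (a per-branch unique argument folded into the hash) would correspond to passing a different `callsite_proto` string per annotated branch.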