Liran Alon Jan 18
Slides on Linux kernel CFI. Clang jmp-table based CFI seems quite bad as it adds many opcodes before the indirect branch, execs an additional jmp and requires global call-site visibility (e.g. doesn't work for cross-module branches). (1/2)
Liran Alon
RAP/XFG based on a hash seems better. Interesting observation that 7% of indirect branches have >100 valid targets if only the prototype is hashed. Thought: add a compiler annotation for non-cross-module func_ptrs & targets that makes the linker add a unique arg to this branch's targets' hash? (2/2)
Dave dwizzzle Weston Jan 18
Replying to @Liran_Alon @smealum
I think did a detailed analysis between Clang CFI and XFG
Liran Alon Jan 18
Replying to @dwizzzleMSFT @smealum
Actually, this also made me wonder about Intel CET forward-edge protection: it only verifies that the indirect branch target ends with ENDBR64, i.e. it only validates that it's some valid target and does not consider context/prototype hash as RAP/XFG do. Doesn't this make the ENDBR64 mechanism useless?
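The distinction the thread draws between a coarse forward-edge check (any legal indirect-branch target, as described for ENDBR64) and a prototype-hash check (RAP/XFG style), as an added C model that is not from any of the tweets nor from Clang, XFG/RAP or CET: the `Target` table, `proto_hash`, `coarse_check`, `fine_check` and the sample functions are constructed for illustration, and `count_valid_targets` computes the "valid targets per indirect branch" figure the second tweet quotes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not real CFI/XFG/CET code): every address-taken function
 * carries a hash of its prototype. The coarse check only asks whether the
 * address is an allowed indirect-branch target at all; the fine check also
 * requires the call site's expected prototype hash. */
typedef struct {
    const char *name;
    uint64_t    proto_hash;       /* hash of the type-signature string */
    int         is_branch_target; /* 1 if address-taken (would get ENDBR64) */
} Target;

/* FNV-1a over a signature string such as "int(int,int)"; stand-in hash. */
static uint64_t proto_hash(const char *sig) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *sig; sig++) { h ^= (unsigned char)*sig; h *= 0x100000001b3ULL; }
    return h;
}
/* Coarse forward-edge check: any address-taken function is accepted. */
static int coarse_check(const Target *t) { return t->is_branch_target; }

/* Fine check: the target must also carry the call site's prototype hash. */
static int fine_check(const Target *t, uint64_t expected) {
    return t->is_branch_target && t->proto_hash == expected;
}
/* Number of targets a call site with this hash may legitimately reach. */
static size_t count_valid_targets(const Target *tbl, size_t n, uint64_t exp) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += fine_check(&tbl[i], exp) != 0;
    return c;
}
/* Constructed sample program: three address-taken functions, one that is not. */
static size_t sample_table(Target *tbl) {
    tbl[0] = (Target){"add",      proto_hash("int(int,int)"), 1};
    tbl[1] = (Target){"sub",      proto_hash("int(int,int)"), 1};
    tbl[2] = (Target){"free_buf", proto_hash("void(void*)"),  1};
    tbl[3] = (Target){"helper",   proto_hash("int(int,int)"), 0};
    return 4;
}
int main(void) {
    Target tbl[4];
    size_t n = sample_table(tbl);
    uint64_t want = proto_hash("int(int,int)"); /* call site: int (*op)(int,int) */
    for (size_t i = 0; i < n; i++)
        printf("%-9s coarse=%d fine=%d\n", tbl[i].name,
               coarse_check(&tbl[i]), fine_check(&tbl[i], want));
    printf("valid targets for this call site: %zu\n", count_valid_targets(tbl, n, want));
    return 0;
}
```

With the sample table, `free_buf` passes the coarse check at an `int(int,int)` call site but fails the hash check, and only two targets remain valid for that call site; a larger program with many functions of one common prototype is what produces the wide target sets the tweet mentions.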