caml-list - the Caml user's mailing list
 help / color / mirror / Atom feed
* [Caml-list] Any plans for supporting Intel CET in OCaml?
@ 2019-07-25 14:28 Richard W.M. Jones
  2019-07-25 15:52 ` Gerd Stolpmann
  2019-07-31 12:05 ` Xavier Leroy
  0 siblings, 2 replies; 7+ messages in thread
From: Richard W.M. Jones @ 2019-07-25 14:28 UTC (permalink / raw)
  To: caml-list; +Cc: nickc

There's an effort to harden every binary in RHEL to protect against
ROP-style attacks.  Of course this is mainly applicable when your
language is vulnerable to buffer overflows, but sadly even our OCaml
applications still link to some C libraries :-(

I was looking into this and the indirect branch tracking (IBT) part
seems simple enough.  For every indirect jump or call _target_ you
must insert one of the two instructions ENDBR64 or ENDBR32 (both are
NOP-like on older processors).  The processor sets a flag when an
indirect jump is taken and #CP's if the indirect jump doesn't land on
one of these instructions.

There's also some stuff with shadow stacks which looks a lot more
complicated and I didn't fully understand.  The whole thing is
described in:

https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
https://lwn.net/Articles/758245/

Unfortunately (but for obvious reasons) every asm object in a program
must be compiled with CET in order to enable the feature for the
program as a whole.  This means that any mixed OCaml/C program can't
benefit from CET even in the C parts, unless we also support this in
the OCaml parts.

Has anyone looked into supporting this kind of thing in the amd64
backend?

(I looked at the OCaml trunk and couldn't see any relevant commits,
but maybe I missed something in my grepping).

Rich.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2019-07-31 17:38 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-25 14:28 [Caml-list] Any plans for supporting Intel CET in OCaml? Richard W.M. Jones
2019-07-25 15:52 ` Gerd Stolpmann
2019-07-25 19:24   ` Hendrik Boom
2019-07-31 12:05 ` Xavier Leroy
2019-07-31 14:19   ` Hendrik Boom
2019-07-31 15:21     ` Xavier Leroy
2019-07-31 17:40       ` Ivan Gotovchits

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).