From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by c5ff346549e7 (Postfix) with ESMTPS id C9B955D6 for ; Wed, 31 Jul 2019 12:06:00 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.64,330,1559512800"; d="scan'208,217";a="393995270" Received: from sympa.inria.fr ([193.51.193.213]) by mail2-relais-roc.national.inria.fr with ESMTP; 31 Jul 2019 14:05:59 +0200 Received: by sympa.inria.fr (Postfix, from userid 20132) id 5F4BD82717; Wed, 31 Jul 2019 14:05:59 +0200 (CEST) Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) by sympa.inria.fr (Postfix) with ESMTPS id 9544A826BB for ; Wed, 31 Jul 2019 14:05:55 +0200 (CEST) Authentication-Results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=Xavier.Leroy@inria.fr; spf=Pass smtp.mailfrom=xavier.leroy@gmail.com; spf=None smtp.helo=postmaster@mail-vs1-f47.google.com IronPort-PHdr: =?us-ascii?q?9a23=3Ahuf23hLENYMcE/RMwdmcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgeKPrxwZ3uMQTl6Ol3ixeRBMOHsqgC2red7/6ocFdDyK7JiGoFfp1IWk1Nou?= =?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZr?= =?us-ascii?q?KeTpAI7SiNm82/yv95HJbAhEmSSxbal2IRi2ogncucgbipZ+J6gszRfEvmFGcP?= =?us-ascii?q?lMy2NyIlKTkRf85sOu85Nm7i9dpfEv+dNeXKvjZ6g3QqBWAzogM2Au+c3krgLD?= =?us-ascii?q?QheV5nsdSWoZjBxFCBXY4R7gX5fxtiz6tvdh2CSfIMb7Q6w4VSik4qx2UxLjlj?= =?us-ascii?q?sJOCAl/2HWksxwjbxUoBS9pxxk3oXYZJiZOOdicq/BeN8XQ3dKUMRMWCxbGo6z?= =?us-ascii?q?YIUPAOgBM+hWrIfzukUAogelCAa2GO/i0CVFimPq0aA41ekqDAHI3BYnH9ILqH?= =?us-ascii?q?nbrc/6NLkTUe+r1qnD0DPNYO1M2Tf66InDbxcsrvCWUrJucMre11MvGxnDgFqO?= =?us-ascii?q?s4zlODOU2/8Ms2id9epgVPigh3QpqwFruzWiwNonhIfOhoIQ0F/E9CN5zZ40Jd?= =?us-ascii?q?2+VE50f9qkHIFMuCGdMot6WsciQm9uuCogzL0Jp4K7cS4Xw5ok3x7Sc+KLf5SM?= =?us-ascii?q?7x75V+ucIS10iGx4dL+9nRq//kqtx+vhXceuyllKtDBKktzUu3ANyRPT7s+HR+?= =?us-ascii?q?N4/ki72DaP0xnf6v9fIUwpjKbbJZEsz7wqmpoctkTDGSD2mEHog6OMakok/e2o?= =?us-ascii?q?5/zmYrXguJCcK5d5hh/iPqkqgMCyAuQ1PhIQU2SG++mwzrLu8E/hTLVPlPI2k6?= =?us-ascii?q?3ZsJ7AJcQco660GwBU3Zw96xa+ETimys4UnX0ZI1JffxKGj5PkO17LIP/iDPe/?= =?us-ascii?q?h06gnytsx/DDJrHhGInCLmDfkLf9erZw81JTxxA2zdBb/p5UDrABIOnvWkLqr9?= =?us-ascii?q?zZDho5MxSuzOr9CdV90JkeWWOVDaODPqPSqwzA2uV6adONb48cojq1FL4AobbM?= =?us-ascii?q?ink0ghVVKbOo1ps/YXa+E+RnKgOee3W60fkbFmJfjgMgTeHwwHmPSzlCLyKCVr?= =?us-ascii?q?w96yt9LI+8CpbrR4a3gbXH0j3tTc4eXXxPFl3ZSSSgTI6DQfpZLXvKepY8wAxB?= =?us-ascii?q?bqCoTsoa7T/rtAL+zOA6fO/d+yldq4m6kdYpuKvckhY98TEyBMOYgTnUHjNE21?= =?us-ascii?q?gQTjpz55hR5El0y1ONy6992qUKGtla5vcPWQA/Z8eFk75KTuvqUweERe+nDU68?= =?us-ascii?q?S4z+UzA3VNM4hdEUMR5w?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DFAgCDg0Fdhi/ZVdFlHQEBBQEHBQGBZ?= =?us-ascii?q?4JwFIEEKoQegR2OH4IPkn6ICQEDAQwnCAEBgUuFQxsHAQQ0EwEDAQEEAQECAQM?= =?us-ascii?q?DARMBAQEICwsIKYUlDII6KQGCZwEDAQEjMCYFCwsEBzcCAiISAQUBHAYTCIMaA?= =?us-ascii?q?YF7Dw+hHDyLIYEyhDMBCwEGAjsEAYNigUIGEoEii2CBVz+BEYJkLj6CYQECAYR?= =?us-ascii?q?qglgElCWIUo4VBwKBMmphhXuEczGIGRuYFpUQkCwPIYFGgXkzGidMMQaCNR+GF?= =?us-ascii?q?IRZhXxAMAGPUAEB?= X-IPAS-Result: =?us-ascii?q?A0DFAgCDg0Fdhi/ZVdFlHQEBBQEHBQGBZ4JwFIEEKoQegR2?= =?us-ascii?q?OH4IPkn6ICQEDAQwnCAEBgUuFQxsHAQQ0EwEDAQEEAQECAQMDARMBAQEICwsIK?= =?us-ascii?q?YUlDII6KQGCZwEDAQEjMCYFCwsEBzcCAiISAQUBHAYTCIMaAYF7Dw+hHDyLIYE?= =?us-ascii?q?yhDMBCwEGAjsEAYNigUIGEoEii2CBVz+BEYJkLj6CYQECAYRqglgElCWIUo4VB?= =?us-ascii?q?wKBMmphhXuEczGIGRuYFpUQkCwPIYFGgXkzGidMMQaCNR+GFIRZhXxAMAGPUAE?= =?us-ascii?q?B?= X-IronPort-AV: E=Sophos;i="5.64,330,1559512800"; d="scan'208,217";a="315252750" X-MGA-submission: =?us-ascii?q?MDGUd9jE4lrAfURt/Y8OBYFQi2U7l7fdjkHzp5?= =?us-ascii?q?lqvo+8d60c7dtib0zQFaTf1f3JpnREg0++EqEhhsnGl218Epn+2sv5lM?= =?us-ascii?q?YQxiLt7BJ7RbMWn+EoeUhd4czcEtOI/NL0ZceNYRXlK4e3f4u+dHacdA?= =?us-ascii?q?gM+Ih90I1DASCL88ArDdmq2Q=3D=3D?= Received: from mail-vs1-f47.google.com ([209.85.217.47]) by mail3-smtp-sop.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 31 Jul 2019 14:05:54 +0200 Received: by mail-vs1-f47.google.com with SMTP id 2so45918738vso.8 for ; Wed, 31 Jul 2019 05:05:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dy3huwbpHbzwjoPeFU71A9b+kZQMXx0mhpzxjjWC8WU=; b=F38GS0Z8s47kq3UFT+i56XTo3iNr3sZnRZOFlhiVS2dmWmA6SnKbtYfzLHy8GJsWDp cqwyv1FmeAMNtDJnGSLrCu6XTjFwicqm6Dr2zEZbD540gSmtLo2+pHk7Yu85uVJpQrLz rqFDC7VE2agZ2FgFjPGH7iYLvnxQX1MLIVbpxTeVqTd4N0X79gxaBKg5/AjruwvY1g5c c+jnRPaLd3g3mMOfi094O2IS2h8AKB8X7HmB/mS2j6QQhryRhsA2j3LaAw59nwBTy3ts 4+OKFPS9Pn/BrUW7AiIhwaYtJYz8WeMo97f3aQr8PQHgkGLHuNDdsM0m2ZXRLlZauecW ee0g== X-Gm-Message-State: APjAAAV3FSymWGkwFk6KyK2EK23D8XoYnfvWKH+RUiBDhcL4Xj0EmKFo lEVBpgpCZCeO453cAmn3io1G8qLzBoapjwFMUfk= X-Google-Smtp-Source: APXvYqxAuENdD4SYr7UGqj2nQcx+cF5ginMymV1B9sG+GFkCid2EOgN9k4EPncQEEGAwwDK37Kzzwu2f4Xuyxx3p0TM= X-Received: by 2002:a67:8701:: with SMTP id j1mr77730814vsd.199.1564574752829; Wed, 31 Jul 2019 05:05:52 -0700 (PDT) MIME-Version: 1.0 References: <20190725142821.hf524xbdgqcshrei@annexia.org> In-Reply-To: <20190725142821.hf524xbdgqcshrei@annexia.org> From: Xavier Leroy Date: Wed, 31 Jul 2019 14:05:26 +0200 Message-ID: To: "Richard W.M. Jones" Cc: caml users , nickc@redhat.com Content-Type: multipart/alternative; boundary="0000000000005df4d2058ef8f27c" Subject: Re: [Caml-list] Any plans for supporting Intel CET in OCaml? Reply-To: Xavier Leroy X-Loop: caml-list@inria.fr X-Sequence: 17721 Errors-to: caml-list-owner@inria.fr Precedence: list Precedence: bulk Sender: caml-list-request@inria.fr X-no-archive: yes List-Id: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --0000000000005df4d2058ef8f27c Content-Type: text/plain; charset="UTF-8" On Thu, Jul 25, 2019 at 4:28 PM Richard W.M. Jones wrote: > There's an effort to harden every binary in RHEL to protect against > ROP-style attacks. Of course this is mainly applicable when your > language is vulnerable to buffer overflows, but sadly even our OCaml > applications still link to some C libraries :-( > > I was looking into this and the indirect branch tracking (IBT) part > seems simple enough. For every indirect jump or call _target_ you > must insert one of the two instructions ENDBR64 or ENDBR32 (both are > NOP-like on older processors). The processor sets a flag when an > indirect jump is taken and #CP's if the indirect jump doesn't land on > one of these instructions. > Sounds like it should be easy to add to the OCaml x86-64 back-end. > > There's also some stuff with shadow stacks which looks a lot more > complicated and I didn't fully understand. The whole thing is > described in: > > > https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf > https://lwn.net/Articles/758245/ > > I don't understand how these shadow stacks are supposed to interact with exception handling, either Caml-style or C++/Java style. Kind regards, - Xavier Leroy > Unfortunately (but for obvious reasons) every asm object in a program > must be compiled with CET in order to enable the feature for the > program as a whole. This means that any mixed OCaml/C program can't > benefit from CET even in the C parts, unless we also support this in > the OCaml parts. > > Has anyone looked into supporting this kind of thing in the amd64 > backend? > > (I looked at the OCaml trunk and couldn't see any relevant commits, > but maybe I missed something in my grepping). > > Rich. > --0000000000005df4d2058ef8f27c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, Jul 25, 2019 at 4:28 PM Richard W.M. Jones <rich@annexia.org> wrote:
There's an effort to harden ever= y binary in RHEL to protect against
ROP-style attacks.=C2=A0 Of course this is mainly applicable when your
language is vulnerable to buffer overflows, but sadly even our OCaml
applications still link to some C libraries :-(

I was looking into this and the indirect branch tracking (IBT) part
seems simple enough.=C2=A0 For every indirect jump or call _target_ you
must insert one of the two instructions ENDBR64 or ENDBR32 (both are
NOP-like on older processors).=C2=A0 The processor sets a flag when an
indirect jump is taken and #CP's if the indirect jump doesn't land = on
one of these instructions.

Sounds like = it should be easy to add to the OCaml x86-64 back-end.
=C2=A0=

There's also some stuff with shadow stacks which looks a lot more
complicated and I didn't fully understand.=C2=A0 The whole thing is
described in:

https://software.intel.com/sites/default/files/managed/4d/2a/contro= l-flow-enforcement-technology-preview.pdf
https://lwn.net/Articles/758245/


I don't understand how these shado= w stacks are supposed to interact with exception handling, either Caml-styl= e or C++/Java style.=C2=A0

Kind regards,

- Xavier Leroy
=C2=A0
Unfortunately (but for obvious reasons) every asm object in a program
must be compiled with CET in order to enable the feature for the
program as a whole.=C2=A0 This means that any mixed OCaml/C program can'= ;t
benefit from CET even in the C parts, unless we also support this in
the OCaml parts.

Has anyone looked into supporting this kind of thing in the amd64
backend?

(I looked at the OCaml trunk and couldn't see any relevant commits,
but maybe I missed something in my grepping).

Rich.
--0000000000005df4d2058ef8f27c--