Bug 729824 - Land JIT hardening nop insertion
Status: Closed, RESOLVED WONTFIX
Opened 13 years ago; closed 7 years ago
Category: Core :: JavaScript Engine, defect
People: Reporter: cdleary; Unassigned
Keywords: parity-edge, sec-want
Attachments (3 files):
15.34 KB, patch | dvander: review+
21.62 KB, patch | dvander: review+
32.18 KB, patch | dvander: review+
Description (Reporter, 13 years ago)
Initial RNG patch cleans up the kind of gross randomization reuse from the prior patch and makes a centralized RNG for JIT hardening in the JSRuntime that can be seeded at program startup.
Attachment #599855 - Flags: review?(dvander)
Updated (13 years ago): Attachment #599855 - Flags: review?(dvander) → review+
Comment 1 (Reporter, 13 years ago)
Patches 1 and 2 were just rebased from dmandelin's reviews -- this lets us seed the hardening via a shell option for maximum reproducibility WRT try failures. I also fixed some of the uses of print-like-a-function in jit-tests.py because it bugged me. :-)
Attachment #599859 - Flags: review?(dvander)
Updated (13 years ago): Attachment #599859 - Flags: review?(dvander) → review+
Comment 2 (Reporter, 13 years ago)
Simple change, but different enough it probably needs an r+ to land.
Attachment #600213 - Flags: review?(dvander)
Comment on attachment 600213
2.5. Use the RNG as the hardening enabler.
Review of attachment 600213:
-----------------------------------------------------------------
::: js/src/assembler/assembler/MacroAssemblerX86.h
@@ +220,5 @@
>
> Jump branchPtrWithPatch(Condition cond, RegisterID left, DataLabelPtr& dataLabel, ImmPtr initialRightValue = ImmPtr(0))
> {
> {
> + AutoUnharden au(this);
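Review bot: the added `AutoUnharden au(this);` at the top of branchPtrWithPatch carries no comment explaining why hardening has to be off in this function; add a one-line note that the patched immediate must keep a fixed position relative to the DataLabelPtr handed back through `dataLabel`, so a NOP landing inside the sequence would make later repatching write the wrong bytes. Recording that invariant next to the guard also makes it straightforward to audit which other patchable-sequence emitters (including the X64 and ARM counterparts of this file) need the same treatment.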
Do these calls need to appear in relevant places in X64.h and the ARM macro assembler?
Attachment #600213 - Flags: review?(dvander) → review+
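The design sketched in the description and Comment 1 (one centralized hardening RNG in the runtime, seeded once at startup so a failing run can be replayed with the same seed) together with the scoped-disable guard from the patch quoted above, modelled as an added example. This is not code from bug 729824 or from SpiderMonkey: the names HardeningRng, Runtime, Assembler::boundary(), patchSurvives() and unguardedSurvivors(), the xorshift64 generator and the opcode bytes are all constructed for the example.

```cpp
// Added example (not code from bug 729824 or SpiderMonkey): a seedable
// runtime-wide hardening RNG, a toy byte-buffer assembler that pads
// instruction boundaries with NOPs, and an AutoUnharden-style RAII guard.
#include <cstddef>
#include <cstdint>
#include <vector>

// xorshift64 (the algorithm is an assumption for this example). Seeded once
// at startup, so a failing build is replayed by passing the same seed.
struct HardeningRng {
    uint64_t state;
    explicit HardeningRng(uint64_t seed) : state(seed ? seed : 0x9E3779B97F4A7C15ull) {}
    uint64_t next() {
        state ^= state << 13;
        state ^= state >> 7;
        state ^= state << 17;
        return state;
    }
};

struct Runtime {
    HardeningRng rng;
    bool hardening;             // the enabler, set from a startup/shell option
    Runtime(uint64_t seed, bool enabled) : rng(seed), hardening(enabled) {}
};

struct Assembler {
    enum { kMaxNops = 3, kNop = 0x90 };   // 0x90: x86 one-byte NOP
    Runtime& rt;
    std::vector<uint8_t> code;
    int unhardenDepth = 0;      // >0 while an AutoUnharden is live
    explicit Assembler(Runtime& r) : rt(r) {}
    bool hardeningActive() const { return rt.hardening && unhardenDepth == 0; }

    // Instruction boundary: insert 0..kMaxNops NOPs when hardening is active.
    void boundary() {
        if (!hardeningActive()) return;
        unsigned n = unsigned(rt.rng.next() % (kMaxNops + 1));
        code.insert(code.end(), n, uint8_t(kNop));
    }

    // "mov scratch, imm32" (constructed opcode 0xB8 + 4 bytes) followed by
    // "cmp left, scratch" (constructed opcode 0x39). Returns the label at the
    // end; repatch() assumes the immediate sits exactly 5 bytes before it.
    size_t branchPtrWithPatch(uint32_t initial) {
        boundary();                         // padding before the sequence is harmless
        code.push_back(0xB8);
        for (int i = 0; i < 4; i++) code.push_back(uint8_t(initial >> (8 * i)));
        boundary();                         // a NOP here breaks the fixed distance
        code.push_back(0x39);
        return code.size();                 // stands in for the DataLabelPtr
    }

    // Repatch the immediate using only the label, as a real patcher would.
    void repatch(size_t label, uint32_t v) {
        size_t imm = label - 1 - 4;
        for (int i = 0; i < 4; i++) code[imm + i] = uint8_t(v >> (8 * i));
    }

    // Decode the immediate the way the CPU would: the 4 bytes after 0xB8.
    uint32_t decodeImm() const {
        size_t i = 0;
        while (code[i] == kNop) i++;
        uint32_t v = 0;
        for (int k = 0; k < 4; k++) v |= uint32_t(code[i + 1 + k]) << (8 * k);
        return v;
    }
};

// RAII guard in the spirit of the patch's AutoUnharden: NOP insertion is off
// for the guard's lifetime and restored when it goes out of scope.
struct AutoUnharden {
    Assembler& masm;
    explicit AutoUnharden(Assembler& m) : masm(m) { masm.unhardenDepth++; }
    ~AutoUnharden() { masm.unhardenDepth--; }
};

// Emit the sequence, repatch the immediate to 0xCAFEBABE, and report whether
// the value the CPU would see is the patched one. Guarded: true for every
// seed. Unguarded: false whenever the second boundary draw inserted a NOP.
bool patchSurvives(uint64_t seed, bool useGuard) {
    Runtime rt(seed, /*hardening=*/true);
    Assembler masm(rt);
    size_t label;
    if (useGuard) {
        AutoUnharden au(masm);
        label = masm.branchPtrWithPatch(0);
    } else {
        label = masm.branchPtrWithPatch(0);
    }
    masm.repatch(label, 0xCAFEBABEu);
    return masm.decodeImm() == 0xCAFEBABEu;
}

// How many seeds in [1, n] happen to survive without the guard.
unsigned unguardedSurvivors(unsigned n) {
    unsigned ok = 0;
    for (unsigned s = 1; s <= n; s++) if (patchSurvives(s, false)) ok++;
    return ok;
}
```

Two things worth noticing when running it: with the same seed the NOP layout is identical on every run, which is the reproducibility Comment 1 wants from a shell option; and without the guard some seeds pass and others corrupt the immediate, which is exactly the kind of intermittent failure a seed lets you replay on demand.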
Comment 4 (12 years ago)
Mass-reassigning cdleary's bugs to default. He won't work on any of them anymore. I guess, at least.
@cdleary: shout if you take issue with this.
Assignee: cdleary → general
Status: ASSIGNED → NEW
Updated (10 years ago): Assignee: general → nobody
Updated (9 years ago): Blocks: JITHardening; No longer depends on: JITHardening
Comment 5 (7 years ago)
I don't think NOP Insertion is valuable enough to implement, as it can be bypassed readily. If anyone wants to debate about it, feel free to comment or re-open.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Comment 6 (7 years ago)
See Also: https://github.com/Microsoft/ChakraCore/blob/39f7ce4f882088d05f87e4eb32fa60e5b2dabaad/lib/Backend/Security.cpp#L163
Chakra's InsertNops
Keywords: parity-edge
Comment 7 (7 years ago)
FWIW, we use nop insertion for fuzzing (as it tends to find bugs related to branch targeting, incorrectly not-fused code sequences, and so on); the ARM back-end implements support for it, though probably not elaborate enough for JIT hardening.