update to separate jmps from fixed-calls and plt-dispatches. added options...

update to separate jmps from fixed-calls and plt-dispatches. added options --protect-calls and --no-protect-calls

update to separate jmps from fixed-calls and plt-dispatches. added options...
9a118ea0 · jdh8d · 479e0916 · 9a118ea0 · 9a118ea0 · 9a118ea0
Commit 9a118ea0 authored 8 years ago by jdh8d
--- a/SConscript
+++ b/SConscript
@@ -21,7 +21,7 @@ files=Glob( Dir('.').srcnode().abspath+"/*.cpp")
 pgm="selective_cfi.exe"

 LIBPATH="$SECURITY_TRANSFORMS_HOME/lib"
-LIBS=Split( env.subst('$BASE_IRDB_LIBS')+ "  IRDB-cfg IRDB-util transform rewrite MEDSannotation ") 
+LIBS=Split( env.subst('$BASE_IRDB_LIBS')+ "  IRDB-core IRDB-cfg IRDB-util transform rewrite MEDSannotation ") 
 myenv=myenv.Clone(CPPPATH=Split(cpppath))
 pgm=myenv.Program(pgm,  files,  LIBPATH=LIBPATH, LIBS=LIBS)
 install=myenv.Install("$SECURITY_TRANSFORMS_HOME/plugins_install/", pgm)

--- a/scfi_driver.cpp
+++ b/scfi_driver.cpp
@@ -38,6 +38,7 @@ void usage(char* name)
 	cerr<<" Usage: "<<name<<" <variant_id>  \n"
 "		[--color|--no-color]  \n"
 "		[--protect-jumps|--no-protect-jumps]  \n"
+"		[--protect-calls|--no-protect-calls]  \n"
 "		[--protect-rets|--no-protect-rets] \n"
 "		[--protect-safefn|--no-protect-safefn]  \n"
 "		[ --common-slow-path | --no-common-slow-path ] \n"
@@ -61,7 +62,8 @@ int main(int argc, char **argv)

 	bool do_coloring=false;
 	bool do_common_slow_path=true;
-	bool do_jumps=true;
+	bool do_jumps=false;
+	bool do_calls=true;
 	bool do_rets=true;
 	bool do_safefn=true;
 	for(int  i=2;i<argc;i++)
@@ -76,6 +78,16 @@ int main(int argc, char **argv)
 			cout<<"Not using coloring..."<<endl;
 			do_coloring=false;
 		}
+		else if(string(argv[i])=="--protect-calls")
+		{
+			cout<<"protecting calls..."<<endl;
+			do_calls=true;
+		}
+		else if(string(argv[i])=="--no-protect-calls")
+		{
+			cout<<"Not protecting calls..."<<endl;
+			do_calls=false;
+		}
 		else if(string(argv[i])=="--protect-jumps")
 		{
 			cout<<"protecting jumps..."<<endl;
@@ -152,7 +164,7 @@ int main(int argc, char **argv)

                try
                {
-			SCFI_Instrument scfii(firp, do_coloring, do_common_slow_path, do_jumps, do_rets, do_safefn);
+			SCFI_Instrument scfii(firp, do_coloring, do_common_slow_path, do_jumps, do_calls, do_rets, do_safefn);


 			int success=scfii.execute();

--- a/scfi_instr.cpp
+++ b/scfi_instr.cpp
@@ -404,8 +404,6 @@ void mov_reloc(Instruction_t* from, Instruction_t* to, string type )

 void SCFI_Instrument::AddJumpCFI(Instruction_t* insn)
 {
-	if(!do_jumps)
-		return;
 	assert(do_rets);
 	ColoredSlotValue_t v2;
 	if(insn->GetIBTargets() && color_map)
@@ -598,6 +596,32 @@ static void display_histogram(std::ostream& out, std::string attr_label, std::ma
 	}
 }

+bool SCFI_Instrument::is_plt_style_jmp(Instruction_t* insn) 
+{
+	DISASM d;
+	insn->Disassemble(d);
+	if((d.Argument1.ArgType&MEMORY_TYPE)==MEMORY_TYPE)
+	{
+		if(d.Argument1.Memory.BaseRegister == 0 && d.Argument1.Memory.IndexRegister == 0)  
+			return true;
+		return false;
+	}
+	return false;
+}
+
+bool SCFI_Instrument::is_jmp_a_fixed_call(Instruction_t* insn) 
+{
+	if(preds[insn].size()!=1)
+		return false;
+
+	Instruction_t* pred=*(preds[insn].begin());
+	assert(pred);
+
+	if(pred->GetDataBits()[0]==0x68)
+		return true;
+	return false;
+}
+
 bool SCFI_Instrument::instrument_jumps() 
 {
 	int cfi_checks=0;
@@ -607,12 +631,14 @@ bool SCFI_Instrument::instrument_jumps()
 	int cfi_branch_call_complete=0;
 	int cfi_branch_ret_checks=0;
 	int cfi_branch_ret_complete=0;
-	int	cfi_safefn_jmp_skipped=0;
-	int	cfi_safefn_ret_skipped=0;
+	int cfi_safefn_jmp_skipped=0;
+	int cfi_safefn_ret_skipped=0;
 	int ibt_complete=0;
 	double cfi_branch_jmp_complete_ratio = NAN;
+	double cfi_branch_call_complete_ratio = NAN;
 	double cfi_branch_ret_complete_ratio = NAN;

+	std::map<int, int> calls;
 	std::map<int, int> jmps;
 	std::map<int, int> rets;

@@ -642,27 +668,48 @@ bool SCFI_Instrument::instrument_jumps()
 		switch(d.Instruction.BranchType)
 		{
 			case  JmpType:
-				if((d.Argument1.ArgType&MEMORY_TYPE)==MEMORY_TYPE)
+				if((d.Argument1.ArgType&CONSTANT_TYPE)!=CONSTANT_TYPE)
 				{
-					if (insn->GetIBTargets() && insn->GetIBTargets()->IsComplete())
+					bool is_fixed_call=is_jmp_a_fixed_call(insn);
+					bool is_plt_style=is_plt_style_jmp(insn);
+					bool is_any_call_style = (is_fixed_call || is_plt_style);
+					if(do_jumps && !is_any_call_style)
 					{
-						cfi_branch_jmp_complete++;
-						jmps[insn->GetIBTargets()->size()]++;
-					}
+						if (insn->GetIBTargets() && insn->GetIBTargets()->IsComplete())
+						{
+							cfi_branch_jmp_complete++;
+							jmps[insn->GetIBTargets()->size()]++;
+						}

-/*
-    @FIXME @TODO Take care of indirect jumps
-					if (!do_safefn && safefn)
-					{
-						cfi_safefn_jmp_skipped++;
-						continue;
+						cfi_checks++;
+						cfi_branch_jmp_checks++;
+
+						AddJumpCFI(insn);
 					}
-*/
+					else if(do_calls && is_any_call_style)
+					{
+						if (insn->GetIBTargets() && insn->GetIBTargets()->IsComplete())
+						{
+							cfi_branch_call_complete++;
+							calls[insn->GetIBTargets()->size()]++;
+						}

-					cfi_checks++;
-					cfi_branch_jmp_checks++;
-					AddJumpCFI(insn);
+						cfi_checks++;
+						cfi_branch_call_checks++;
+
+						AddJumpCFI(insn);
+					}
+					else 
+					{	
+						cout<<"Eliding protection for "<<insn->getDisassembly()<<std::boolalpha
+							<<" is_fixed_call="<<is_fixed_call
+							<<" is_plt_style="<<is_plt_style
+							<<" is_any_call_style="<<is_any_call_style
+							<<" do_jumps="<<do_jumps
+							<<" do_calls="<<do_calls<<endl;
+					}
 				}
+	
 				break;

 			case  CallType:
@@ -702,13 +749,12 @@ bool SCFI_Instrument::instrument_jumps()
 	
 	cout<<"# ATTRIBUTE cfi_jmp_checks="<<std::dec<<cfi_branch_jmp_checks<<endl;
 	cout<<"# ATTRIBUTE cfi_jmp_complete="<<cfi_branch_jmp_complete<<endl;
-
 	display_histogram(cout, "cfi_jmp_complete_histogram", jmps);

-/*
 	cout<<"# ATTRIBUTE cfi_branch_call_checks="<<std::dec<<cfi_branch_call_checks<<endl;
 	cout<<"# ATTRIBUTE cfi_branch_call_complete="<<std::dec<<cfi_branch_call_complete<<endl;
-*/
+	display_histogram(cout, "cfi_call_complete_histogram", calls);
+
 	cout<<"# ATTRIBUTE cfi_ret_checks="<<std::dec<<cfi_branch_ret_checks<<endl;
 	cout<<"# ATTRIBUTE cfi_ret_complete="<<std::dec<<cfi_branch_ret_complete<<endl;
 	display_histogram(cout, "cfi_ret_complete_histogram", rets);
@@ -720,6 +766,9 @@ bool SCFI_Instrument::instrument_jumps()
 	if (cfi_branch_jmp_checks > 0) 
 		cfi_branch_jmp_complete_ratio = (double)cfi_branch_jmp_complete / cfi_branch_jmp_checks;

+	if (cfi_branch_call_checks > 0) 
+		cfi_branch_call_complete_ratio = (double)cfi_branch_call_complete / cfi_branch_call_checks;
+
 	if (cfi_branch_ret_checks > 0) 
 		cfi_branch_ret_complete_ratio = (double)cfi_branch_ret_complete / cfi_branch_ret_checks;

@@ -729,7 +778,7 @@ bool SCFI_Instrument::instrument_jumps()
 	

 	cout << "# ATTRIBUTE cfi_jmp_complete_ratio=" << cfi_branch_jmp_complete_ratio << endl;
-
+	cout << "# ATTRIBUTE cfi_call_complete_ratio=" << cfi_branch_call_complete_ratio << endl;
 	cout << "# ATTRIBUTE cfi_ret_complete_ratio=" << cfi_branch_ret_complete_ratio << endl;
 	cout << "# ATTRIBUTE cfi_complete_ratio=" << cfi_branch_ret_complete_ratio << endl;


--- a/scfi_instr.hpp
+++ b/scfi_instr.hpp
@@ -22,7 +22,10 @@
 #define scfi_instrument_hpp

 #include <libIRDB-core.hpp>
+#include <libIRDB-util.hpp>
 #include "color_map.hpp"
+#include <iostream>
+#include <iomanip>



@@ -32,16 +35,28 @@ class SCFI_Instrument
 		SCFI_Instrument(libIRDB::FileIR_t *the_firp, 
 				bool p_do_coloring=true,
 				bool p_do_common_slow_path=true,
-				bool p_do_jumps=true,
+				bool p_do_jumps=false,
+				bool p_do_calls=true,
 				bool p_do_rets=true,
 				bool p_do_safefn=true) 
 			: firp(the_firp), 
 			  do_coloring(p_do_coloring), 
 			  do_common_slow_path(p_do_common_slow_path), 
 			  do_jumps(p_do_jumps), 
+			  do_calls(p_do_calls), 
 			  do_rets(p_do_rets), 
 			  do_safefn(p_do_safefn), 
-			  color_map(NULL) {}
+			  color_map(NULL) 
+		{ 
+			std::cout<<std::boolalpha;
+			std::cout<<"#ATTRIBUTE do_coloring="<<p_do_coloring<<std::endl;
+			std::cout<<"#ATTRIBUTE do_common_slow_path="<<p_do_common_slow_path<<std::endl;
+			std::cout<<"#ATTRIBUTE do_jumps="<<p_do_jumps<<std::endl;
+			std::cout<<"#ATTRIBUTE do_calls="<<p_do_calls<<std::endl;
+			std::cout<<"#ATTRIBUTE do_rets="<<p_do_rets<<std::endl;
+			std::cout<<"#ATTRIBUTE do_safefn="<<p_do_safefn<<std::endl;
+			preds.AddFile(the_firp); 
+		}
 		bool execute();

 	private:
@@ -55,6 +70,10 @@ class SCFI_Instrument
 		libIRDB::Relocation_t* create_reloc(libIRDB::Instruction_t* insn);
 		libIRDB::Relocation_t* FindRelocation(libIRDB::Instruction_t* insn, std::string type);
 		bool isSafeFunction(libIRDB::Instruction_t* insn);
+		bool is_jmp_a_fixed_call(libIRDB::Instruction_t* insn);
+		bool is_plt_style_jmp(libIRDB::Instruction_t* insn);
+
+

 		// add instrumentation
 		bool add_scfi_instrumentation(libIRDB::Instruction_t* insn);
@@ -72,12 +91,14 @@ class SCFI_Instrument
 		unsigned int GetNonceOffset(libIRDB::Instruction_t*);


-
+		// predecessors of instructions.
+		libIRDB::InstructionPredecessors_t preds;
 	
 		libIRDB::FileIR_t* firp;
 		bool do_coloring;
 		bool do_common_slow_path;
 		bool do_jumps;
+		bool do_calls;
 		bool do_rets;
 		bool do_safefn;
 		ColoredInstructionNonces_t *color_map;