From 1b2761efdfa651b39501af8cf67e26d78746362c Mon Sep 17 00:00:00 2001
From: an7s <an7s@git.zephyr-software.com>
Date: Tue, 2 May 2017 14:16:08 +0000
Subject: [PATCH] Add mitigation policy

Former-commit-id: 5029273231838b99ca2c7e798c68d2c92bb5865e
---
 tools/transforms/PNTransformDriver.cpp |  6 +++---
 tools/transforms/PNTransformDriver.hpp |  5 +++++
 tools/transforms/Rewrite_Utility.cpp   | 19 +++++++++++++++----
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/tools/transforms/PNTransformDriver.cpp b/tools/transforms/PNTransformDriver.cpp
index b10f5ce25..6b10ce474 100644
--- a/tools/transforms/PNTransformDriver.cpp
+++ b/tools/transforms/PNTransformDriver.cpp
@@ -115,7 +115,7 @@ PNTransformDriver::PNTransformDriver(VariantID_t *pidp,string BED_script, pqxxDB
 	no_validation_level = -1;
 	coverage_threshold = -1;
 	do_shared_object_protection = false;
-
+	m_mitigation_policy = P_CONTROLLED_EXIT;
 }
 
 PNTransformDriver::~PNTransformDriver()
@@ -2388,7 +2388,7 @@ bool PNTransformDriver::Canary_Rewrite(PNStackLayout *orig_layout, Function_t *f
 			//This could probably be done once, but having the original instruction
 			//allows me to produce messages that indicate more precisely where
 			//the overflow occurred. 
-			Instruction_t *handler_code = getHandlerCode(virp,instr,P_CONTROLLED_EXIT);
+			Instruction_t *handler_code = getHandlerCode(virp,instr,GetMitigationPolicy());
 
 			//insert canary checks
 			//
@@ -2412,7 +2412,7 @@ bool PNTransformDriver::Canary_Rewrite(PNStackLayout *orig_layout, Function_t *f
 			//This could probably be done once, but having the original instruction
 			//allows me to produce messages that indicate more precisely where
 			//the overflow occurred. 
-			Instruction_t *handler_code = getHandlerCode(virp,instr,P_CONTROLLED_EXIT);
+			Instruction_t *handler_code = getHandlerCode(virp,instr,GetMitigationPolicy());
 
 			//insert canary checks
 			//
diff --git a/tools/transforms/PNTransformDriver.hpp b/tools/transforms/PNTransformDriver.hpp
index 73fabcad0..d57d5b098 100644
--- a/tools/transforms/PNTransformDriver.hpp
+++ b/tools/transforms/PNTransformDriver.hpp
@@ -100,6 +100,8 @@ class PNTransformDriver
     	// write stack objects to IRDB
     	bool write_stack_ir_to_db;
 
+	mitigation_policy m_mitigation_policy;
+
 	// a way to map an instruction to it's set of predecessors. 
   	std::map< Instruction_t* , set<Instruction_t*> > preds;
 
@@ -182,6 +184,9 @@ public:
 
     	virtual void GenerateTransforms();
     	virtual void SetWriteStackIrToDb(bool setting) { write_stack_ir_to_db = setting; }
+
+		inline virtual mitigation_policy GetMitigationPolicy() const { return m_mitigation_policy; }
+		virtual void SetMitigationPolicy(mitigation_policy policy) { m_mitigation_policy = policy; }
 };
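Review bot: `inline virtual mitigation_policy GetMitigationPolicy() const` combines `inline`, which is already implied for a function defined in the class body, with `virtual` on a one-line accessor; `virtual mitigation_policy GetMitigationPolicy() const { return m_mitigation_policy; }` matches the surrounding `SetWriteStackIrToDb` style, and the indentation of the two new lines (tab plus spaces) differs from the `    	` used by the lines above them. `SetMitigationPolicy` accepts any `mitigation_policy` value silently, yet only P_CONTROLLED_EXIT gets a dedicated handler in getHandlerCode while every other value falls into the `hlt` branch; a comment such as `// Only P_CONTROLLED_EXIT has a dedicated handler; other policies currently emit hlt` would save callers a surprise. The class definition begins outside this hunk.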
 
 #endif
diff --git a/tools/transforms/Rewrite_Utility.cpp b/tools/transforms/Rewrite_Utility.cpp
index 3a2a4e682..957333fb0 100644
--- a/tools/transforms/Rewrite_Utility.cpp
+++ b/tools/transforms/Rewrite_Utility.cpp
@@ -334,10 +334,21 @@ Instruction_t* getHandlerCode(FileIR_t* virp, Instruction_t* fallthrough, mitiga
 	else
 	{
 		assert(virp->GetArchitectureBitWidth()==64);
-		handler_code= allocateNewInstruction(virp,fallthrough);
-		setInstructionAssembly(virp,handler_code,"hlt",NULL,NULL);
-		handler_code->SetComment("hlt ; Make this into a callback: jdh@getHandlerCode");
-		handler_code->SetFallthrough(fallthrough);
+		if (policy == P_CONTROLLED_EXIT) 
+		{
+			handler_code = allocateNewInstruction(virp,fallthrough);
+			setInstructionAssembly(virp,handler_code,"mov rdi, 189",NULL,NULL);
+			Instruction_t* syscall_num = insertAssemblyAfter(virp,handler_code,"mov rax, 60",NULL);
+			Instruction_t* syscall_i = insertAssemblyAfter(virp,syscall_num,"syscall",NULL);
+			syscall_i->SetFallthrough(fallthrough);
+		}
+		else
+		{
+			handler_code= allocateNewInstruction(virp,fallthrough);
+			setInstructionAssembly(virp,handler_code,"hlt",NULL,NULL);
+			handler_code->SetComment("hlt ; Make this into a callback: jdh@getHandlerCode");
+			handler_code->SetFallthrough(fallthrough);
+		}
 	}
 
 	return handler_code;
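Review bot: The controlled-exit handler built from `mov rdi, 189`, `mov rax, 60` and `syscall` invokes sys_exit (60), which on x86-64 Linux terminates only the calling thread, so in a multithreaded target the remaining threads keep running after a corrupted canary has been detected; `mov rax, 231` (sys_exit_group) ends the whole process. The `syscall` instruction is also given the original instruction as its fallthrough, so if that syscall ever returned, execution would continue into the very code whose stack was just found corrupted; appending `Instruction_t* halt_i = insertAssemblyAfter(virp,syscall_i,"hlt",NULL); halt_i->SetFallthrough(fallthrough);` in place of `syscall_i->SetFallthrough(fallthrough);` keeps the previous fail-closed behaviour. Neither 189 nor 60 is named, so a comment like `// exit(189): x86-64 Linux exit syscall; status 189 presumably marks a canary failure` is needed, and the 32-bit branch above this hunk should be checked for the same thread-versus-process distinction. The closing brace of getHandlerCode lies past the end of the hunk.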
-- 
GitLab