Re: Adding diversity for security (and testing)
[Posted August 28, 2013 by jake]
| From: | Stephen Crane <sjcrane-AT-uci.edu> |
| To: | Nadav Rotem <nrotem-AT-apple.com> |
| Subject: | Re: Adding diversity for security (and testing) |
| Date: | Mon, 26 Aug 2013 13:38:29 -0700 |
| Message-ID: | <521BBCC5.6060305@uci.edu> |
| Cc: | Per Larsen <perl-AT-uci.edu>, stefan brunthaler <s.brunthaler-AT-uci.edu>, Andrei Homescu <ahomescu-AT-uci.edu>, LLVM Developers Mailing List <llvmdev-AT-cs.uiuc.edu> |
| Archive-link: | Article, Thread |
Hi Nadav,
Thanks for your interest!
On 08/26/2013 11:51 AM, Nadav Rotem wrote:
> Which scheduler did you modify ? The plan is to disable the
> SelectionDAG scheduler and move to the MI Scheduler soon. Also, have
> you looked at randomizing register-allocation ?
Yes, we modified the SelectionDAG scheduler. This was before the MI
scheduler was around, but we will look into porting our ideas over to
the new scheduler.
Register allocation randomization is in fact another of our existing
transformations. We thought we would propose just a few simple
transforms initially, but we can certainly include register
randomization as well if there is enough interest.
>> We would also include a secure random number generator which links
>> against OpenSSL. This would of course be an optional module disabled
>> by default, but is necessary so the randomization is cryptographically
>> secure and useful in security applications.
> I am not sure why you need this feature. You can provide LLVM with a
> SEED value that can be controlled from the command line. A wrapper
> (such as a build-script) can control this value.
We do in fact seed the RNG with a command line parameter (we reuse the
-frandom-seed param that gcc implemented). However, we need some
reproducible, cryptographically secure source of randomness for each
random decision made during our transformations. We have found that the
system randomness (/dev/random) is insufficient for this purpose since
reproducible builds (given the secret seed) are preferable. The only way
to provide this reproducible stream of randomness is to have a
process-specific RNG, which we implement on top of OpenSSL for simplicity.
> Please make sure that the LLVM nightly test suite passes with
> randomization enabled.
Of course. Our patched version currently passes the existing test suite
on x86_64, and after adding additional tests we will certainly make sure
that the final patch passes the latest test suite.
Thanks,
Stephen
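
The reproducible, seed-driven stream of randomness described in the message above, as an added illustration that is not part of the original email or of the authors' patch. Python's standard `hmac` module stands in for the OpenSSL-backed generator, and `SeededStream`, `diversify`, the `sched:` context label and the sample instruction list are hypothetical names constructed for this sketch.

```python
import hashlib
import hmac

# Constructed sample input: instructions a scheduler could emit in any order.
READY = ["ld r%d" % i for i in range(16)]


class SeededStream:
    """Deterministic byte stream: HMAC-SHA256(key, counter) blocks."""

    def __init__(self, seed: str, context: str):
        # Per-context key: each pass/function gets an independent stream,
        # so adding a decision in one place does not shift all the others.
        self._key = hmac.new(seed.encode(), context.encode(), hashlib.sha256).digest()
        self._counter = 0
        self._buf = b""

    def read(self, n: int) -> bytes:
        while len(self._buf) < n:
            ctr = self._counter.to_bytes(8, "big")
            self._buf += hmac.new(self._key, ctr, hashlib.sha256).digest()
            self._counter += 1
        out, self._buf = self._buf[:n], self._buf[n:]
        return out

    def below(self, bound: int) -> int:
        """Uniform integer in [0, bound); rejection sampling avoids modulo bias."""
        if bound <= 0:
            raise ValueError("bound must be positive")
        nbytes = (bound.bit_length() + 7) // 8
        limit = (256 ** nbytes // bound) * bound
        while True:
            value = int.from_bytes(self.read(nbytes), "big")
            if value < limit:
                return value % bound

    def shuffle(self, items):
        """Fisher-Yates shuffle driven by the stream; returns a new list."""
        out = list(items)
        for i in range(len(out) - 1, 0, -1):
            j = self.below(i + 1)
            out[i], out[j] = out[j], out[i]
        return out


def diversify(seed: str, function_name: str, ready):
    """One randomized decision: order of independent instructions in a function."""
    return SeededStream(seed, "sched:" + function_name).shuffle(ready)
```

The same seed and function name always give the same ordering, which is what makes a diversified build reproducible for whoever holds the seed; a stream read from `/dev/random` cannot be replayed.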