Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 4:34 pm wrote:
> You are suggesting that jumping into the middle of a paid may be a security hole.

I know it's a security hole. Both of the CFI mechanisms I mentioned bear more than a passing resemblance to a 2015 NSA paper called 'Hardware Control Flow Integrity (CFI) for an IT Ecosystem' I can't find the text online currently but I remember that it claimed a 70% reduction in gadgets in GLIBC by application of their proposal. I would not be at all surprised if the NSA strongly suggested to various companies that they should adopt something similar in to their ISAs.

Obviously ARMv8 is fixed width so you don't have the jumping in to instructions issue but gadgets based on jumping to points which were not branch targets in the compiler intended control flow still exist, there are just fewer of them.

> on the details of exactly how these pair instructions are implemented.

It does not matter what the internal implementation is. It's a prefix opcode felling you to to decode the next opcode differently. Therefore there are now two different interpretations to the same opcode. This increases the gadget space.

> x86 has this as a security problem because they promise that jumping into such an instruction stream
> will work.

The processor cannot know where the instruction boundaries are without decoding from the target of a branch and some x86 instructions are one byte thus it's a fundamental property of the ISA (without CFI) that you must be able to jump to any address.


> IBM has less of a problem if they don't make that promise.

Without CFI the processor has no clue what the intended control flow is. It simply can't know that it is jumping to an address containing an opcode which is meant (by the programmer/compiler) to be subject to a prefix. As the entire point of the prefix system is to reuse opcode space it's highly likely the that such an opcode will be valid and execute.