By: anon2 (anon.delete@this.anon.com), August 17, 2020 9:24 pm
Room: Moderated Discussions
Anon3 (anon3.delete@this.anon3.invalid) on August 17, 2020 5:34 pm wrote:
> Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 4:34 pm wrote:
> > You are suggesting that jumping into the middle of a paid may be a security hole.
>
> I know it's a security hole. Both of the CFI mechanisms I mentioned bear more than a passing resemblance
> to a 2015 NSA paper called 'Hardware Control Flow Integrity (CFI) for an IT Ecosystem' I can't
> find the text online currently but I remember that it claimed a 70% reduction in gadgets in GLIBC
> by application of their proposal. I would not be at all surprised if the NSA strongly suggested
> to various companies that they should adopt something similar in to their ISAs.
>
> Obviously ARMv8 is fixed width so you don't have the jumping in to instructions
> issue but gadgets based on jumping to points which were not branch targets in the
> compiler intended control flow still exist, there are just fewer of them.
>
> > on the details of exactly how these pair instructions are implemented.
>
> It does not matter what the internal implementation is.
It absolutely does.
> It's a prefix opcode felling
> you to to decode the next opcode differently. Therefore there are now two different
> interpretations to the same opcode. This increases the gadget space.
No, not if you are prohibited from jumping into the middle of an instruction.
This can be done architecturally, by marking the suffix as such. Or micro-architecturally by pre-decoding and marking instruction boundaries, which is absolutely possible if you have alignment restrictions on prefix instruction crossings.
> Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 4:34 pm wrote:
> > You are suggesting that jumping into the middle of a paid may be a security hole.
>
> I know it's a security hole. Both of the CFI mechanisms I mentioned bear more than a passing resemblance
> to a 2015 NSA paper called 'Hardware Control Flow Integrity (CFI) for an IT Ecosystem' I can't
> find the text online currently but I remember that it claimed a 70% reduction in gadgets in GLIBC
> by application of their proposal. I would not be at all surprised if the NSA strongly suggested
> to various companies that they should adopt something similar in to their ISAs.
>
> Obviously ARMv8 is fixed width so you don't have the jumping in to instructions
> issue but gadgets based on jumping to points which were not branch targets in the
> compiler intended control flow still exist, there are just fewer of them.
>
> > on the details of exactly how these pair instructions are implemented.
>
> It does not matter what the internal implementation is.
It absolutely does.
> It's a prefix opcode felling
> you to to decode the next opcode differently. Therefore there are now two different
> interpretations to the same opcode. This increases the gadget space.
No, not if you are prohibited from jumping into the middle of an instruction.
This can be done architecturally, by marking the suffix as such. Or micro-architecturally by pre-decoding and marking instruction boundaries, which is absolutely possible if you have alignment restrictions on prefix instruction crossings.
| Topic | Posted By | Date |
|---|---|---|
| IBM introduces POWER10 | Crystal S. Diamond | 2020/08/16 10:20 PM |
| "New ISA Prefix Fusion" | QAnon | 2020/08/16 11:21 PM |
| "New ISA Prefix Fusion" | Anon3 | 2020/08/17 06:59 AM |
| "New ISA Prefix Fusion" | Kevin G | 2020/08/17 10:51 AM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/17 11:51 AM |
| "New ISA Prefix Fusion" | Anon3 | 2020/08/17 04:10 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/17 04:34 PM |
| "New ISA Prefix Fusion" | Anon3 | 2020/08/17 05:34 PM |
| "New ISA Prefix Fusion" | Adrian | 2020/08/17 06:39 PM |
| "New ISA Prefix Fusion" | anon2 | 2020/08/17 09:24 PM |
| "New ISA Prefix Fusion" | Doug S | 2020/08/17 09:58 PM |
| "New ISA Prefix Fusion" | hobold | 2020/08/18 01:47 AM |
| "New ISA Prefix Fusion" | Michael S | 2020/08/18 04:48 AM |
| "New ISA Prefix Fusion" | hobold | 2020/08/18 11:58 AM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/18 01:00 PM |
| "New ISA Prefix Fusion" | Michael S | 2020/08/18 01:48 PM |
| "New ISA Prefix Fusion" | hobold | 2020/08/18 02:29 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/18 03:46 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/18 03:42 PM |
| "New ISA Prefix Fusion" | anon2 | 2020/08/18 07:04 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/18 09:17 PM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/19 04:08 AM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/19 10:02 AM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/19 11:08 AM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/19 12:05 PM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/19 02:14 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/19 02:44 PM |
| IBM introduces POWER10 | Thu | 2020/08/16 11:56 PM |
| IBM introduces POWER10 | Michael S | 2020/08/17 02:12 AM |
| IBM introduces POWER10 | Thu | 2020/08/17 03:27 AM |
| IBM introduces POWER10 | TransientStudent | 2020/08/17 04:23 AM |
| IBM introduces POWER10 | Rayla | 2020/08/17 04:29 AM |
| IBM introduces POWER10 | Maynard Handley | 2020/08/17 10:44 AM |
| IBM introduces POWER10 | Kevin G | 2020/08/17 10:57 AM |
| IBM introduces POWER10 | Rayla | 2020/08/17 04:26 AM |
| IBM introduces POWER10 | Thu | 2020/08/17 05:00 PM |
| Matrix Math Accelerator | Adrian | 2020/08/17 01:01 AM |
| Matrix Math Accelerator | Michael S | 2020/08/17 02:32 AM |
| Matrix Math Accelerator | Adrian | 2020/08/17 02:46 AM |
| Matrix Math Accelerator | j | 2020/08/18 02:32 AM |