By: Doug S (foo.delete@this.bar.bar), August 17, 2020 9:58 pm
Room: Moderated Discussions
anon2 (anon.delete@this.anon.com) on August 17, 2020 9:24 pm wrote:
> Anon3 (anon3.delete@this.anon3.invalid) on August 17, 2020 5:34 pm wrote:
> > Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 4:34 pm wrote:
> > > You are suggesting that jumping into the middle of a pair may be a security hole.
> >
> > I know it's a security hole. Both of the CFI mechanisms I mentioned bear more than a passing resemblance
> > to a 2015 NSA paper called 'Hardware Control Flow Integrity (CFI) for an IT Ecosystem'. I can't
> > find the text online currently, but I remember that it claimed a 70% reduction in gadgets in GLIBC
> > by application of their proposal. I would not be at all surprised if the NSA strongly suggested
> > to various companies that they should adopt something similar into their ISAs.
> >
> > Obviously ARMv8 is fixed width, so you don't have the jumping-into-instructions
> > issue, but gadgets based on jumping to points which were not branch targets in the
> > compiler-intended control flow still exist; there are just fewer of them.
> >
> > > on the details of exactly how these pair instructions are implemented.
> >
> > It does not matter what the internal implementation is.
>
> It absolutely does.
>
> > It's a prefix opcode telling
> > you to decode the next opcode differently. Therefore there are now two different
> > interpretations of the same opcode. This increases the gadget space.
>
> No, not if you are prohibited from jumping into the middle of an instruction.
>
> This can be done architecturally, by marking the suffix as such. Or micro-architecturally
> by pre-decoding and marking instruction boundaries, which is absolutely possible
> if you have alignment restrictions on prefix instruction crossings.
They expanded to two word instructions because all the opcode slots in a single word were taken. I don't know the format of POWER instructions, but let's say it was the upper 7 bits. I assume one of those instructions is a no-op. If that's the case, then they could define the second word extension such that the upper 7 bits contain the 'no-op' instruction and have the actual opcode somewhere in the remaining 25 bits.
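To make the three positions in this thread concrete, here is an added Python model (not from any poster, and not POWER10's real encoding) of a toy fixed-width ISA with a 7-bit primary opcode. It assumes made-up opcode values and a constructed extension, and shows why a raw suffix word decodes as an unintended instruction when control lands on it, how Doug S's NOP-opcode suffix removes that decode, and how anon2's pre-decoded boundary marks turn such an entry into a fault.

```python
# Toy 32-bit fixed-width ISA, constructed for this example (NOT POWER10's real
# encoding): a 7-bit primary opcode in the upper bits, as the post assumes.
OPC_SHIFT = 32 - 7                      # payload occupies the low 25 bits
PAYLOAD_MASK = (1 << OPC_SHIFT) - 1
NOP, ADDI, LD, PREFIX = 0x00, 0x0E, 0x3E, 0x7F      # made-up opcode values
MNEMONIC = {NOP: "nop", ADDI: "addi", LD: "ld", PREFIX: "prefix"}

def opcode(word: int) -> int:
    return (word >> OPC_SHIFT) & 0x7F

def encode(opc: int, payload: int) -> int:
    return (opc << OPC_SHIFT) | (payload & PAYLOAD_MASK)

def prefixed_naive(ext: int) -> list[int]:
    # Suffix is raw extension bits: it decodes as whatever its top 7 bits say.
    return [encode(PREFIX, ext >> 32), ext & 0xFFFFFFFF]

def prefixed_nop_suffix(ext: int) -> list[int]:
    # Doug S's proposal: the suffix's top 7 bits always hold the NOP opcode;
    # the extension bits are split across the two 25-bit payload fields.
    return [encode(PREFIX, ext >> OPC_SHIFT), encode(NOP, ext)]

def decode_from(words: list[int], start: int) -> list[str]:
    # What a front end sees when control enters at word index `start`;
    # a prefix word consumes the following word as its suffix.
    out, i = [], start
    while i < len(words):
        opc = opcode(words[i])
        if opc == PREFIX and i + 1 < len(words):
            out.append(f"prefixed({words[i + 1]:#010x})")
            i += 2
        else:
            out.append(MNEMONIC.get(opc, f"illegal({opc:#x})"))
            i += 1
    return out

def boundaries(words: list[int]) -> set[int]:
    # anon2's micro-architectural option: pre-decode from a known start and
    # mark legal instruction boundaries, so a jump into a pair is detectable.
    marks, i = set(), 0
    while i < len(words):
        marks.add(i)
        i += 2 if opcode(words[i]) == PREFIX else 1
    return marks

def enter(words: list[int], target: int) -> list[str]:
    return decode_from(words, target) if target in boundaries(words) else ["fault"]

EXT = 0x7C0000FF  # constructed: low word has 0x3E ("ld") in its top 7 bits
NAIVE = prefixed_naive(EXT) + [encode(ADDI, 1)]   # pair followed by an addi
SAFE = prefixed_nop_suffix(EXT) + [encode(ADDI, 1)]
```

Entering `NAIVE` at word 1 yields an `ld` the compiler never emitted, while the same entry into `SAFE` yields a `nop`, and `enter()` refuses the non-boundary target outright.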