By: Michael S (already5chosen.delete@this.yahoo.com), August 18, 2020 4:48 am
Room: Moderated Discussions
Doug S (foo.delete@this.bar.bar) on August 17, 2020 9:58 pm wrote:
> anon2 (anon.delete@this.anon.com) on August 17, 2020 9:24 pm wrote:
> > Anon3 (anon3.delete@this.anon3.invalid) on August 17, 2020 5:34 pm wrote:
> > > Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 4:34 pm wrote:
> > > > You are suggesting that jumping into the middle of a pair may be a security hole.
> > >
> > > I know it's a security hole. Both of the CFI mechanisms I mentioned bear more than a passing resemblance
> > > to a 2015 NSA paper called 'Hardware Control Flow Integrity (CFI) for an IT Ecosystem'. I can't
> > > find the text online currently but I remember that it claimed a 70% reduction in gadgets in GLIBC
> > > by application of their proposal. I would not be at all surprised if the NSA strongly suggested
> > > to various companies that they should adopt something similar into their ISAs.
> > >
> > > Obviously ARMv8 is fixed width so you don't have the jumping into instructions
> > > issue, but gadgets based on jumping to points which were not branch targets in the
> > > compiler-intended control flow still exist; there are just fewer of them.
> > >
> > > > on the details of exactly how these pair instructions are implemented.
> > >
> > > It does not matter what the internal implementation is.
> >
> > It absolutely does.
> >
> > > It's a prefix opcode telling
> > > you to decode the next opcode differently. Therefore there are now two different
> > > interpretations of the same opcode. This increases the gadget space.
> >
> > No, not if you are prohibited from jumping into the middle of an instruction.
> >
> > This can be done architecturally, by marking the suffix as such. Or micro-architecturally
> > by pre-decoding and marking instruction boundaries, which is absolutely possible
> > if you have alignment restrictions on prefix instruction crossings.
>
>
> They expanded to two word instructions because all the opcode slots in a single word were taken. I don't
> know the format of POWER instructions, but let's say it was the upper 7 bits. I assume one of those instructions
> is a no-op. If that's the case, then they could define the second word extension such that the upper 7 bits
> contain the 'no-op' instruction and have the actual opcode somewhere in the remaining 25 bits.
It does not work like that.
1.6.3 Instruction Prefix Formats
Prefixed instructions consist of a 4-byte prefix followed by a 4-byte suffix. The prefix formats are specified below. The suffix formats share the same formats as word instructions, as specified in Section 1.6.1 on page 12.
Bits 0:5 of all prefixes are assigned the primary opcode value 0b000001. 0b000001 is not available for use as a primary opcode for either word instructions or suffixes of prefixed instructions.
Prefix bits 6:7 are used to identify one of four prefix format types. When bit 6 is set to 0 (prefix types 00 and 01), the suffix is not a defined word instruction (i.e., requires the prefix to identify the alternate opcode space the suffix is assigned to as well as additional or extended operand and/or control fields); when bit 6 is set to 1 (prefix types 10 and 11), the prefix is modifying the behavior of a defined word instruction in the suffix.
You see, when bit 6 is set to 1, the following word is by design always a legal instruction.
BTW, Power ISA™ Version 3.1 manual is here https://ibm.ent.box.com/s/hhjfw0x0lrbtyzmiaffnbxh2fuo0fog0
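As an added illustration of the boundary-marking pre-decode idea discussed above (constructed Python, not code from the Power ISA manual or any real decoder), the walk below applies the quoted 1.6.3 rules to a constructed instruction stream and records which word addresses are instruction starts and which are suffixes that a branch should never land on; the 64-byte crossing rule is assumed from the ISA and is not quoted on this page.

```python
import struct

PREFIX_PRIMARY_OPCODE = 0b000001  # bits 0:5 of every prefix (manual 1.6.3)
# Assumption (from ISA 3.1, not quoted on the page): a prefixed instruction
# may not cross a 64-byte boundary.
CROSSING_BOUNDARY = 64

def primary_opcode(word):
    """Bits 0:5 in the manual's numbering (bit 0 = MSB) = top six bits."""
    return (word >> 26) & 0x3F

def prefix_bit6(word):
    """Bit 6 of a prefix: 1 => the suffix is itself a defined word instruction."""
    return (word >> 25) & 1

def mark_boundaries(code, base=0):
    """Map each 4-byte word address to 'word', 'prefix', 'suffix-defined',
    'suffix-undefined', 'prefix-truncated' or 'prefix-crossing'."""
    words = [w for (w,) in struct.iter_unpack(">I", code)]
    kinds, i = {}, 0
    while i < len(words):
        addr = base + 4 * i
        if primary_opcode(words[i]) != PREFIX_PRIMARY_OPCODE:
            kinds[addr] = "word"              # ordinary word instruction
            i += 1
            continue
        if i + 1 == len(words):
            kinds[addr] = "prefix-truncated"  # no suffix word follows
            break
        crosses = addr // CROSSING_BOUNDARY != (addr + 4) // CROSSING_BOUNDARY
        kinds[addr] = "prefix-crossing" if crosses else "prefix"
        # Types 10/11 (bit 6 = 1): the suffix is a defined word instruction, so
        # a branch landing on it executes something on its own.  Types 00/01
        # (bit 6 = 0): the suffix is not a defined word instruction by itself.
        kinds[addr + 4] = "suffix-defined" if prefix_bit6(words[i]) else "suffix-undefined"
        i += 2
    return kinds

def is_legal_target(kinds, addr):
    """Only instruction starts are acceptable branch targets for a
    boundary-marking pre-decoder; suffixes of either kind are not."""
    return kinds.get(addr) in ("word", "prefix")

# Constructed sample stream: mflr r0; a type-00 pair (constructed suffix);
# a type-10 pair whose suffix is addi r3,r0,1 (a defined word instruction); blr.
SAMPLE = struct.pack(">6I", 0x7C0802A6, 0x04000010, 0xE4230000,
                     0x06000000, 0x38600001, 0x4E800020)
```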