diff options
| author | Alexandre Oliva <oliva@adacore.com> | 2021-10-28 00:51:02 -0300 |
|---|---|---|
| committer | Alexandre Oliva <oliva@gnu.org> | 2021-10-28 00:51:02 -0300 |
| commit | 95bb87b2458bfab4f8557a2dfdc867fb14305455 (patch) | |
| tree | f2631aca2523d8600de2182a5722c4d0b48f9100 /gcc/ada/doc | |
| parent | 5f9ef1339e9d0d709af6a70b60e584bf7decd761 (diff) | |
| download | gcc-95bb87b2458bfab4f8557a2dfdc867fb14305455.zip gcc-95bb87b2458bfab4f8557a2dfdc867fb14305455.tar.gz gcc-95bb87b2458bfab4f8557a2dfdc867fb14305455.tar.bz2 | |
hardened conditionals
This patch introduces optional passes to harden conditionals used in
branches, and in computing boolean expressions, by adding redundant
tests of the reversed conditions, and trapping in case of unexpected
results. Though in abstract machines the redundant tests should never
fail, CPUs may be led to misbehave under certain kinds of attacks,
such as of power deprivation, and these tests reduce the likelihood of
going too far down an unexpected execution path.
for gcc/ChangeLog
* common.opt (fharden-compares): New.
(fharden-conditional-branches): New.
* doc/invoke.texi: Document new options.
* gimple-harden-conditionals.cc: New.
* Makefile.in (OBJS): Build it.
* passes.def: Add new passes.
* tree-pass.h (make_pass_harden_compares): Declare.
(make_pass_harden_conditional_branches): Declare.
for gcc/ada/ChangeLog
* doc/gnat_rm/security_hardening_features.rst
(Hardened Conditionals): New.
for gcc/testsuite/ChangeLog
* c-c++-common/torture/harden-comp.c: New.
* c-c++-common/torture/harden-cond.c: New.
Diffstat (limited to 'gcc/ada/doc')
| -rw-r--r-- | gcc/ada/doc/gnat_rm/security_hardening_features.rst | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst index 1c46e3a4..52240d7 100644 --- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst +++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst @@ -87,3 +87,43 @@ types and subtypes, may be silently ignored. Specifically, it is not currently recommended to rely on any effects this pragma might be expected to have when calling subprograms through access-to-subprogram variables. + + +.. Hardened Conditionals: + +Hardened Conditionals +===================== + +GNAT can harden conditionals to protect against control flow attacks. + +This is accomplished by two complementary transformations, each +activated by a separate command-line option. + +The option *-fharden-compares* enables hardening of compares that +compute results stored in variables, adding verification that the +reversed compare yields the opposite result. + +The option *-fharden-conditional-branches* enables hardening of +compares that guard conditional branches, adding verification of the +reversed compare to both execution paths. + +These transformations are introduced late in the compilation pipeline, +long after boolean expressions are decomposed into separate compares, +each one turned into either a conditional branch or a compare whose +result is stored in a boolean variable or temporary. Compiler +optimizations, if enabled, may also turn conditional branches into +stored compares, and vice-versa. Conditionals may also be optimized +out entirely, if their value can be determined at compile time, and +occasionally multiple compares can be combined into one. + +It is thus difficult to predict which of these two options will affect +a specific compare operation expressed in source code. Using both +options ensures that every compare that is not optimized out will be +hardened. + +The addition of reversed compares can be observed by enabling the dump +files of the corresponding passes, through command line options +*-fdump-tree-hardcmp* and *-fdump-tree-hardcbr*, respectively. + +They are separate options, however, because of the significantly +different performance impact of the hardening transformations. |