Issue 1234393005: A mechanism to identify/forbid/"rewrite" non-temporal instructions (and other)

Issue 1234393005: A mechanism to identify/forbid/"rewrite" non-temporal instructions (and other) (Closed)

Created:
5 years, 5 months ago by ruiq

Modified:
5 years, 4 months ago

Reviewers:
gdeepti, Petr Hosek, Mark Seaborn, bradnelson, JF

CC:
native-client-reviews_googlegroups.com

Base URL:
https://chromium.googlesource.com/native_client/src/native_client.git@master

Target Ref:
refs/heads/master

Project:
nacl

Visibility:
Public.

More Reviews

Description

A mechanism to identify/forbid/"rewrite" non-temporal instructions (and other) For security reasons, the validator needs to identify certain instructions, then forbid or rewrite them based on further information. In this CL, we target non-temporal instructions, including non-temporal reads, writes, and prefetches. Specifically: 1) We mark non-temporal instructions in def files with an additional attribute "nacl-unsupported"; 2) The validator identifies instructions with "nacl-unsupported" attribute 3) Based on the flags passed in, the validator either forbids or "rewrites" the instruction. Note: -- the rewriting is to be implemented in a separate CL, and the current behavior is to leave the instruction as it is (i.e., as if it passes validation), which is consistent with the old behavior. -- the flags are currently derived from the "pnacl_mode" argument, which makes the validator disable non-temporal instructions under PNaCl. BUG=https://code.google.com/p/chromium/issues/detail?id=500026 R=jfb@chromium.org, mseaborn@chromium.org, phosek@chromium.org Committed: https://chromium.googlesource.com/native_client/src/native_client/+/f14a2194a8dd85de9304c94d8563e24b7cd45bff

Patch Set 1 #

Patch Set 2 : Pass in pnacl_mode instead of fixed value. #

Patch Set 3 : Fix x86-32 and MIPS #

Patch Set 4 : Renaming #

Total comments: 22

Patch Set 5 : Address code review comments #

Patch Set 6 : Format #

Patch Set 7 : Include prefetchnta as nacl-unsupported. #

Patch Set 8 : Update json file #

Patch Set 9 : Rebase #

Patch Set 10 : Fix test failures #

Patch Set 11 : Support pnacl mode for ncval #

Patch Set 12 : Update dfagentries and dfachecktries related #

Patch Set 13 : Update DEPS file #

Patch Set 14 : Format #

Patch Set 15 : Trivial fix #

Patch Set 16 : Trivial fix #

Total comments: 35

Patch Set 17 : Format #

Patch Set 18 : Update json file #

Patch Set 19 : Unintroducing pnacl_mode into validator #

Patch Set 20 : Fix initialization warnings; format etc. #

Total comments: 4

Patch Set 21 : Use 0 to represent normal validation in NaClValidationFlags #

Total comments: 3

Patch Set 22 : #

Patch Set 23 : #

Patch Set 24 : Add (ARCH)_VALIDATION_FLAGS_MASK #

Total comments: 4

Patch Set 25 : Fixing nits #

Total comments: 3

Created: 5 years, 4 months ago

(Patch set is too large to download)

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+6326 lines, -5822 lines)			Patch
M	DEPS	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+1 line, -1 line	0 comments	Download
M	src/trusted/service_runtime/elf_util.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+1 line, -0 lines	0 comments	Download
M	src/trusted/service_runtime/sel_validate_image.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	3 chunks	+3 lines, -0 lines	0 comments	Download
M	src/trusted/service_runtime/sys_memory.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	3 chunks	+3 lines, -0 lines	0 comments	Download
M	src/trusted/validator/build.scons	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+15 lines, -0 lines	0 comments	Download
M	src/trusted/validator/driver/ncval.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	9 chunks	+42 lines, -13 lines	0 comments	Download
M	src/trusted/validator/ncvalidate.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	2 chunks	+9 lines, -0 lines	1 comment	Download
M	src/trusted/validator/validation_cache_test.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	2 chunks	+2 lines, -0 lines	0 comments	Download
A	src/trusted/validator/validation_disable_nontemporals_test.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+80 lines, -0 lines	0 comments	Download
M	src/trusted/validator_arm/ncvalidate.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+2 lines, -0 lines	1 comment	Download
M	src/trusted/validator_mips/ncvalidate.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	2 chunks	+3 lines, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/build.scons	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+2 lines, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/def_format.py	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+1 line, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/dfa_validate_32.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	4 chunks	+7 lines, -4 lines	0 comments	Download
M	src/trusted/validator_ragel/dfa_validate_64.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	4 chunks	+7 lines, -4 lines	0 comments	Download
M	src/trusted/validator_ragel/dfa_validate_common.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+10 lines, -4 lines	0 comments	Download
M	src/trusted/validator_ragel/dfa_validate_common.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+16 lines, -6 lines	1 comment	Download
M	src/trusted/validator_ragel/dll_utils.c	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+5 lines, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/gen/protected_files.json	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+5 lines, -5 lines	0 comments	Download
M	src/trusted/validator_ragel/gen/validator_x86_32.xml	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	68 chunks	+6052 lines, -5768 lines	0 comments	Download
M	src/trusted/validator_ragel/gen_dfa.py	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+4 lines, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/instruction_definitions/general_purpose_instructions.def	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	2 chunks	+2 lines, -2 lines	0 comments	Download
M	src/trusted/validator_ragel/instruction_definitions/mmx_instructions.def	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+1 line, -1 line	0 comments	Download
M	src/trusted/validator_ragel/instruction_definitions/xmm_instructions.def	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+18 lines, -12 lines	0 comments	Download
A	src/trusted/validator_ragel/nacl_unsupported_proof.py	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+18 lines, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/validator.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	2 chunks	+3 lines, -1 line	0 comments	Download
M	src/trusted/validator_ragel/validator.py	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	2 chunks	+6 lines, -1 line	0 comments	Download
M	src/trusted/validator_ragel/validator_x86_32.rl	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+4 lines, -0 lines	0 comments	Download
M	src/trusted/validator_ragel/validator_x86_64.rl	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24	1 chunk	+4 lines, -0 lines	0 comments	Download

Messages

Total messages: 28 (2 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

ruiq

https://codereview.chromium.org/1234393005/diff/30001/src/trusted/validator_ragel/def_format.py File src/trusted/validator_ragel/def_format.py (right): https://codereview.chromium.org/1234393005/diff/30001/src/trusted/validator_ragel/def_format.py#newcode294 src/trusted/validator_ragel/def_format.py:294: 'nacl-forbid-or-rewrite', I feel this name is more explicit than ...

5 years, 5 months ago (2015-07-19 19:20:34 UTC) #2

Petr Hosek

Could you please generate a new trie and compare it with the one which was ...

5 years, 5 months ago (2015-07-20 23:58:57 UTC) #3

ruiq

https://codereview.chromium.org/1234393005/diff/30001/src/trusted/validator_ragel/dfa_validate_common.c File src/trusted/validator_ragel/dfa_validate_common.c (right): https://codereview.chromium.org/1234393005/diff/30001/src/trusted/validator_ragel/dfa_validate_common.c#newcode40 src/trusted/validator_ragel/dfa_validate_common.c:40: struct ForbidRewriteCallbackData *data = callback_data; On 2015/07/20 23:58:57, Petr ...

5 years, 5 months ago (2015-07-21 00:39:44 UTC) #4

Petr Hosek

5 years, 5 months ago (2015-07-21 00:46:58 UTC) #5

ruiq

I will generate the new trie in a follow up patch set. https://codereview.chromium.org/1234393005/diff/30001/src/trusted/validator/build.scons File src/trusted/validator/build.scons ...

5 years, 5 months ago (2015-07-21 02:52:25 UTC) #6

gdeepti

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/driver/ncval.cc File src/trusted/validator/driver/ncval.cc (right): https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/driver/ncval.cc#newcode216 src/trusted/validator/driver/ncval.cc:216: Bool result = (validation_info & (VALIDATION_ERRORS_MASK | BAD_JUMP_TARGET)) Why ...

5 years, 4 months ago (2015-07-28 03:08:58 UTC) #7

ruiq

5 years, 4 months ago (2015-07-28 04:58:55 UTC) #8

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/...
File src/trusted/validator/driver/ncval.cc (right):

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/...
src/trusted/validator/driver/ncval.cc:216: Bool result = (validation_info &
(VALIDATION_ERRORS_MASK | BAD_JUMP_TARGET))
On 2015/07/28 03:08:58, gdeepti wrote:
> Why BAD_JUMP_TARGET here? 

This is to be consistent with the handling in ProcessInstruction(), line 105.

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/...
File src/trusted/validator/validation_pnacl_mode_test.cc (right):

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/...
src/trusted/validator/validation_pnacl_mode_test.cc:57: // non-temporal writes.
In future, we will do rewriting.
On 2015/07/28 03:08:57, gdeepti wrote:
> Add a todo for rewriting. 

There is a TODO in the place where we should do rewriting
(src/trusted/validator_ragel/dfa_validate_common.c). My thought was that the
tests are for current code, would it be a bit misleading if we add a TODO which
is essentially "TOTEST"?

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/...
src/trusted/validator/validation_pnacl_mode_test.cc:60: EXPECT_EQ(0,
memcmp(code_buffer, movnti_code, MOVNTI_CODE_SIZE));
On 2015/07/28 03:08:58, gdeepti wrote:
> As we are not rewriting yet, seems redundant to check it here. Especially
since
> we should be rewriting in non PNaCl mode. Perhaps remove this and add details
to
> the TODO for the rewriting check that would be needed.  

This is a sanity check. It was added because the code is modifiable
(readonly_test = FALSE), and we want to make sure it's not modified in the user
callback (current validation does rewrite some CPU unsupported instructions to
HALT). Would it be better to keep this to capture possible mistakes, as it is
not that expensive?

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator_...
File src/trusted/validator_ragel/validator.h (right):

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator_...
src/trusted/validator_ragel/validator.h:99: UNSUPPORTED_INSTRUCTION =
0x04000000,
On 2015/07/28 03:08:58, gdeepti wrote:
> Fix alignment to be consistent with the rest of the mask values.

Done.

Petr Hosek

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/service_runtime/elf_util.c File src/trusted/service_runtime/elf_util.c (right): https://codereview.chromium.org/1234393005/diff/150001/src/trusted/service_runtime/elf_util.c#newcode651 src/trusted/service_runtime/elf_util.c:651: nap->pnacl_mode, ditto https://codereview.chromium.org/1234393005/diff/150001/src/trusted/service_runtime/sel_validate_image.c File src/trusted/service_runtime/sel_validate_image.c (right): https://codereview.chromium.org/1234393005/diff/150001/src/trusted/service_runtime/sel_validate_image.c#newcode76 src/trusted/service_runtime/sel_validate_image.c:76: nap->pnacl_mode, ...

5 years, 4 months ago (2015-07-28 19:05:47 UTC) #9

Mark Seaborn

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/driver/ncval.cc File src/trusted/validator/driver/ncval.cc (right): https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator/driver/ncval.cc#newcode359 src/trusted/validator/driver/ncval.cc:359: while ((opt = getopt(argc, argv, "v")) != -1) { ...

5 years, 4 months ago (2015-07-28 20:44:03 UTC) #10

ruiq

5 years, 4 months ago (2015-07-28 21:34:56 UTC) #11

ruiq

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator_ragel/dfa_validate_64.c File src/trusted/validator_ragel/dfa_validate_64.c (right): https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator_ragel/dfa_validate_64.c#newcode73 src/trusted/validator_ragel/dfa_validate_64.c:73: NaClDfaProcessValidationError, On 2015/07/28 19:05:46, Petr Hosek wrote: > Could ...

5 years, 4 months ago (2015-07-28 22:00:31 UTC) #12

ruiq

https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator_ragel/dfa_validate_32.c File src/trusted/validator_ragel/dfa_validate_32.c (right): https://codereview.chromium.org/1234393005/diff/150001/src/trusted/validator_ragel/dfa_validate_32.c#newcode42 src/trusted/validator_ragel/dfa_validate_32.c:42: struct StubOutCallbackData callback_data; On 2015/07/28 19:05:46, Petr Hosek wrote: ...

5 years, 4 months ago (2015-07-28 22:15:59 UTC) #13

Petr Hosek

Except for the two changes mentioned, I'm happy with the change. It's fine to stick ...

5 years, 4 months ago (2015-07-28 22:24:38 UTC) #14

ruiq

https://codereview.chromium.org/1234393005/diff/190001/src/trusted/validator/ncvalidate.h File src/trusted/validator/ncvalidate.h (right): https://codereview.chromium.org/1234393005/diff/190001/src/trusted/validator/ncvalidate.h#newcode25 src/trusted/validator/ncvalidate.h:25: NORMAL_VALIDATION, On 2015/07/28 22:24:38, Petr Hosek wrote: > I'd ...

5 years, 4 months ago (2015-07-28 22:45:36 UTC) #15

https://codereview.chromium.org/1234393005/diff/200001/src/trusted/validator_arm/ncvalidate.cc File src/trusted/validator_arm/ncvalidate.cc (right): https://codereview.chromium.org/1234393005/diff/200001/src/trusted/validator_arm/ncvalidate.cc#newcode153 src/trusted/validator_arm/ncvalidate.cc:153: UNREFERENCED_PARAMETER(flags); I'd rather CHECK(flags == 0);

5 years, 4 months ago (2015-07-29 00:08:02 UTC) #19

ruiq

5 years, 4 months ago (2015-07-29 00:14:17 UTC) #20

Mark Seaborn

5 years, 4 months ago (2015-07-29 00:31:39 UTC) #22

Petr Hosek

https://codereview.chromium.org/1234393005/diff/230001/src/trusted/validator/validation_disable_nontemporals_test.cc File src/trusted/validator/validation_disable_nontemporals_test.cc (right): https://codereview.chromium.org/1234393005/diff/230001/src/trusted/validator/validation_disable_nontemporals_test.cc#newcode2 src/trusted/validator/validation_disable_nontemporals_test.cc:2: * Copyright (c) 2015 The Native Client Authors. All ...

5 years, 4 months ago (2015-07-29 05:21:36 UTC) #23

ruiq

5 years, 4 months ago (2015-07-29 05:44:17 UTC) #24

Mark Seaborn

These comments could be addressed in a follow-on change (to avoid holding up this change): ...

5 years, 4 months ago (2015-07-29 16:09:23 UTC) #26

Mark Seaborn

Rubber-stamp LGTM for src/trusted/ (in order to cover src/trusted/validator_mips/)

5 years, 4 months ago (2015-07-29 16:24:44 UTC) #27

ruiq

5 years, 4 months ago (2015-07-29 16:52:46 UTC) #28

Message was sent while issue was closed.

Committed patchset #25 (id:240001) manually as
f14a2194a8dd85de9304c94d8563e24b7cd45bff (presubmit successful).

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages