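--- /dev/null
+++ b/MinSFI.cpp
@@ -0,0 +1,68 @@
+//===-- MinSFI.cpp - Lists MinSFI sandboxing passes -----------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This file implements the meta-pass "-minsfi". It lists its constituent
+// passes and explains the reasons for their ordering.
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/PassManager.h"
+#include "llvm/Analysis/NaCl.h"
+#include "llvm/Transforms/MinSFI.h"
+
+using namespace llvm;
+
+void llvm::MinSFIPasses(PassManagerBase &PM) {
+// Nondeterminism is generally undesirable in sandboxed code but more
+// importantly, use of undefined values can leak protected data. This pass
+// replaces all undefs with predefined constants. It only modifies operands
+// of instructions and therefore is not dependent on any other MinSFI or
+// PNaCl passes.
+PM.add(createSubstituteUndefsPass());
+
+// Most MinSFI passes rely on the safety properties guaranteed by the PNaCl
+// bitcode format. We run the PNaCl ABI verifier to make sure these hold.
+PNaClABIErrorReporter *ErrorReporter = new PNaClABIErrorReporter();
+PM.add(createPNaClABIVerifyModulePass(ErrorReporter, false));
+PM.add(createPNaClABIVerifyFunctionsPass(ErrorReporter));
+
+// The naming of NaCl's entry point causes a conflict when linking into
+// native executables. This pass renames the entry function to resolve it.
+// The pass must be invoked after the PNaCl ABI verifier but otherwise could
+// be invoked at any point. To avoid confusion, we rename the function
+// immediately after the verifier and have all the subsequent passes refer to
+// the new name.
+PM.add(createRenameEntryPointPass());
+
+// Sandboxed code cannot access memory allocated on the native stack. This
+// pass creates an untrusted stack inside the sandbox's memory region, with
+// the stack pointer stored in a global variable. With some modifications,
+// the pass could be invoked after SFI, allowing unsandboxed updates of the
+// stack pointer, but that would increase the size of the compiler-side TCB.
+PM.add(createExpandAllocasPass());
+
+// The data segment of the sandbox lies outside its memory region. This pass
+// generates a template, which the MinSFI runtime copies into the sandbox
+// during initialization. All globals defined before this pass therefore
+// remain addressable by the sandboxed code.
+PM.add(createAllocateDataSegmentPass());
+
+// Next, we apply SFI sandboxing to pointer-type operands of all memory
+// access instructions. The pass guarantees that the sandboxed code cannot
+// read or write beyond the scope of the memory region allocated to it.
+// All passes running before this one do not have to be trusted in this
+// respect. Passes running later must not break the guarantee.
+PM.add(createSandboxMemoryAccessesPass());
+
+// Lastly, we apply CFI sandboxing on indirect calls. The pass creates
+// tables of address-taken functions and replaces function pointers with
+// indices into the tables. This pass is invoked after SFI because it is
+// crucial that the tables cannot be modified by the sandboxed code.
+PM.add(createSandboxIndirectCallsPass());
+}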
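Review bot: The ABI verifier's result is never consulted in MinSFIPasses: `ErrorReporter` is created with a raw `new`, handed to the two verifier passes, and then neither checked nor freed, so if those passes only record violations in the reporter rather than aborting, the sandboxing passes that follow run on bitcode whose safety properties were not actually established. Whether the verifier passes take ownership of the reporter and whether they fail hard on an error is not visible here, so either the pipeline should check the reporter's error count after verification or the comment should state that the passes abort on their own. Suggested comment above the `new`: `// Ownership and failure mode: the verifier passes must either abort on an ABI error or this pipeline must check the reporter afterwards; the reporter is not freed here — confirm before relying on the later passes' guarantees.` The bare `false` passed to createPNaClABIVerifyModulePass would also read better as a named local or a trailing `/* StreamingMode */`-style comment so its meaning is clear at the call site.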