Initial forward-edge CFI implementation #3693
Labels: cranelift, cranelift:area:aarch64, cranelift:area:machinst, cranelift:area:x64, cranelift:meta, wasmtime:api, fuzzing (label-action bot cc @peterhuene, @fitzgen)
@alexcrichton I added you as reviewer for the Wasmtime bits.
Seems reasonable enough to me! Sorry you've probably answered these questions before but I wanted to double-check something as well:
- If a module is compiled with bti support and loaded into an engine that has bti support disabled, that's fine right? (since everything is a nop)
- If a module is not compiled with bti support, but is loaded into an engine with bti support, that's bad right? (in that none of the branches are protected but the page permissions say that all branches need protection?)
Otherwise though I think this can cut down on the amount of is_branch_protection_enabled calls and passing-of-the-bool by just making it a method on Engine to avoid some extra changes here.
@alexcrichton I wanted to finish with the pointer authentication PR before coming back to this one:
- Yes, that is correct; we just have to make sure that we do not request the
- Yes, assuming that the engine applies
The current implementation supports the full flexibility the BTI extension enables, so we have to decouple the following:
We should add a
We don't yet support
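The two compatibility questions above (BTI-compiled module in an engine without BTI, and the reverse) come down to one architectural fact: BTI is a HINT-space instruction, so it executes as a NOP wherever guarded pages are not in effect, while a guarded page with an unprotected indirect-branch target faults. The following added example, which is not code from this PR or from Wasmtime/Cranelift, makes that checkable offline: it scans a constructed AArch64 instruction stream and reports every declared indirect-branch target that does not begin with a BTI, and it encodes the load decision from the thread. The list of indirect-branch targets is assumed to be supplied as metadata (the real PR derives it from the CFG during lowering); the BTI word encodings are the architectural ones.

```python
"""
Added example (not code from the Wasmtime/Cranelift PR): verify that every
indirect-branch target in an AArch64 code blob starts with a BTI landing pad.
"""
import struct
from typing import Dict, Iterable, List, Tuple

# Architectural HINT-space encodings of BTI, as little-endian 32-bit words.
# On a core without the extension, or on a page without the guarded-page
# attribute, each of these executes as a NOP.
BTI_ENCODINGS: Dict[int, str] = {
    0xD503241F: "bti",
    0xD503245F: "bti c",
    0xD503249F: "bti j",
    0xD50324DF: "bti jc",
}
NOP = 0xD503201F
RET = 0xD65F03C0


def decode_words(code: bytes) -> List[int]:
    """Split a code blob into 32-bit little-endian instruction words."""
    if len(code) % 4:
        raise ValueError("AArch64 code must be a multiple of 4 bytes")
    return [w for (w,) in struct.iter_unpack("<I", code)]


def find_unprotected_targets(code: bytes, indirect_targets: Iterable[int]) -> List[int]:
    """
    Return the byte offsets of indirect-branch targets (block starts reachable
    through BR/BLR, e.g. call_indirect table entries) whose first instruction
    is not a BTI. `indirect_targets` is assumed metadata from the compiler.
    """
    words = decode_words(code)
    missing: List[int] = []
    for off in indirect_targets:
        if off % 4 or off // 4 >= len(words):
            raise ValueError(f"target offset {off:#x} is not inside the code")
        if words[off // 4] not in BTI_ENCODINGS:
            missing.append(off)
    return missing


def load_decision(module_has_bti: bool, engine_bti_enabled: bool) -> Tuple[bool, str]:
    """The compatibility rule discussed in the review thread."""
    if module_has_bti and not engine_bti_enabled:
        return True, "ok: BTI executes as a NOP on unguarded pages"
    if not module_has_bti and engine_bti_enabled:
        return False, "reject: guarded pages would fault on unprotected indirect targets"
    return True, "ok: module and engine agree on branch protection"


# Constructed sample: block 0 at offset 0 starts with `bti c`, block 1 at
# offset 12 starts with a plain NOP. Both are declared indirect-branch targets.
SAMPLE_CODE = struct.pack("<5I", 0xD503245F, NOP, RET, NOP, RET)
SAMPLE_TARGETS = [0, 12]


def check_sample() -> List[int]:
    """Offsets of declared targets in the sample that lack a BTI: [12]."""
    return find_unprotected_targets(SAMPLE_CODE, SAMPLE_TARGETS)


if __name__ == "__main__":
    print("unprotected targets:", [hex(o) for o in check_sample()])
    for combo in [(True, False), (False, True), (True, True)]:
        print(combo, "->", load_decision(*combo)[1])
```

A scanner like this is useful as a defensive check on the "module without BTI loaded into a BTI engine" case: rather than trusting a flag in the module header, the loader can confirm that each indirect target actually carries a landing pad before mapping the code onto guarded pages.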
Just a few minor nits but otherwise all the wasmtime bits look reasonable to me
Ah sorry ok I see why this can't be an
Give the user the option to start all basic blocks that are targets of indirect branches with the BTI instruction introduced by the Branch Target Identification extension to the Arm instruction set architecture. Copyright (c) 2022, Arm Limited.
This involves "parsing" twice but this is parsing just the header of an ELF file so it's not a very intensive operation and should be ok to do twice.
@cfallin I think that I have resolved all of @alexcrichton's comments that are related to Wasmtime, so do you have any feedback on the Cranelift side of things?
Thanks @akirilov-arm and sorry for the delay in giving the Cranelift parts a review!
Overall I think this is quite reasonable. I do have one suggestion for a simplification in the way that the locations of indirect-target blocks are determined (and I apologize for being extra-picky with this bit of code but the CFG lowering is a very critical and historically difficult-to-get-right piece of the backend!). With that modified, or at least with the suggestion explored, then LGTM.
LGTM for the Cranelift bits -- thanks a bunch for the patience!
cc @alexcrichton to double-check the Wasmtime-related changes?
This pull request is meant to illustrate the RFC proposal to improve control flow integrity for compiled WebAssembly code by using the Branch Target Identification (BTI) extension to the Arm instruction set architecture (bytecodealliance/rfcs#17), so it is not ready to be merged yet.
P.S. The RFC proposal has now been merged, and the changes in this PR have been updated to reflect the final version of the proposal, so they are now ready.