Contributed by rueda on from the d(e)ropping-the-gadgets dept.
Todd Mortimer (mortimer@) has committed "RETGUARD" for clang (for amd64).
This is a new anti-ROP security mechanism, which uses random per-function cookies to protect return addresses on the stack.
The full commit message reads:
CVSROOT: /cvs Module name: src Changes by: firstname.lastname@example.org 2018/06/05 18:14:29 Modified files: distrib/amd64/ramdiskA: Makefile.inc gnu/llvm/include/llvm: InitializePasses.h gnu/llvm/include/llvm/CodeGen: MachineFrameInfo.h Passes.h TargetFrameLowering.h gnu/llvm/lib/CodeGen: CMakeLists.txt PrologEpilogInserter.cpp TargetPassConfig.cpp gnu/llvm/lib/Target/X86: X86FrameLowering.cpp X86FrameLowering.h X86InstrCompiler.td X86MCInstLower.cpp gnu/llvm/tools/clang/include/clang/Driver: CC1Options.td gnu/llvm/tools/clang/include/clang/Frontend: CodeGenOptions.def gnu/llvm/tools/clang/lib/CodeGen: CGCall.cpp gnu/llvm/tools/clang/lib/Driver/ToolChains: Clang.cpp gnu/llvm/tools/clang/lib/Frontend: CompilerInvocation.cpp gnu/usr.bin/clang: Makefile.inc gnu/usr.bin/clang/libLLVMCodeGen: Makefile share/mk : bsd.lib.mk Added files: gnu/llvm/lib/CodeGen: ReturnProtectorPass.cpp Log message: Add RETGUARD to clang for amd64. This security mechanism uses per-function random cookies to protect access to function return instructions, with the effect that the integrity of the return address is protected, and function return instructions are harder to use in ROP gadgets. On function entry the return address is combined with a per-function random cookie and stored in the stack frame. The integrity of this value is verified before function return, and if this check fails, the program aborts. In this way RETGUARD is an improved stack protector, since the cookies are per-function. The verification routine is constructed such that the binary space immediately before each ret instruction is padded with int03 instructions, which makes these return instructions difficult to use in ROP gadgets. In the kernel, this has the effect of removing approximately 50% of total ROP gadgets, and 15% of unique ROP gadgets compared to the 6.3 release kernel. Function epilogues are essentially gadget free, leaving only the polymorphic gadgets that result from jumping into the instruction stream partway through other instructions. Work to remove these gadgets will continue through other mechanisms. Remaining work includes adding this mechanism to assembly routines, which must be done by hand. Many thanks to all those who helped test and provide feedback, especially deaadt, tb, espie and naddy. ok deraadt@
The FAQ page on following -current has been updated accordingly.