Hi everyone,
I am researching CFI and the implementation of CFI in Clang. In doing so I found out that CFI can be bypassed in situations where CFI-related values stored in registers, are spilled onto the stack. An attacker could alter these values, which should be immutable, and thereby bypass CFI checks. The following article writes in detail about this:
There is also a proof of concept for this attack provided here:
As I have understood, this situation arises because the compiler attempts to maximize the use of registers. Therefore, in certain situations, register-values spills onto the stack in order to free up registers that are necessary to perform some calculation. The values are later copied back onto their registers. In particular, this can occur when a function (the caller) calls another function (the callee). If the callee must use some registers that the caller has already occupied, those register-values are saved onto the stack and the callee can then utilize the registers. Before returning to the caller, the callee will restore the registers using the values that were saved to the stack.
The authors of the paper suggest a patch for Clang. In their patch, the CFI-related values that are spilled are not copied back, instead the values are recalculated before they are returned to their register. This seems like a decent solution to me, however I can’t find if their patch was ever implemented into Clang or not.
My question is: Did Clang ever get patched to address this issue? If not, how come? Is it because the patch provided by the authors of the article is detrimental to performance, or is there a different reason?
Thanks,
Viktor