First, my apologies if I have incorrectly used any of these lists.
I'm sending this email in order to get some help on where in the
codebases for LLVM and/or Clang I should be looking in order to
accomplish the following:
- create 4 additional memory segments
  - 2 to be used as "additional stacks"
  - 2 to be used as "additional heaps"
- modify the stack frame and stack pointer registers (in order to make
use of the 2 "additional stacks")
- modify segment descriptors, as needed, to support reads/writes to the
- modify which stack variables go to which of the three stacks
  - same for heaps
Hi Brent, LLVM supports segmented stacks, I suggest you do a case
insensitive grep for segmented.stack in the source code (the . is
to match any character).
Are the segmented stacks actually on separate memory segments? My intended purpose for placing different datatypes on separate stacks is such that memory accesses to one datatype won’t be allowed to overflow to another datatype.
If they aren’t, in fact, on separate memory segments, are you aware of a way to place a non-readable/-writable segment in between two other stack segments?
it is essentially the same thing as GCC's split stacks:
It doesn’t appear to be what I’m looking for as there is copying of the old stack to the new stack. Additionally, according to the LLVM docs on segmented stacks (http://llvm.org/releases/3.0/docs/SegmentedStacks.html) the stacklings are allocated memory from the heap. Since this places them all on the same memory segment, a read/write from one stackling could technically overflow to read/write another stackling … unless there is something I’ve overlooked or is undocumented.
What I’ve been looking at currently is a suggestion made to me last night to either
(1) modify the allocated space for local variables in LLVM so that there are multiples of them
(2) treat all local variables as globals and specify explicitly where each should be written
The primary goal I’m trying to achieve is such that a read/write to one or more variables on one stack cannot overflow to those on another stack due to either a protection page in between and/or implicit protections from being on different memory segments.
You're correct. The segmented stack model is intended for performance, not security. Its goal is to allow lightweight threads to be very cheaply allocated and destroyed.
For your model, you would most likely want to use different address spaces for the different memory types. Currently, clang does not allow you to define the address space of variables with automatic storage ('stack variables') and I'm not sure if this is a limitation of LLVM's alloca instruction or of the front end.
Thank you for confirming that for me.
What about the plausibility of splitting the single alloca space (the one stack) into three sections, with a “guard page” between each of the sections? Does LLVM provide the capabilities required to do this or something similar?
I simply need “something” to ensure that if X is on stack1 and Y is on stack2 that an access to X cannot access Y.
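The guard-page layout asked about in the last message, shown at the OS level as an added example that is not part of the original thread and is not an LLVM or Clang feature: three read/write regions carved out of one mapping, each fenced by an inaccessible page. It assumes a POSIX system with `mmap`/`mprotect`; `struct guarded`, `guarded_alloc` and `write_survives` are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* exposes MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define NREGIONS 3 /* e.g. the original stack plus two additional ones */
struct guarded { char *base[NREGIONS]; size_t region_len, page; };

/* Reserve one PROT_NONE span, then open NREGIONS read/write windows in it.
 * Layout: G R G R G R G  (G = guard page that stays PROT_NONE). */
int guarded_alloc(struct guarded *g, size_t pages_per_region) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || pages_per_region == 0) return -1;
    g->page = (size_t)ps;
    g->region_len = pages_per_region * g->page;
    size_t total = NREGIONS * g->region_len + (NREGIONS + 1) * g->page;
    char *span = mmap(NULL, total, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (span == MAP_FAILED) return -1;
    for (int i = 0; i < NREGIONS; i++) {
        g->base[i] = span + g->page + (size_t)i * (g->region_len + g->page);
        if (mprotect(g->base[i], g->region_len, PROT_READ | PROT_WRITE) != 0) {
            munmap(span, total);
            return -1;
        }
    }
    return 0;
}

/* Returns 1 if a one-byte write to addr succeeds, 0 if it faults, -1 on error.
 * The write runs in a forked child so a fault cannot kill the caller. */
int write_survives(volatile char *addr) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { *addr = 'A'; _exit(0); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    struct guarded g;
    if (guarded_alloc(&g, 4) != 0) return 1;
    printf("last byte of region 0: %d, one past it: %d, first byte of region 1: %d\n",
           write_survives(g.base[0] + g.region_len - 1),
           write_survives(g.base[0] + g.region_len), write_survives(g.base[1]));
    return 0;
}
```

Guard pages stop contiguous overruns only: an access at an offset that skips more than one page past the end of a region can still land in the next region.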