Quarkslab's blog - Clanghttp://blog.quarkslab.com/2026-04-16T00:00:00+02:00Obfuscation vs the Optimizer: An LLVM Middle-End Arms Race2026-04-16T00:00:00+02:002026-04-16T00:00:00+02:00Robert Yatestag:blog.quarkslab.com,2026-04-16:/obfuscation-vs-the-optimizer-an-llvm-middle-end-arms-race.html<p>How one Commit Broke Obfuscation: A blog post exploring the role of compilers and optimizations in the field of obfuscation and de-obfuscation.</p><h2 id="introduction">Introduction</h2>
<p>Obfuscation is security through obscurity; its purpose is to transform a piece of code into a much more complex representation, whilst preserving the original semantics of the code. A compiler's job is to transform source code into binary code and produce the simplest and most optimized representation it can for a given architecture. These are contrary goals, yet this contradiction is where obfuscators find their greatest leverage.</p>
<p>In this blog post, we will explore the relationship between compilers, obfuscation, and de-obfuscation. We will first learn about LLVM, but I will frame the information so it's a little deeper and more relevant to this topic. Finally, we will walk through an example of obfuscation and watch the tug-of-war between our code and the optimization passes and see how a single commit in LLVM breaks our obfuscation. Hopefully, by the end, we will have a better understanding of how this tug-of-war is, in fact, more of a yin-yang.</p>
<h2 id="meet-the-mystery-function">Meet the mystery function</h2>
<p>The star of the blog will be the following function. We will watch how the compiler removes the obfuscation, and we will try to fight back.</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdint.h></span>
<span class="kt">uint8_t</span><span class="w"> </span><span class="nf">mystery</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span>
<span class="w"> </span><span class="p">((((</span><span class="mi">40u</span><span class="w"> </span><span class="o">^</span><span class="w"> </span><span class="mh">0xFFu</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mh">0x9Bu</span><span class="p">)</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="mi">65u</span><span class="p">)</span><span class="w"> </span><span class="o">+</span>
<span class="w"> </span><span class="p">(((</span><span class="mi">0u</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="p">(</span><span class="mi">40u</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="mi">110u</span><span class="p">))</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1u</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">81u</span><span class="p">)</span><span class="w"> </span><span class="o">+</span>
<span class="w"> </span><span class="p">(</span><span class="mi">40u</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="mi">110u</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">65u</span><span class="p">)</span><span class="w"> </span><span class="o">^</span>
<span class="w"> </span><span class="mh">0xFFu</span>
<span class="w"> </span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>Before we watch LLVM tear this down, here’s the minimal background you need.</p>
<h2 id="a-quick-llvm-primer">A quick LLVM primer</h2>
<p>LLVM is a framework for building compilers. A collection of reusable components helps the author build up their compiler stages.</p>
<p>A compiler is often described in 3 stages: Front-End / Middle-End / Back-End. The so-called middle-end is the stage of compilation where transformations and analyses take place to support optimizations. </p>
<p>Before that, it is the front-end's responsibility to parse the natural source code language into an abstract syntax tree <a href="https://en.wikipedia.org/wiki/Abstract_syntax_tree">AST</a>. It is then lowered into an intermediate representation <a href="https://en.wikipedia.org/wiki/Intermediate_representation">IR</a>. In the reverse engineering world, it is sometimes referred to as an intermediate language, but both IL and IR are used.</p>
<p>The IR is an important state because its aim is to represent the semantics of the source language in a way that enables code to reason about its behaviour and perform optimizations. IR is target independent and therefore, in theory, <a href="https://llvm.org/docs/LangRef.html">generic</a> and simple.</p>
<p>The IR is eventually passed to the back end; it's here that further lowering occurs into more target-selected architectures, and eventual instructions are selected to generate binary code, such as X86. The beauty in this architecture is that you can have many input languages and many output architectures. Still, the middle-end works to optimize the same IR using a large collection of complex analysis and transformation passes that don't break the semantics of the code, helping the back-end produce fast and/or small code.</p>
<h3 id="try-it-yourself">Try it yourself</h3>
<p>In this blog, we will be working with IR snippets, and knowing how to generate and work with these files would be useful.</p>
<p>We can generate IR from C or C++ code using clang: </p>
<div class="highlight"><pre><span></span><code>clang<span class="w"> </span>hello.c<span class="w"> </span>-S<span class="w"> </span>-emit-llvm<span class="w"> </span>-o<span class="w"> </span>hello.ll
</code></pre></div>
<p>or, to disable all optimizations: </p>
<div class="highlight"><pre><span></span><code>clang<span class="w"> </span>-O0<span class="w"> </span>-Xclang<span class="w"> </span>-disable-O0-optnone<span class="w"> </span>hello.c<span class="w"> </span>-S<span class="w"> </span>-emit-llvm<span class="w"> </span>-o<span class="w"> </span>hello.ll
</code></pre></div>
<p>To run optimization pipelines or specific passes: </p>
<div class="highlight"><pre><span></span><code>opt<span class="w"> </span>hello.ll<span class="w"> </span>-O2<span class="w"> </span>-S
opt<span class="w"> </span>hello.ll<span class="w"> </span>-passes<span class="o">=</span>sroa,mem2reg<span class="w"> </span>-S
</code></pre></div>
<p><em>-O0 -O1 -O2 -O3 are optimization levels, and these options trigger a ready-to-use arrangement of passes in a pipeline.</em></p>
<p>To generate object files: </p>
<div class="highlight"><pre><span></span><code>llc<span class="w"> </span>-filetype<span class="o">=</span>obj<span class="w"> </span>hello.ll<span class="w"> </span>-o<span class="w"> </span>hello.o
</code></pre></div>
<p>You can also use these tools with <a href="https://godbolt.org/">Compiler Explorer</a></p>
<h3 id="why-the-middle-end-matters-for-both-sides">Why the middle-end matters for both sides</h3>
<p>LLVM’s middle-end is the product of decades of compiler research made concrete: Theory turned into analyses, algorithms into passes, and ideas refined through real implementation work. That makes it a rich source of knowledge for both reverse engineers and obfuscator authors. If we can produce code that remains difficult for these passes to simplify or reason about, that suggests the obfuscation is doing its job. On the other hand, if we can bring similar algorithms to RE tooling, then we have the beginnings of a capable de-obfuscator. The same machinery can help either hide intent or recover it.</p>
<p>As you saw earlier, we can run passes on the LLVM IR from the command line. LLVM has several passes, although that's a bit of an understatement. The LLVM pass <a href="https://llvm.org/docs/Passes.html">list</a> is split into analysis, transformation, and utility passes. They aim to eliminate unnecessary computation through methods such as dead code elimination, redundancy removal, control-flow simplification, memory optimizations, and much more.</p>
<p>On the flip side we could also write our own passes to introduce the exact opposite.</p>
<h3 id="the-optimizers-toolkit">The optimizer's toolkit</h3>
<p>In the context of reverse engineering, obfuscation, and de-obfuscation, I would categorise them by their effect on simplification. These categories help understand how compiler optimizations reduce code complexity, the same mechanisms that make optimization/de-obfuscation possible. Here is an extremely brief look at a few passes and my own groupings. (Inter-procedural analysis is purposely left out)</p>
<ol>
<li>
<p>Dead Code/Store Elimination -> <a href="https://llvm.org/docs/Passes.html#dse-dead-store-elimination">DSEPass</a> <a href="https://llvm.org/docs/Passes.html#dce-dead-code-elimination">DCEPass</a> <a href="https://github.com/llvm/llvm-project/blob/main/llvm/lib/Transforms/Scalar/BDCE.cpp">BDCEPass</a>
Removes code that does not affect program output. Obfuscators often insert junk code, opaque predicates, or unreachable paths. DCE passes eliminate these.</p>
</li>
<li>
<p>Constant Propagation & Folding -> <a href="https://llvm.org/docs/Passes.html#sccp-sparse-conditional-constant-propagation">SCCPPass</a> <a href="https://github.com/llvm/llvm-project/blob/main/llvm/lib/Transforms/Scalar/CorrelatedValuePropagation.cpp">CorrelatedValuePropagationPass</a>
Evaluates expressions at compile time and propagates known values. Defeats obfuscation that relies on dynamic computation of constants (opaque predicates, encoded values).</p>
</li>
<li>
<p>Control Flow Simplification -> <a href="https://llvm.org/docs/Passes.html#simplifycfg-simplify-the-cfg">SimplifyCFGPass</a> <a href="https://llvm.org/docs/Passes.html#jump-threading-jump-threading">JumpThreadingPass</a>
Simplifies the control flow graph by merging blocks, removing redundant branches, and threading jumps. Critical for defeating control flow flattening and bogus control flow.</p>
</li>
<li>
<p>Redundancy Elimination -> <a href="https://llvm.org/docs/Passes.html#gvn-global-value-numbering">GVNPass</a> <a href="https://github.com/llvm/llvm-project/blob/main/llvm/lib/Transforms/Scalar/EarlyCSE.cpp">EarlyCSEPass</a>
Removes redundant computations. Removes duplicate expressions or equivalent computations inserted by obfuscators across different code paths.</p>
</li>
<li>
<p>Instruction Simplification & Combining -> <a href="https://llvm.org/docs/Passes.html#instcombine-combine-redundant-instructions">InstCombinePass</a> <a href="https://llvm.org/docs/Passes.html#reassociate-reassociate-expressions">ReassociatePass</a>
Simplifies and canonicalises instructions. Defeats arithmetic obfuscation (MBA expressions, substitution patterns, identity operations). A bit of a swiss army knife pass, I highly recommended looking through the code of this one.</p>
</li>
<li>
<p>Memory Optimization -> <a href="https://llvm.org/docs/Passes.html#sroa-scalar-replacement-of-aggregates">SROAPass</a> <a href="https://llvm.org/docs/Passes.html#memcpyopt-memcpy-optimization">MemCpyOptPass</a>
Optimizes memory access patterns. Simplifies obfuscation that on purpose routes values through stack and memory rather than direct access in registers.</p>
</li>
</ol>
<h2 id="the-arms-race_1">The arms race</h2>
<p>Now that we know some of the tools, let's watch some of them in action.</p>
<p>Since the middle-end is designed to be generic, it's a great place to optimize code; we could, in fact, de-optimize it, or in more familiar terms, we could obfuscate it. Our obfuscation should be resistant to LLVM's optimization pipelines at a bare minimum. Let's take a piece of already obfuscated code that could have been generated by a beginners pass and see how we fare against the optimization pipeline.</p>
<h3 id="round-1-all-constants-no-contest">Round 1 — all constants, no contest</h3>
<p>Back to our mystery function, let's work with it in LLVM IR form:</p>
<div class="highlight"><pre><span></span><code><span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nv">%notx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">40</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="nv">%a</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%notx</span><span class="p">,</span><span class="w"> </span><span class="m">-101</span>
<span class="w"> </span><span class="nv">%b</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%a</span><span class="p">,</span><span class="w"> </span><span class="m">65</span>
<span class="w"> </span><span class="nv">%c</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">40</span><span class="p">,</span><span class="w"> </span><span class="m">110</span>
<span class="w"> </span><span class="nv">%neg</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%comp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%neg</span><span class="p">,</span><span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="nv">%d</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%comp</span><span class="p">,</span><span class="w"> </span><span class="m">81</span>
<span class="w"> </span><span class="nv">%sum1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%b</span><span class="p">,</span><span class="w"> </span><span class="nv">%d</span>
<span class="w"> </span><span class="nv">%sum2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum1</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%sum3</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum2</span><span class="p">,</span><span class="w"> </span><span class="m">-65</span>
<span class="w"> </span><span class="nv">%r</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum3</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%r</span>
<span class="p">}</span>
</code></pre></div>
<p>The syntax of LLVM IR is quite assembly like. Here is a more 1:1 C version to help with understanding how to read the IR.</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdint.h></span>
<span class="kt">uint8_t</span><span class="w"> </span><span class="nf">mystery</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">notx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="mi">40u</span><span class="w"> </span><span class="o">^</span><span class="w"> </span><span class="mh">0xFFu</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">notx</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)</span><span class="mi">-101</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">a</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="mi">65u</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">c</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="mi">40u</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="mi">110u</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">neg</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="mi">0u</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">c</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">comp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">neg</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">1u</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">d</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">comp</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="mi">81u</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">sum1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">b</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">d</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">sum2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">sum1</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">c</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">sum3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">sum2</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)</span><span class="mi">-65</span><span class="p">);</span>
<span class="w"> </span><span class="kt">uint8_t</span><span class="w"> </span><span class="n">r</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">uint8_t</span><span class="p">)(</span><span class="n">sum3</span><span class="w"> </span><span class="o">^</span><span class="w"> </span><span class="mh">0xFFu</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">r</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>The code appears to be a function that returns an 8-bit integer. We need to understand the contents of this function; it's very opaque and difficult to reason about what the result should be, and it's successfully obfuscated.</p>
<p>Let's see what happens when we run an O2 optimization pipeline on this. We shall use LLVM 18 and its tool <code>opt</code>, which allows us to run pipelines and passes.</p>
<p><code>opt sample01.ll -O2 -S</code></p>
<div class="highlight"><pre><span></span><code><span class="c">; ModuleID = 'sample01.ll'</span>
<span class="k">source_filename</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"sample01.ll"</span>
<span class="c">; Function Attrs: mustprogress nofree norecurse nosync nounwind willreturn memory(none)</span>
<span class="k">define</span><span class="w"> </span><span class="k">noundef</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">()</span><span class="w"> </span><span class="k">local_unnamed_addr</span><span class="w"> </span><span class="vg">#0</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span>
<span class="p">}</span>
<span class="k">attributes</span><span class="w"> </span><span class="vg">#0</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="k">mustprogress</span><span class="w"> </span><span class="k">nofree</span><span class="w"> </span><span class="k">norecurse</span><span class="w"> </span><span class="k">nosync</span><span class="w"> </span><span class="k">nounwind</span><span class="w"> </span><span class="k">willreturn</span><span class="w"> </span><span class="err">memory</span><span class="p">(</span><span class="k">none</span><span class="p">)</span><span class="w"> </span><span class="p">}</span>
</code></pre></div>
<h3 id="round-2-why-it-collapsed-instantly">Round 2 — why it collapsed instantly</h3>
<p>The code was complex, but the optimization process quickly discovered the result, revealing the mystery. The function returns 0. The function is simplified because the code can be seen as a constant expression, and the optimization pipeline fully folded it.</p>
<p>We don't even need to run an entire O2 pipeline on it because the pass responsible for this is only EarlyCSEPass. We can achieve the same result with: <code>opt sample01.ll -passes=early-cse -S</code></p>
<p>If you wish to follow along, then you can use <a href="https://godbolt.org/">compiler explorer</a> On the left side, choose <code>LLVM IR</code> and on the right side, choose <code>opt 18.1.0</code> and add the compiler options <code>-O2</code>. Also, click <code>Add New</code> and <code>Opt Pipeline</code></p>
<p>The pass instcombine could also achieve this, but "Early Common Subexpression Elimination" was run first and easily saw through the code, evaluating it as a constant expression. The pass knows that the first instruction <code>%notx = xor i8 40, -1</code> is the same as a <code>not</code>, so <code>%notx</code> could be replaced with <code>%notx = 0xD7</code>. Therefore <code>%a = or i8 %notx, -101</code> is <code>%a = 0xDF</code>, and so on so forth until the whole thing folds down to our <code>0</code>.</p>
<p>Modern RE tools will also easily see through this; they lift assembly code into their own IR in order to optimize and reason about it for the final decompiler layer.</p>
<p>For example, take this Binary Ninja snippet. It shows data flow tracking in its disassembly view within the <code>{}</code>, and the folding happens line by line:</p>
<div class="highlight"><pre><span></span><code><span class="err">0</span><span class="nf">x00400000</span><span class="w"> </span><span class="no">b0ff</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="mi">0xff</span>
<span class="err">0</span><span class="nf">x00400002</span><span class="w"> </span><span class="mi">3428</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="mi">0x28</span><span class="w"> </span><span class="p">{</span><span class="mi">0xd7</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x00400004</span><span class="w"> </span><span class="mi">0</span><span class="no">c9b</span><span class="w"> </span><span class="no">or</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="mi">0x9b</span><span class="w"> </span><span class="p">{</span><span class="mi">0xdf</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x00400006</span><span class="w"> </span><span class="mi">2441</span><span class="w"> </span><span class="no">and</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="mi">0x41</span>
<span class="err">0</span><span class="nf">x00400008</span><span class="w"> </span><span class="no">b16e</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">cl</span><span class="p">,</span><span class="w"> </span><span class="mi">0x6e</span>
<span class="err">0</span><span class="nf">x0040000a</span><span class="w"> </span><span class="mi">80</span><span class="no">e128</span><span class="w"> </span><span class="no">and</span><span class="w"> </span><span class="no">cl</span><span class="p">,</span><span class="w"> </span><span class="mi">0x28</span>
<span class="err">0</span><span class="nf">x0040000d</span><span class="w"> </span><span class="mi">31</span><span class="no">d2</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">edx</span><span class="p">,</span><span class="w"> </span><span class="no">edx</span><span class="w"> </span><span class="p">{</span><span class="mi">0x0</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x0040000f</span><span class="w"> </span><span class="mi">28</span><span class="no">ca</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">dl</span><span class="p">,</span><span class="w"> </span><span class="no">cl</span><span class="w"> </span><span class="p">{</span><span class="mi">0xd8</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x00400011</span><span class="w"> </span><span class="mi">80</span><span class="no">ea01</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">dl</span><span class="p">,</span><span class="w"> </span><span class="mi">0x1</span><span class="w"> </span><span class="p">{</span><span class="mi">0xd7</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x00400014</span><span class="w"> </span><span class="mi">80</span><span class="no">ca51</span><span class="w"> </span><span class="no">or</span><span class="w"> </span><span class="no">dl</span><span class="p">,</span><span class="w"> </span><span class="mi">0x51</span><span class="w"> </span><span class="p">{</span><span class="mi">0xd7</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x00400017</span><span class="w"> </span><span class="mi">00</span><span class="no">d0</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="no">dl</span><span class="w"> </span><span class="p">{</span><span class="mi">0x18</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x00400019</span><span class="w"> </span><span class="mi">00</span><span class="no">c8</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="no">cl</span><span class="w"> </span><span class="p">{</span><span class="mi">0x40</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x0040001b</span><span class="w"> </span><span class="mi">04</span><span class="no">bf</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="mi">0xbf</span><span class="w"> </span><span class="p">{</span><span class="mi">0xff</span><span class="p">}</span>
<span class="err">0</span><span class="nf">x0040001d</span><span class="w"> </span><span class="mi">34</span><span class="no">ff</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="w"> </span><span class="mi">0xff</span><span class="w"> </span><span class="p">{</span><span class="mi">0x0</span><span class="p">}</span><span class="w"> </span><span class="err"><</span><span class="p">-----</span>
<span class="err">0</span><span class="nf">x0040001f</span><span class="w"> </span><span class="no">c3</span><span class="w"> </span><span class="no">retn</span><span class="w"> </span><span class="p">{</span><span class="no">__return_addr</span><span class="p">}</span>
</code></pre></div>
<p>1) As an author of obfuscation, we have learnt that a linear set of simple instructions that use constant values can easily be broken.
2) As a reverse engineer trying to de-obfuscate code, we have learnt that proving that something is constant is very important. When something is constant, it will have a cascading impact on analysis.</p>
<p>If you are a C++ coder, you might remember being taught that you should be setting variables and class members as <code>const</code> wherever possible. Marking things <code>const</code> informs the compiler what cannot change, thereby enabling stronger optimizations.
The same principle applies to RE tools, where asserting immutability improves analysis and de-obfuscation.</p>
<h3 id="round-3-hiding-behind-a-variable">Round 3 — hiding behind a variable</h3>
<p>Let's improve upon our example to make it stronger. We need to somehow prevent the compiler from knowing something is constant. In our example, we have the value <code>40</code> twice; we could replace this with an instance an unknown value.</p>
<p>Our first instinct might be:</p>
<div class="highlight"><pre><span></span><code><span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nv">%unknown</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">call</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="k">asm</span><span class="w"> </span><span class="s">""</span><span class="p">,</span><span class="w"> </span><span class="s">"=r"</span><span class="p">()</span>
<span class="w"> </span><span class="nv">%notx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%unknown</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="nv">%a</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%notx</span><span class="p">,</span><span class="w"> </span><span class="m">-101</span>
<span class="w"> </span><span class="nv">%b</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%a</span><span class="p">,</span><span class="w"> </span><span class="m">65</span>
<span class="w"> </span><span class="nv">%c</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%unknown</span><span class="p">,</span><span class="w"> </span><span class="m">110</span>
<span class="w"> </span><span class="nv">%neg</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%comp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%neg</span><span class="p">,</span><span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="nv">%d</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%comp</span><span class="p">,</span><span class="w"> </span><span class="m">81</span>
<span class="w"> </span><span class="nv">%sum1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%b</span><span class="p">,</span><span class="w"> </span><span class="nv">%d</span>
<span class="w"> </span><span class="nv">%sum2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum1</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%sum3</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum2</span><span class="p">,</span><span class="w"> </span><span class="m">-65</span>
<span class="w"> </span><span class="nv">%r</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum3</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%r</span>
<span class="p">}</span>
</code></pre></div>
<p>The new version of the code now uses a random register and breaks the optimizer, and also our reversing tools. The random use of a register does stick out, since it appears out of nowhere and looks like uninitialised use; we can do better. </p>
<p>Such as interweaving our expression into the existing code, for instance using an existing variable in the program. Since this contrived example doesn't have one, I will add a parameter to the function and use that instead.</p>
<div class="highlight"><pre><span></span><code><span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nv">%notx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="nv">%a</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%notx</span><span class="p">,</span><span class="w"> </span><span class="m">-101</span>
<span class="w"> </span><span class="nv">%b</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%a</span><span class="p">,</span><span class="w"> </span><span class="m">65</span>
<span class="w"> </span><span class="nv">%c</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">110</span>
<span class="w"> </span><span class="nv">%neg</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%comp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%neg</span><span class="p">,</span><span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="nv">%d</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%comp</span><span class="p">,</span><span class="w"> </span><span class="m">81</span>
<span class="w"> </span><span class="nv">%sum1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%b</span><span class="p">,</span><span class="w"> </span><span class="nv">%d</span>
<span class="w"> </span><span class="nv">%sum2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum1</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%sum3</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum2</span><span class="p">,</span><span class="w"> </span><span class="m">-65</span>
<span class="w"> </span><span class="nv">%r</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum3</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%r</span>
<span class="p">}</span>
</code></pre></div>
<p>The new code is now a mix of variables, arithmetic, and bitwise operations; this is known as <a href="https://theses.hal.science/tel-01623849/document">Mixed Boolean Arithmetic</a> (MBA), and our example is, in fact, a semi-linear MBA used for constant obfuscation.</p>
<p>Now the optimizer can't figure out that this is a constant expression (even if it simplifies it a bit):</p>
<p><code>opt sample02.ll -O2 -S</code></p>
<div class="highlight"><pre><span></span><code><span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">)</span><span class="w"> </span><span class="k">local_unnamed_addr</span><span class="w"> </span><span class="vg">#0</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nv">%c</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">110</span>
<span class="w"> </span><span class="nv">%comp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%c</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="nv">%d</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%comp</span><span class="p">,</span><span class="w"> </span><span class="m">81</span>
<span class="w"> </span><span class="nv nv-Anonymous">%1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">-65</span>
<span class="w"> </span><span class="nv">%sub.neg</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">nsw</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv nv-Anonymous">%1</span><span class="p">,</span><span class="w"> </span><span class="m">64</span>
<span class="w"> </span><span class="nv nv-Anonymous">%2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="k">nsw</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%c</span><span class="p">,</span><span class="w"> </span><span class="nv">%d</span>
<span class="w"> </span><span class="nv">%r</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="k">nsw</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sub.neg</span><span class="p">,</span><span class="w"> </span><span class="nv nv-Anonymous">%2</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%r</span>
<span class="p">}</span>
</code></pre></div>
<p>When viewed inside a decompiler the new complex expression now looks part of the functionality of the program. The interweaving with an existing value makes it hard for the decompiler to reason about the code. This is where using features in your reverse engineering tools to inform the decompiler about the state of certain values will help you to de-obfuscate this.</p>
<p>For now, the mystery value is once again secure; we require more work to figure it out before we can know the answer again.</p>
<h3 id="round-4-version-shock-llvm-18-vs-llvm-19">Round 4 — version shock LLVM 18 vs LLVM 19</h3>
<p>Up until now, we have been testing with <code>LLVM version 18.1.8</code>, but some time has passed in our contrived scenario, and we now have access to llvm 19 <code>LLVM version 19.1.7</code>. Let's rerun our command <code>opt sample02.ll -O2 -S</code></p>
<div class="highlight"><pre><span></span><code><span class="c">; ModuleID = 'sample02.ll'</span>
<span class="k">source_filename</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"sample02.ll"</span>
<span class="c">; Function Attrs: mustprogress nofree norecurse nosync nounwind willreturn memory(none)</span>
<span class="k">define</span><span class="w"> </span><span class="k">noundef</span><span class="w"> </span><span class="err">range</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="m">-110</span><span class="p">,</span><span class="w"> </span><span class="m">112</span><span class="p">)</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">)</span><span class="w"> </span><span class="k">local_unnamed_addr</span><span class="w"> </span><span class="vg">#0</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span>
<span class="p">}</span>
<span class="k">attributes</span><span class="w"> </span><span class="vg">#0</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="k">mustprogress</span><span class="w"> </span><span class="k">nofree</span><span class="w"> </span><span class="k">norecurse</span><span class="w"> </span><span class="k">nosync</span><span class="w"> </span><span class="k">nounwind</span><span class="w"> </span><span class="k">willreturn</span><span class="w"> </span><span class="err">memory</span><span class="p">(</span><span class="k">none</span><span class="p">)</span><span class="w"> </span><span class="p">}</span>
</code></pre></div>
<p>Wait ...what happened? The upgraded LLVM version can now reverse our encoded secret. If we run once more <code>opt sample02.ll -passes=early-cse -S</code> we get:</p>
<div class="highlight"><pre><span></span><code><span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nv">%notx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="nv">%a</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%notx</span><span class="p">,</span><span class="w"> </span><span class="m">-101</span>
<span class="w"> </span><span class="nv">%b</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%a</span><span class="p">,</span><span class="w"> </span><span class="m">65</span>
<span class="w"> </span><span class="nv">%c</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">110</span>
<span class="w"> </span><span class="nv">%neg</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%comp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%neg</span><span class="p">,</span><span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="nv">%d</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%comp</span><span class="p">,</span><span class="w"> </span><span class="m">81</span>
<span class="w"> </span><span class="nv">%sum1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%b</span><span class="p">,</span><span class="w"> </span><span class="nv">%d</span>
<span class="w"> </span><span class="nv">%sum2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum1</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%sum3</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum2</span><span class="p">,</span><span class="w"> </span><span class="m">-65</span>
<span class="w"> </span><span class="nv">%r</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum3</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%r</span>
<span class="p">}</span>
</code></pre></div>
<p>From the pipeline, we can see it's not the early-cse pass reverting our changes, but something new! We can figure out the exact cause for the optimization through the compiler explorer opt pipeline viewer.</p>
<p><code>opt sample02.ll -passes=instcombine,reassociate,instcombine,gvn,bdce -S</code></p>
<div class="highlight"><pre><span></span><code><span class="c">; ModuleID = 'sample02.ll'</span>
<span class="k">source_filename</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"sample02.ll"</span>
<span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span>
<span class="p">}</span>
</code></pre></div>
<p>A chain of just 5 passes: <code>InstCombine</code>, <code>Reassociate</code>, <code>InstCombine</code> again, <code>GVN</code>, and <code>BDCE</code>, is all it takes to unravel the expression down to zero. The culprit that triggers this is a single <a href="https://github.com/llvm/llvm-project/commit/cf5cd98e74275ed6198b4bbe76cec250ade2c186">commit</a> that landed in LLVM 19, adding several lines of code to InstCombine's <code>getFreelyInvertedImpl</code> function.</p>
<p>The new change is an example of the middle-end evolving and finding ways to augment optimization. The change teaches the pass to apply De Morgan's Law, <code>~(A | B) → (~A & ~B)</code>, allowing it to push a bitwise NOT recursively through OR and AND operations. Our obfuscation relied on exactly this: a final NOT tangled through nested ORs that the compiler couldn't see through. With DeMorgan inversion, the NOT layers peel away, and the expression flattens into a form where both sides of a subtraction are visibly identical. The compiler folds <code>x - x</code> to zero. A single rule of boolean algebra that LLVM 19 learned to apply collapsed our obfuscated expression. A beautiful example of how a seemingly small algebraic rule can unlock a much larger simplification</p>
<h3 id="round-5-one-constant-away-from-survival">Round 5 — one constant away from survival</h3>
<p>This is the arms race; obfuscation techniques that exploit gaps in compiler reasoning have an expiry date. The middle-end only gets smarter with each release. </p>
<p>One last fun remark, if we change both <code>65</code>s in our expression to <code>66</code> (and <code>-65</code> to <code>-66</code>) like so:</p>
<div class="highlight"><pre><span></span><code><span class="k">define</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="vg">@mystery</span><span class="p">(</span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nv">%notx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="nv">%a</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%notx</span><span class="p">,</span><span class="w"> </span><span class="m">-101</span>
<span class="w"> </span><span class="nv">%b</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%a</span><span class="p">,</span><span class="w"> </span><span class="m">66</span>
<span class="w"> </span><span class="nv">%c</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%arg1</span><span class="p">,</span><span class="w"> </span><span class="m">110</span>
<span class="w"> </span><span class="nv">%neg</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="m">0</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%comp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">sub</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%neg</span><span class="p">,</span><span class="w"> </span><span class="m">1</span>
<span class="w"> </span><span class="nv">%d</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%comp</span><span class="p">,</span><span class="w"> </span><span class="m">81</span>
<span class="w"> </span><span class="nv">%sum1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%b</span><span class="p">,</span><span class="w"> </span><span class="nv">%d</span>
<span class="w"> </span><span class="nv">%sum2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum1</span><span class="p">,</span><span class="w"> </span><span class="nv">%c</span>
<span class="w"> </span><span class="nv">%sum3</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum2</span><span class="p">,</span><span class="w"> </span><span class="m">-66</span>
<span class="w"> </span><span class="nv">%r</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="k">xor</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%sum3</span><span class="p">,</span><span class="w"> </span><span class="m">-1</span>
<span class="w"> </span><span class="k">ret</span><span class="w"> </span><span class="kt">i8</span><span class="w"> </span><span class="nv">%r</span>
<span class="p">}</span>
</code></pre></div>
<p>then it's enough to defeat the llvm 19 change. The expression still returns zero for every input, but the altered constants misalign the bit masks that InstCombine needs for its algebraic cancellation; the XOR residue left behind poisons the entire simplification chain. Not even the <code>opt</code> version 22.1.0 can fold it, even more intriguing.</p>
<h2 id="the-yin-yang_1">The yin-yang</h2>
<p>This post was a very simple primer on the topic, but it demonstrates that staying ahead means understanding not just what the compiler can do today, but what it will be able to do tomorrow. Whether you are building obfuscation or building tools to break it, the knowledge is the same: understanding how optimization passes reason about code is the foundation for both sides of the game.</p>
<p>That's the yin-yang at the heart of this whole story: the same machinery that helps hide intent can also reveal it, and each side sharpens the other over time. Better obfuscation pressures optimizers and analysis tools to evolve, while better optimization and de-obfuscation force obfuscation to become more thoughtful and less fragile. They are not opposites moving apart; they are complementary forces in the same cycle, and understanding that cycle is what makes you dangerous on either side.</p>
<p>If you made it this far, then I thank you for your time and hope you enjoyed the post :)</p>
<h2 id="acknowledgments">Acknowledgments</h2>
<p>Thanks to <a href="https://blog.quarkslab.com/author/beatrice-creusillet.html">Béatrice Creusillet</a> for her thorough review of my post. To Jean François for his encouragement, support and general jolliness :)</p>Clang Hardening Cheat Sheet - Ten Years Later2026-01-08T00:00:00+01:002026-01-08T00:00:00+01:00Daniel Jansontag:blog.quarkslab.com,2026-01-08:/clang-hardening-cheat-sheet-ten-years-later.html<p>Ten years ago, we published a <a href="https://blog.quarkslab.com/clang-hardening-cheat-sheet.html">Clang Hardening Cheat Sheet</a>. Since then, both the threat landscape and the Clang toolchain have evolved significantly. This blog post presents the new mitigations available in Clang to improve the security of your applications.</p><h2 id="introduction">Introduction</h2>
<p>Ten years ago, we published on this blog a <a href="https://blog.quarkslab.com/clang-hardening-cheat-sheet.html">Clang Hardening Cheat Sheet</a>. The original post walked through essential hardening techniques available at the time, such as <code>FORTIFY_SOURCE</code> checks, ASLR via position-independent code, stack protection (canaries and safe stack), Control Flow Integrity (CFI), GOT protection with RELRO/now, but also options to activate warnings about string formatting that could lead to potential attacks.</p>
<p>Since that article was published in early 2016, both the threat landscape and the Clang toolchain have evolved significantly.</p>
<p>To celebrate the 10th anniversary of the initial article, here is a new cheat sheet with some new hardening flags to improve security.</p>
<h2 id="tldr">TL;DR</h2>
<p>The <a href="https://best.openssf.org/">OpenSSF Best Practices Working Group</a> maintains a <a href="https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html">Compiler Options Hardening Guide for C and C++</a>. They recommend using the following set of options:</p>
<div class="highlight"><pre><span></span><code>-O2<span class="w"> </span>-Wall<span class="w"> </span>-Wformat<span class="w"> </span>-Wformat<span class="o">=</span><span class="m">2</span><span class="w"> </span>-Wconversion<span class="w"> </span>-Wimplicit-fallthrough<span class="w"> </span><span class="se">\</span>
-Werror<span class="o">=</span>format-security<span class="w"> </span><span class="se">\</span>
-U_FORTIFY_SOURCE<span class="w"> </span>-D_FORTIFY_SOURCE<span class="o">=</span><span class="m">3</span><span class="w"> </span><span class="se">\</span>
-D_GLIBCXX_ASSERTIONS<span class="w"> </span><span class="se">\</span>
-fstrict-flex-arrays<span class="o">=</span><span class="m">3</span><span class="w"> </span><span class="se">\</span>
-fstack-clash-protection<span class="w"> </span>-fstack-protector-strong<span class="w"> </span><span class="se">\</span>
-Wl,-z,nodlopen<span class="w"> </span>-Wl,-z,noexecstack<span class="w"> </span><span class="se">\</span>
-Wl,-z,relro<span class="w"> </span>-Wl,-z,now<span class="w"> </span><span class="se">\</span>
-Wl,--as-needed<span class="w"> </span>-Wl,--no-copy-dt-needed-entries
</code></pre></div>
<p>The options we recommended in our original blog post are still present, even if some have evolved (<code>-Wformat=2</code>, <code>-D_FORTIFY_SOURCE=3</code>). Others have been added:</p>
<ul>
<li>to enable some compiler warnings: <code>-Wconversion</code>, <code>-Wimplicit-fallthrough</code>;</li>
<li>to limit the attack surface by only linking against necessary libraries: <code>-Wl,--as-needed</code> <code>-Wl,--no-copy-dt-needed-entries</code>;</li>
<li>to harden the code against attacks: <code>-D_GLIBCXX_ASSERTIONS</code>, <code>-fstrict-flex-arrays=3</code>, <code>-fstack-clash-protection</code>, <code>-Wl,-z,nodlopen</code>, <code>-Wl,-z,noexecstack</code>.</li>
</ul>
<p>In this post, we present the additional hardening options recommended by the OpenSSF, as well as more specialized options that mitigate newer classes of exploits. We first go through several general protections when using the standard C/C++ libraries or loading libraries. Then we present mitigations against stack-based memory corruption, and the use of Return-Oriented Programming (ROP) or Jump-Oriented Programming (JOP) attacks. And finally, we talk about the defenses against speculative execution attacks.</p>
<h2 id="general-protections">General Protections</h2>
<h3 id="fortify">Fortify</h3>
<p>Since last time, the <code>-D_FORTIFY_SOURCE</code> flag has evolved. It now provides a level 3<sup id="fnref:RedHatDevGuideFortifySource"><a class="footnote-ref" href="#fn:RedHatDevGuideFortifySource">1</a></sup>, which includes all the security features of levels 1 and 2, along with additional checks for potentially dangerous code patterns. These additional checks are designed to detect a wider range of security issues, including:</p>
<ul>
<li>Unsafe usage of <code>memcpy</code> and <code>memmove</code></li>
<li>Risky use of <code>snprintf</code>, <code>vsnprintf</code>, and related functions</li>
<li>Potentially dangerous string manipulation functions such as <code>strtok</code>, <code>strncat</code>, and <code>strpbrk</code></li>
</ul>
<h3 id="c-library-hardening">C++ Library Hardening</h3>
<p>In addition to <code>-D_FORTIFY_SOURCE</code>, C++ developers can enable extra runtime checks in the standard library by defining <code>-D_GLIBCXX_ASSERTIONS</code>.</p>
<p>This option is one of several supported by the <code>libstdc++</code> library and it is used to enable various <code>NULL</code> pointer and bounds checking security features.</p>
<h3 id="nodlopen">nodlopen</h3>
<p>The <code>-Wl,-z,nodlopen</code> linker flag is used to <strong>prevent a shared object from being dynamically loaded at runtime using <code>dlopen()</code></strong>.</p>
<p>This can help in reducing an attacker’s ability to load and manipulate shared objects.</p>
<p>To test this flag, let's compile a simple shared object:</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span>
<span class="kt">void</span><span class="w"> </span><span class="nf">example_function</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Hello from the dynamically loaded library!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>We compile it with the <code>nodlopen</code> linker flag:</p>
<div class="highlight"><pre><span></span><code>clang<span class="w"> </span>-fPIC<span class="w"> </span>-c<span class="w"> </span>src/libexample.c<span class="w"> </span>-o<span class="w"> </span>libexample.o
clang<span class="w"> </span>-Wl,-z,nodlopen<span class="w"> </span>-shared<span class="w"> </span>libexample.o<span class="w"> </span>-o<span class="w"> </span>libexample.so
</code></pre></div>
<p>Now we can attempt to load it at runtime using dlopen:</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><dlfcn.h></span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">handle</span><span class="p">;</span>
<span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">func</span><span class="p">)(</span><span class="kt">void</span><span class="p">);</span>
<span class="w"> </span><span class="cm">/* Load the shared library */</span>
<span class="w"> </span><span class="n">handle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">dlopen</span><span class="p">(</span><span class="s">"./libexample.so"</span><span class="p">,</span><span class="w"> </span><span class="n">RTLD_NOW</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">handle</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span><span class="w"> </span><span class="s">"dlopen failed: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">dlerror</span><span class="p">());</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="cm">/* Resolve the symbol */</span>
<span class="w"> </span><span class="n">func</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="p">)(</span><span class="kt">void</span><span class="p">))</span><span class="n">dlsym</span><span class="p">(</span><span class="n">handle</span><span class="p">,</span><span class="w"> </span><span class="s">"example_function"</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">func</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span><span class="w"> </span><span class="s">"dlsym failed: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">dlerror</span><span class="p">());</span>
<span class="w"> </span><span class="n">dlclose</span><span class="p">(</span><span class="n">handle</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="cm">/* Call the function */</span>
<span class="w"> </span><span class="n">func</span><span class="p">();</span>
<span class="w"> </span><span class="cm">/* Close the library */</span>
<span class="w"> </span><span class="n">dlclose</span><span class="p">(</span><span class="n">handle</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>When we run this program, we get the following error:</p>
<div class="highlight"><pre><span></span><code>╭─trikkss@archlinux<span class="w"> </span>~/work/clang-hardening/tests/nodlopen<span class="w"> </span>‹main*›
╰─➤<span class="w"> </span>./main
dlopen<span class="w"> </span>failed:<span class="w"> </span>./libexample.so:<span class="w"> </span>shared<span class="w"> </span>object<span class="w"> </span>cannot<span class="w"> </span>be<span class="w"> </span>dlopen<span class="o">()</span>ed
</code></pre></div>
<p>This demonstrates that the <code>nodlopen</code> flag effectively prevents the shared library from being loaded dynamically at runtime. Note that this does not prevent the library from being linked at build time:</p>
<div class="highlight"><pre><span></span><code>╭─trikkss@archlinux<span class="w"> </span>~/work/clang-hardening/tests/nodlopen<span class="w"> </span>‹main*›
╰─➤<span class="w"> </span>cat<span class="w"> </span>src/main2.c
<span class="c1">#include <stdio.h></span>
/*<span class="w"> </span>declaration<span class="w"> </span>of<span class="w"> </span>the<span class="w"> </span>library<span class="w"> </span><span class="k">function</span><span class="w"> </span>*/
void<span class="w"> </span>example_function<span class="o">(</span>void<span class="o">)</span><span class="p">;</span>
int<span class="w"> </span>main<span class="o">(</span>void<span class="o">)</span>
<span class="o">{</span>
<span class="w"> </span>example_function<span class="o">()</span><span class="p">;</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="m">0</span><span class="p">;</span>
<span class="o">}</span>
╭─trikkss@archlinux<span class="w"> </span>~/work/clang-hardening/tests/nodlopen<span class="w"> </span>‹main*›
╰─➤<span class="w"> </span>clang<span class="w"> </span>-o<span class="w"> </span>main2<span class="w"> </span>src/main2.c<span class="w"> </span><span class="nv">$PWD</span>/libexample.so
╭─trikkss@archlinux<span class="w"> </span>~/work/clang-hardening/tests/nodlopen<span class="w"> </span>‹main*›
╰─➤<span class="w"> </span>ldd<span class="w"> </span>main2
<span class="w"> </span>linux-vdso.so.1<span class="w"> </span><span class="o">(</span>0x00007fec50fe3000<span class="o">)</span>
<span class="w"> </span>/home/trikkss/work/clang-hardening/tests/nodlopen/libexample.so<span class="w"> </span><span class="o">(</span>0x00007fec50fd1000<span class="o">)</span>
<span class="w"> </span>libc.so.6<span class="w"> </span><span class="o">=</span>><span class="w"> </span>/usr/lib/libc.so.6<span class="w"> </span><span class="o">(</span>0x00007fec50c00000<span class="o">)</span>
<span class="w"> </span>/lib64/ld-linux-x86-64.so.2<span class="w"> </span><span class="o">=</span>><span class="w"> </span>/usr/lib64/ld-linux-x86-64.so.2<span class="w"> </span><span class="o">(</span>0x00007fec50fe5000<span class="o">)</span>
╭─trikkss@archlinux<span class="w"> </span>~/work/clang-hardening/tests/nodlopen<span class="w"> </span>‹main*›
╰─➤<span class="w"> </span>./main2
Hello<span class="w"> </span>from<span class="w"> </span>the<span class="w"> </span>dynamically<span class="w"> </span>loaded<span class="w"> </span>library!
</code></pre></div>
<p>If we inspect the dynamic section of the library, and compare it to the dynamic section of the same library generated without <code>nodlopen</code>, we can see that the main difference is the presence of the flag <code>NOOPEN</code>:</p>
<div class="highlight"><pre><span></span><code>2c2
<<span class="w"> </span>Dynamic<span class="w"> </span>section<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span>0x2e08<span class="w"> </span>contains<span class="w"> </span><span class="m">24</span><span class="w"> </span>entries:
---
><span class="w"> </span>Dynamic<span class="w"> </span>section<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span>0x2df8<span class="w"> </span>contains<span class="w"> </span><span class="m">25</span><span class="w"> </span>entries:
7c7
<<span class="w"> </span>0x0000000000000019<span class="w"> </span><span class="o">(</span>INIT_ARRAY<span class="o">)</span><span class="w"> </span>0x3df8
---
><span class="w"> </span>0x0000000000000019<span class="w"> </span><span class="o">(</span>INIT_ARRAY<span class="o">)</span><span class="w"> </span>0x3de8
9c9
<<span class="w"> </span>0x000000000000001a<span class="w"> </span><span class="o">(</span>FINI_ARRAY<span class="o">)</span><span class="w"> </span>0x3e00
---
><span class="w"> </span>0x000000000000001a<span class="w"> </span><span class="o">(</span>FINI_ARRAY<span class="o">)</span><span class="w"> </span>0x3df0
22a23
><span class="w"> </span>0x000000006ffffffb<span class="w"> </span><span class="o">(</span>FLAGS_1<span class="o">)</span><span class="w"> </span>Flags:<span class="w"> </span>NOOPEN
</code></pre></div>
<p>The protection may therefore be easy to bypass: if an attacker has write access to the library in question, they can easily patch it.</p>
<h2 id="defenses-against-stack-based-memory-corruption_1">Defenses Against Stack-Based Memory Corruption</h2>
<h3 id="non-executable-stack-nx">Non-Executable Stack (NX)</h3>
<p>One of the oldest and simplest exploit mitigation mechanisms is the non-executable stack. The idea is to prevent code execution directly from the stack, which was a common exploitation technique in early stack-based buffer overflow attacks.</p>
<p>When a binary is compiled or linked with the <code>noexecstack</code> flag, the stack memory region is marked as non-executable. As a result, even if an attacker manages to inject shellcode onto the stack and redirect execution to it, the CPU will refuse to execute it and will raise a fault.</p>
<p>Today, this protection is enabled by default on most modern systems and toolchains.</p>
<h3 id="stack-clash-vulnerabilities">Stack clash vulnerabilities</h3>
<p>During its execution, a program uses the stack memory region to store data. This memory region is special because it grows automatically as the program needs more stack memory. To prevent uncontrolled growth, modern operating systems place guard pages below the stack, which trigger a fault when the stack grows too far.</p>
<p>A <strong>stack clash occurs when the stack grows by a very large amount at once and skips over these guard pages</strong>. As a result, the stack can collide with another memory region, such as the heap or a memory-mapped area, without triggering an immediate fault. This can cause stack writes to corrupt adjacent memory regions, or allow other memory regions to overlap with the stack, leading to memory corruption and potential exploitation.</p>
<p>The Stack Clash vulnerability was publicly disclosed on <strong>June 19, 2017</strong> by the Qualys research team<sup id="fnref:QualysStackClash"><a class="footnote-ref" href="#fn:QualysStackClash">2</a></sup>. </p>
<h3 id="stack-clash-protection">Stack Clash Protection</h3>
<p>LLVM's solution to this problem is to divide large allocations into smaller ones of size <code>PAGE_SIZE</code> as described in this <a href="https://blog.llvm.org/posts/2021-01-05-stack-clash-protection/">blog post</a>. This can be done by adding the <code>-fstack-clash-protection</code> compilation flag.</p>
<p>To observe this behavior, we can compile a simple C program that allocates a large buffer on the stack:</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span>
<span class="cp">#include</span><span class="w"> </span><span class="cpf"><sys/user.h></span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">buffer</span><span class="p">[</span><span class="n">PAGE_SIZE</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">10</span><span class="p">];</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"hello world</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>Without stack clash protection enabled, the generated assembly looks like this:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000401130</span><span class="w"> </span><span class="err"><</span><span class="nf">main</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">401130:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">401131:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">401134:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">81</span><span class="w"> </span><span class="nf">ec</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="no">a0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0xa010</span>
<span class="w"> </span><span class="err">40113</span><span class="nl">b:</span><span class="w"> </span><span class="nf">c7</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">fc</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x4</span><span class="p">],</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">401142:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">bb</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xebb</span><span class="p">]</span><span class="w"> </span><span class="c1"># 402004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">401149:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">40114</span><span class="nl">b:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">e0</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">401030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">401150:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">401152:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">81</span><span class="w"> </span><span class="nf">c4</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="no">a0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0xa010</span>
<span class="w"> </span><span class="err">401159:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">40115</span><span class="nl">a:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<p>Here, we can clearly identify a single large stack allocation performed by the instruction <code>sub rsp, 0xa010</code>, which decreases the stack pointer by more than ten pages at once.</p>
<p>Now, we can take a look at the hardened version of this program:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000401140</span><span class="w"> </span><span class="err"><</span><span class="nf">main</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">401140:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">401141:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">401144:</span><span class="w"> </span><span class="err">49</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e3</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">r11</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">401147:</span><span class="w"> </span><span class="err">49</span><span class="w"> </span><span class="err">81</span><span class="w"> </span><span class="nf">eb</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">a0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">r11</span><span class="p">,</span><span class="mi">0xa000</span>
<span class="w"> </span><span class="err">40114</span><span class="nl">e:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">81</span><span class="w"> </span><span class="nf">ec</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x1000</span>
<span class="w"> </span><span class="err">401155:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="nf">c7</span><span class="w"> </span><span class="mi">04</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rsp</span><span class="p">],</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">40115</span><span class="nl">c:</span><span class="w"> </span><span class="err">00</span>
<span class="w"> </span><span class="err">40115</span><span class="nl">d:</span><span class="w"> </span><span class="err">4</span><span class="nf">c</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="no">dc</span><span class="w"> </span><span class="no">cmp</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="no">r11</span>
<span class="w"> </span><span class="err">401160:</span><span class="w"> </span><span class="err">75</span><span class="w"> </span><span class="nf">ec</span><span class="w"> </span><span class="no">jne</span><span class="w"> </span><span class="mh">40114e</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0xe</span><span class="p">></span>
<span class="w"> </span><span class="err">401162:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="nf">ec</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x20</span>
<span class="w"> </span><span class="err">401166:</span><span class="w"> </span><span class="err">64</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">04</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="no">fs</span><span class="p">:</span><span class="mi">0x28</span>
<span class="w"> </span><span class="err">40116</span><span class="nl">d:</span><span class="w"> </span><span class="err">00</span><span class="w"> </span><span class="err">00</span>
<span class="w"> </span><span class="err">40116</span><span class="nl">f:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="nf">f8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="no">rax</span>
<span class="w"> </span><span class="err">401173:</span><span class="w"> </span><span class="nf">c7</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="no">ec</span><span class="w"> </span><span class="mi">5</span><span class="no">f</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0xa014</span><span class="p">],</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">40117</span><span class="nl">a:</span><span class="w"> </span><span class="err">00</span><span class="w"> </span><span class="err">00</span><span class="w"> </span><span class="err">00</span>
<span class="w"> </span><span class="err">40117</span><span class="nl">d:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xe80</span><span class="p">]</span><span class="w"> </span><span class="c1"># 402004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">401184:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">401186:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">b5</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">401040</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">40118</span><span class="nl">b:</span><span class="w"> </span><span class="err">64</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">04</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="no">fs</span><span class="p">:</span><span class="mi">0x28</span>
<span class="w"> </span><span class="err">401192:</span><span class="w"> </span><span class="err">00</span><span class="w"> </span><span class="err">00</span>
<span class="w"> </span><span class="err">401194:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">4</span><span class="no">d</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">]</span>
<span class="w"> </span><span class="err">401198:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">39</span><span class="w"> </span><span class="nf">c8</span><span class="w"> </span><span class="no">cmp</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">rcx</span>
<span class="w"> </span><span class="err">40119</span><span class="nl">b:</span><span class="w"> </span><span class="err">75</span><span class="w"> </span><span class="err">0</span><span class="nf">b</span><span class="w"> </span><span class="no">jne</span><span class="w"> </span><span class="mh">4011a8</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0x68</span><span class="p">></span>
<span class="w"> </span><span class="err">40119</span><span class="nl">d:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">40119</span><span class="nl">f:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">81</span><span class="w"> </span><span class="nf">c4</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="no">a0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0xa020</span>
<span class="w"> </span><span class="err">4011</span><span class="nl">a6:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">4011</span><span class="nl">a7:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
<span class="w"> </span><span class="err">4011</span><span class="nl">a8:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">401030</span> <span class="p"><</span><span class="no">__stack_chk_fail@plt</span><span class="p">></span>
</code></pre></div>
<p>We can see that the single stack allocation (<code>sub rsp, 0xa10</code>) has been replaced by a loop (address <code>40114e</code>) that grows the stack by 0x1000 bytes (size of a memory page) per iteration until the stack pointer reaches the target address, touching each page along the way (<code>mov QWORD PTR [rsp],0x0</code>) to ensure that all guard pages are accessed and no stack guard is skipped.</p>
<h2 id="defenses-against-code-reuse-attacks-ropjop_1">Defenses Against Code-Reuse Attacks (ROP/JOP)</h2>
<h3 id="code-reuse-attacks">Code-Reuse Attacks</h3>
<p>Modern exploitation techniques rarely rely on injecting new code. Instead, attackers increasingly reuse existing code already present in the binary or in linked libraries. This class of attacks, commonly referred to as code-reuse attacks, bypasses traditional defenses such as non-executable stack memory (NX) by chaining together short instruction sequences called gadgets that end with indirect control-flow transfers.</p>
<p>The most well-known form is <strong>Return-Oriented Programming (ROP)</strong>, where execution is redirected through a sequence of RET instructions by overwriting the return address of a function. Variants such as <strong>Jump-Oriented Programming (JOP)</strong> and <strong>Call-Oriented Programming (COP)</strong> rely on indirect jumps or calls instead.</p>
<p>To mitigate these issues, modern defenses focus on controlling where indirect branches are allowed to land, protecting return addresses, or reducing the usefulness of available gadgets. Rather than preventing memory corruption itself, these mechanisms aim to constrain how corrupted control flow can be exploited.</p>
<p>In the following sections, we will examine how Clang compilation flags implement these strategies through hardware-assisted features and compiler-driven transformations, and how they can be combined to harden binaries against code-reuse attacks in practice.</p>
<p>If you want to learn more about how ROP works, I recommend the following blog post: <a href="https://en.hackndo.com/return-oriented-programming/">ROP - Return-Oriented Programming by Pixis</a>.</p>
<h3 id="control-flow-protection-x86">Control-Flow Protection (x86)</h3>
<p>Modern x86_64 CPUs from Intel support Control-flow Enforcement Technology (CET), a hardware-assisted mechanism to protect against code-reuse attacks. CET combines two complementary features:</p>
<ul>
<li><strong>IBT (Indirect Branch Tracking)</strong>: protects against Jump/Call-Oriented Programming (JOP) attacks.</li>
<li><strong>Shadow Stack (SHSTK)</strong>: protects against Return-Oriented Programming (ROP) attacks.</li>
</ul>
<p>Clang exposes CET through the <code>-fcf-protection</code> flag, which can take several values: </p>
<ul>
<li><code>-fcf-protection=return</code>: enables shadow stack protection (SHSTK);</li>
<li><code>-fcf-protection=branch</code>: enables endbranch (EB) generation (IBT);</li>
<li><code>-fcf-protection=full</code>: enables shadow stack protection and endbranch (EB) generation; this is the same as specifying this compiler option with no keyword;</li>
<li><code>-fcf-protection=none</code>: disables Intel CET protection.</li>
</ul>
<p>To study this security mechanism, consider the following trivial function: </p>
<div class="highlight"><pre><span></span><code><span class="kt">void</span><span class="w"> </span><span class="nf">hello_world</span><span class="p">()</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"hello world</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>When compiled without CET, the assembly code looks like:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000401130</span><span class="w"> </span><span class="err"><</span><span class="nf">hello_world</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">401130:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">401131:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">401134:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">c9</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xec9</span><span class="p">]</span><span class="w"> </span><span class="c1"># 402004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">40113</span><span class="nl">b:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">40113</span><span class="nl">d:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">401030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">401142:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">401143:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<p>and compiled with <code>-fcf-protection=full</code>, it looks like:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000001150</span><span class="w"> </span><span class="err"><</span><span class="nf">hello_world</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">1150:</span><span class="w"> </span><span class="nf">f3</span><span class="w"> </span><span class="mi">0</span><span class="no">f</span><span class="w"> </span><span class="mi">1</span><span class="no">e</span><span class="w"> </span><span class="no">fa</span><span class="w"> </span><span class="no">endbr64</span>
<span class="w"> </span><span class="err">1154:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1155:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1158:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">a5</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xea5</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">115</span><span class="nl">f:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">1161:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">da</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">1040</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">1166:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1167:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<p>The only difference is the <code>ENDBR64</code> instruction at the beginning, which acts as a landing pad for indirect branches under IBT.</p>
<p>If we look at the properties of our ELFs, the hardened binary declares support for <strong>IBT</strong> and <strong>SHSTK</strong>:</p>
<div class="highlight"><pre><span></span><code><span class="err">╭─</span><span class="n">trikkss</span><span class="nv">@archlinux</span><span class="w"> </span><span class="o">~/</span><span class="k">work</span><span class="o">/</span><span class="n">clang</span><span class="o">-</span><span class="n">hardening</span><span class="o">/</span><span class="n">tests</span><span class="o">/</span><span class="n">fcf</span><span class="o">-</span><span class="n">protection</span><span class="w"> </span><span class="err">‹</span><span class="n">main</span><span class="o">*</span><span class="err">›</span>
<span class="err">╰─➤</span><span class="w"> </span><span class="n">readelf</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">main</span><span class="o">-</span><span class="n">hardened</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">grep</span><span class="w"> </span><span class="n">Properties</span>
<span class="w"> </span><span class="nl">Properties</span><span class="p">:</span><span class="w"> </span><span class="n">x86</span><span class="w"> </span><span class="nl">feature</span><span class="p">:</span><span class="w"> </span><span class="n">IBT</span><span class="p">,</span><span class="w"> </span><span class="n">SHSTK</span>
<span class="err">╭─</span><span class="n">trikkss</span><span class="nv">@archlinux</span><span class="w"> </span><span class="o">~/</span><span class="k">work</span><span class="o">/</span><span class="n">clang</span><span class="o">-</span><span class="n">hardening</span><span class="o">/</span><span class="n">tests</span><span class="o">/</span><span class="n">fcf</span><span class="o">-</span><span class="n">protection</span><span class="w"> </span><span class="err">‹</span><span class="n">main</span><span class="o">*</span><span class="err">›</span>
<span class="err">╰─➤</span><span class="w"> </span><span class="n">readelf</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">main</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">grep</span><span class="w"> </span><span class="n">Properties</span>
<span class="w"> </span><span class="nl">Properties</span><span class="p">:</span><span class="w"> </span><span class="n">x86</span><span class="w"> </span><span class="n">ISA</span><span class="w"> </span><span class="nl">needed</span><span class="p">:</span><span class="w"> </span><span class="n">x86</span><span class="o">-</span><span class="mi">64</span><span class="o">-</span><span class="n">baseline</span>
</code></pre></div>
<blockquote>
<p>⚠️ Today in the 64-bit linux kernel, only <strong>userspace shadow stack</strong> and <strong>kernel IBT</strong> are supported (<a href="https://www.kernel.org/doc/html/next/x86/shstk.html">kernel.org - Control-flow Enforcement Technology (CET) Shadow Stack</a>).</p>
<p>Windows doesn't support Indirect Branch Tracking</p>
</blockquote>
<h4 id="indirect-branch-tracking">Indirect Branch Tracking</h4>
<p>When IBT is enabled, the compiler inserts landing pads at the beginning of functions that may be the target of an indirect branch. These landing pads are represented by the <em>end branch</em> instructions (<code>ENDBR32</code> and <code>ENDBR64</code>). On Intel processors, if this property is enabled, the program can only jump to an <em>end branch</em>. This prevents attackers from using JOP gadgets because they are only allowed to jump to addresses marked by <code>ENDBR</code> instructions.</p>
<p>It is still possible to hijack the program’s control flow, but the options available to an attacker are limited. Additionally, this protection does not prevent ROP attacks.</p>
<h4 id="shadow-stack">Shadow Stack</h4>
<p>Shadow stack, also referred to as SHSTK, is a backward-edge code flow integrity protection feature available in both Intel and AMD processors. Its main purpose is to protect the integrity of return addresses on the call stack to prevent return-oriented programming (ROP) attacks.</p>
<p>The way it works is conceptually straightforward: every time a <code>CALL</code> instruction is executed, the CPU pushes the return address not only onto the regular stack but also onto a separate, protected “shadow” stack. Later, when a <code>RET</code> instruction is executed, the CPU checks that the return address on the normal stack matches the one on the shadow stack. If the two addresses differ, a fault is triggered, preventing the program from returning to an attacker-controlled location.</p>
<h3 id="control-flow-protection-arm">Control-Flow Protection (ARM)</h3>
<p>Just as x86 systems can be protected using CET, ARM provides equivalent hardware-assisted mechanisms through <strong>PAC (Pointer Authentication Codes)</strong> and <strong>BTI (Branch Target Identification)</strong>. The Clang flag <code>-mbranch-protection</code> enables these protections, which are designed to prevent code-reuse attacks such as ROP, JOP, and COP on ARM systems.</p>
<p>Clang exposes PAC and BIT through the <code>-mbranch-protection</code> flag, which can take several values:</p>
<ul>
<li><strong>none</strong> : Disables all types of branch protection.</li>
<li><strong>standard</strong> : Enables Branch Target Identification (BTI) and Pointer Authentication Code (PAC) branch protection</li>
<li><strong>bti</strong> : Enables branch protection using BTI.</li>
<li><strong>pac-ret</strong>: Enables branch protection using PAC.</li>
</ul>
<p>For more information on these flags, you can consult the <a href="https://developer.arm.com/documentation/107976/20-1-0/Clang-reference/clang-command-line-options/-mbranch-protection">ARM Developer Manual</a>.</p>
<h4 id="branch-target-identification-bti">Branch Target Identification (BTI)</h4>
<p>Branch Target Identification (BTI) is an architectural hardware security feature that restricts the set of valid destination addresses for indirect branch instructions. By enforcing where indirect calls and jumps are allowed to land, BTI helps mitigate <strong>Jump-Oriented Programming (JOP)</strong> and <strong>Call-Oriented Programming (COP)</strong> attacks.</p>
<p>To examine how this mechanism works in practice, we can once again compile a trivial function and inspect the generated assembly code.</p>
<p>Here is the assembly code of a simple hello world compiled without BTI :</p>
<div class="highlight"><pre><span></span><code><span class="nf">STP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="p">,</span><span class="mi">#-0</span><span class="no">x10</span><span class="err">+</span><span class="no">var_s0</span><span class="p">]!</span>
<span class="nf">MOV</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">SP</span>
<span class="nf">ADRL</span><span class="w"> </span><span class="no">X0</span><span class="p">,</span><span class="w"> </span><span class="no">aHelloWorld</span><span class="w"> </span><span class="c1">; "hello world\n"</span>
<span class="nf">BL</span><span class="w"> </span><span class="no">.printf</span>
<span class="nf">LDP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="err">+</span><span class="no">var_s0</span><span class="p">],</span><span class="mi">#0</span><span class="no">x10</span>
<span class="nf">RET</span>
</code></pre></div>
<p>And here is the hardened version compiled with BTI enabled:</p>
<div class="highlight"><pre><span></span><code><span class="nf">BTI</span><span class="w"> </span><span class="no">c</span>
<span class="nf">STP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="p">,</span><span class="mi">#-0</span><span class="no">x10</span><span class="err">+</span><span class="no">var_s0</span><span class="p">]!</span>
<span class="nf">MOV</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">SP</span>
<span class="nf">ADRL</span><span class="w"> </span><span class="no">X0</span><span class="p">,</span><span class="w"> </span><span class="no">aHelloWorld</span><span class="w"> </span><span class="c1">; "hello world\n"</span>
<span class="nf">BL</span><span class="w"> </span><span class="no">.printf</span>
<span class="nf">LDP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="err">+</span><span class="no">var_s0</span><span class="p">],</span><span class="mi">#0</span><span class="no">x10</span>
<span class="nf">RET</span>
</code></pre></div>
<p>The only visible difference is the addition of a BTI instruction at the beginning of the function. This instruction plays a role similar to the <code>ENDBR</code> instruction on x86: every indirect branch must land on a valid <code>BTI</code> instruction, otherwise execution is aborted.</p>
<p>Unlike <code>ENDBR</code>, the <code>BTI</code> instruction takes an operand that specifies which types of indirect branches are allowed to target this location.</p>
<p>The operand controls the value of the <code>PSTATE.BTYPE</code> register, a 2-bit field that encodes the type of indirect control flow:</p>
<ul>
<li><code>00</code> - none</li>
<li><code>01</code> - CALLS (c)</li>
<li><code>10</code> - JUMPS (j)</li>
<li><code>11</code> - JUMPS and CALLS (jc)</li>
</ul>
<p>In this example, the <code>BTI c</code> instruction indicates that only indirect calls are allowed to branch to this function entry point. Indirect jumps targeting this address would result in a fault.</p>
<p>By enforcing these constraints, BTI significantly reduces the set of valid gadget entry points available to an attacker. While it does not completely prevent control-flow hijacking, it limits exploitation to a restricted set of legitimate targets, making JOP and COP chains much harder to construct reliably.</p>
<p>As with similar mechanisms on x86 (IBT), BTI doesn't protect against return-oriented programming. To achieve full control-flow integrity on ARM systems, BTI can be combined with PAC.</p>
<h4 id="pointer-authentication-codes-pac">Pointer Authentication Codes (PAC)</h4>
<p>Pointer Authentication Codes (PAC) is a hardware-assisted mechanism on ARM64 that protects against ROP by signing return addresses.</p>
<p>When a function is called, PAC generates a cryptographic signature using:</p>
<ul>
<li>A key register (A or B) provided by the CPU.</li>
<li>A modifier, which can include context such as the stack pointer (SP) to prevent reuse of signed pointers across different functions.</li>
</ul>
<p>The return address is then signed and stored on the stack. When the function returns, the CPU verifies the signature using the same key and modifier. If the signature is invalid, the program triggers a fault, effectively preventing the execution of an attacker-controlled return address.</p>
<p>Pointer authentication takes advantage of the fact that pointers are stored in a 64-bit format, but not all those bits are needed to represent the address. The virtual address space layout is the following:</p>
<ul>
<li>kernel space : <code>0xFFF0_0000_0000_0000</code> to <code>0xFFFF_FFFF_FFFF_FFFF</code></li>
<li>user space : <code>0x0000_0000_0000_0000</code> to <code>0x00FF_FFFF_FFFF_FFFF</code></li>
</ul>
<p>Any address that falls outside of both ranges is always invalid and results in a fault if accessed.</p>
<p>You can see that any valid virtual address has its top 12 bits as <code>0x000</code> or <code>0xFFF</code>. When pointer authentication is enabled, the upper bits are used to store a signature and are not treated as part of the address. This signature is referred to as a Pointer Authentication Code (PAC). Its size can change depending on the architecture.</p>
<p>Here is an example taken from the <a href="https://developer.arm.com/documentation/102433/0200/Return-oriented-programming">ARM developer Manual - Return-Oriented Programming</a>:</p>
<div class="highlight"><pre><span></span><code><span class="nf">SIGNED</span><span class="w"> </span><span class="no">POINTER</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="no">PAC</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="no">POINTER</span>
<span class="nl">e.g:</span>
<span class="nf">PAC</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="mi">0x123</span>
<span class="nf">POINTER</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="mi">0x0007FFFF5678</span>
<span class="nf">SIGNED</span><span class="w"> </span><span class="no">POINTER</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="mi">0x1237FFFF5678</span>
</code></pre></div>
<p>To analyse this security mechanism, we can use our previous hello world example:</p>
<div class="highlight"><pre><span></span><code><span class="nf">STP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="p">,</span><span class="mi">#-0</span><span class="no">x10</span><span class="err">+</span><span class="no">var_s0</span><span class="p">]!</span>
<span class="nf">MOV</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">SP</span>
<span class="nf">ADRL</span><span class="w"> </span><span class="no">X0</span><span class="p">,</span><span class="w"> </span><span class="no">aHelloWorld</span><span class="w"> </span><span class="c1">; "hello world\n"</span>
<span class="nf">BL</span><span class="w"> </span><span class="no">.printf</span>
<span class="nf">LDP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="err">+</span><span class="no">var_s0</span><span class="p">],</span><span class="mi">#0</span><span class="no">x10</span>
<span class="nf">RET</span>
</code></pre></div>
<p>and compile it with PAC enabled:</p>
<div class="highlight"><pre><span></span><code><span class="nf">PACIASP</span>
<span class="nf">STP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="p">,</span><span class="mi">#-0</span><span class="no">x10</span><span class="err">+</span><span class="no">var_s0</span><span class="p">]!</span>
<span class="nf">MOV</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">SP</span>
<span class="nf">ADRL</span><span class="w"> </span><span class="no">X0</span><span class="p">,</span><span class="w"> </span><span class="no">aHelloWorld</span><span class="w"> </span><span class="c1">; "hello world\n"</span>
<span class="nf">BL</span><span class="w"> </span><span class="no">.printf</span>
<span class="nf">LDP</span><span class="w"> </span><span class="no">X29</span><span class="p">,</span><span class="w"> </span><span class="no">X30</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="no">SP</span><span class="err">+</span><span class="no">var_s0</span><span class="p">],</span><span class="mi">#0</span><span class="no">x10</span>
<span class="nf">RETAA</span>
</code></pre></div>
<p>As we can see, two things have changed between the two versions. A <code>PACIASP</code> instruction has been added at the beginning, and the <code>RET</code> instruction has been changed to a <code>RETAA</code> instruction.</p>
<p>The <code>PACIASP</code> instruction signs the return address with key register <code>A</code> and uses <code>SP</code> as a modifier. The <code>RETAA</code> instruction means that the return address must be checked using the key register <code>A</code>.</p>
<p>Several PAC bypasses exist, depending on how pointer authentication is implemented. In some cases, PAC is signed with a null modifier, allowing an attacker to reuse an old authenticated pointer since the signature is not bound to any execution context. Additionally, because the number of bits allocated to the PAC signature varies across architectures, it may sometimes be possible to brute-force the authentication code, among other implementation-specific weaknesses.</p>
<p>If you want to go further, here are some very interesting slides by Brandon Azad on PAC bypasses on iOS: <a href="https://bazad.github.io/presentations/BlackHat-USA-2020-iOS_Kernel_PAC_One_Year_Later.pdf">iOS Kernel PAC, One Year Later</a>.</p>
<h3 id="register-zeroing">Register Zeroing</h3>
<p>Register zeroing is a hardening technique designed to reduce the amount of useful gadgets an attacker can reuse after hijacking the control flow of a program. By explicitly clearing registers before a function returns, register zeroing limits what an attacker can carry from one gadget to the next. Instead of inheriting a rich execution context, each return leaves the program in a mostly clean state, making exploit construction significantly more complex. This helps mitigate Return-Oriented Programming exploits.</p>
<p>Clang provides this mitigation through the <code>-fzero-call-used-regs</code> compilation flag which tells the compiler to zero out certain registers before the function returns.</p>
<p>The two upper categories are:</p>
<ul>
<li><code>used</code>: Zero out used registers.</li>
<li><code>all</code>: Zero out all registers, whether used or not.</li>
</ul>
<p>The individual options are:</p>
<ul>
<li><code>skip</code>: Don't zero out any registers. This is the default.</li>
<li><code>used</code>: Zero out all used registers.</li>
<li><code>used-arg</code>: Zero out used registers that are used for arguments.</li>
<li><code>used-gpr</code>: Zero out used registers that are GPRs.</li>
<li><code>used-gpr-arg</code>: Zero out used GPRs that are used as arguments.</li>
<li><code>all</code>: Zero out all registers.</li>
<li><code>all-arg</code>: Zero out all registers used for arguments.</li>
<li><code>all-gpr</code>: Zero out all GPRs.</li>
<li><code>all-gpr-arg</code>: Zero out all GPRs used for arguments.</li>
</ul>
<blockquote>
<p><strong>General-Purpose Registers (GPR)</strong> are CPU registers that programs can use freely to hold temporary values, addresses, or intermediate results during execution; for example, on x86-64, registers like <code>RAX</code> or <code>RCX</code> can be set to zero or reused without breaking the program, while <code>RSP</code> is not freely usable because it must always point to the top of the stack.</p>
</blockquote>
<p>Let's take a look at a simple hello world program:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000001140</span><span class="w"> </span><span class="err"><</span><span class="nf">hello_world</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">1140:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1141:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1144:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">b9</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xeb9</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">114</span><span class="nl">b:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">114</span><span class="nl">d:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">de</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">1152:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1153:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<p>If we compile it with <code>-fzero-call-used-regs=all</code>:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000001140</span><span class="w"> </span><span class="err"><</span><span class="nf">hello_world</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">1140:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1141:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1144:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">b9</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xeb9</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">114</span><span class="nl">b:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">114</span><span class="nl">d:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">de</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">1152:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1153:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">1155:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">1157:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">1159:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">115</span><span class="nl">b:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">115</span><span class="nl">d:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">115</span><span class="nl">f:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">1161:</span><span class="w"> </span><span class="nf">d9</span><span class="w"> </span><span class="no">ee</span><span class="w"> </span><span class="no">fldz</span>
<span class="w"> </span><span class="err">1163:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">1165:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">1167:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">1169:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">116</span><span class="nl">b:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">116</span><span class="nl">d:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">116</span><span class="nl">f:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">1171:</span><span class="w"> </span><span class="nf">dd</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">fstp</span><span class="w"> </span><span class="no">st</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
<span class="w"> </span><span class="err">1173:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">1175:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c9</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">ecx</span><span class="p">,</span><span class="no">ecx</span>
<span class="w"> </span><span class="err">1177:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">ff</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">edi</span><span class="p">,</span><span class="no">edi</span>
<span class="w"> </span><span class="err">1179:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">d2</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">edx</span><span class="p">,</span><span class="no">edx</span>
<span class="w"> </span><span class="err">117</span><span class="nl">b:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">f6</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">esi</span><span class="p">,</span><span class="no">esi</span>
<span class="w"> </span><span class="err">117</span><span class="nl">d:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">r8d</span><span class="p">,</span><span class="no">r8d</span>
<span class="w"> </span><span class="err">1180:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c9</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">r9d</span><span class="p">,</span><span class="no">r9d</span>
<span class="w"> </span><span class="err">1183:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">d2</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">r10d</span><span class="p">,</span><span class="no">r10d</span>
<span class="w"> </span><span class="err">1186:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">db</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">r11d</span><span class="p">,</span><span class="no">r11d</span>
<span class="w"> </span><span class="err">1189:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">c0</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm0</span><span class="p">,</span><span class="no">xmm0</span>
<span class="w"> </span><span class="err">118</span><span class="nl">c:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">c9</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm1</span><span class="p">,</span><span class="no">xmm1</span>
<span class="w"> </span><span class="err">118</span><span class="nl">f:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">d2</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm2</span><span class="p">,</span><span class="no">xmm2</span>
<span class="w"> </span><span class="err">1192:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">db</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm3</span><span class="p">,</span><span class="no">xmm3</span>
<span class="w"> </span><span class="err">1195:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">e4</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm4</span><span class="p">,</span><span class="no">xmm4</span>
<span class="w"> </span><span class="err">1198:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">ed</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm5</span><span class="p">,</span><span class="no">xmm5</span>
<span class="w"> </span><span class="err">119</span><span class="nl">b:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">f6</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm6</span><span class="p">,</span><span class="no">xmm6</span>
<span class="w"> </span><span class="err">119</span><span class="nl">e:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm7</span><span class="p">,</span><span class="no">xmm7</span>
<span class="w"> </span><span class="err">11</span><span class="nl">a1:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">c0</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm8</span><span class="p">,</span><span class="no">xmm8</span>
<span class="w"> </span><span class="err">11</span><span class="nl">a5:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">c9</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm9</span><span class="p">,</span><span class="no">xmm9</span>
<span class="w"> </span><span class="err">11</span><span class="nl">a9:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">d2</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm10</span><span class="p">,</span><span class="no">xmm10</span>
<span class="w"> </span><span class="err">11</span><span class="nl">ad:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">db</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm11</span><span class="p">,</span><span class="no">xmm11</span>
<span class="w"> </span><span class="err">11</span><span class="nl">b1:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">e4</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm12</span><span class="p">,</span><span class="no">xmm12</span>
<span class="w"> </span><span class="err">11</span><span class="nl">b5:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">ed</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm13</span><span class="p">,</span><span class="no">xmm13</span>
<span class="w"> </span><span class="err">11</span><span class="nl">b9:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">f6</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm14</span><span class="p">,</span><span class="no">xmm14</span>
<span class="w"> </span><span class="err">11</span><span class="nl">bd:</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">xorps</span><span class="w"> </span><span class="no">xmm15</span><span class="p">,</span><span class="no">xmm15</span>
<span class="w"> </span><span class="err">11</span><span class="nl">c1:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<p>Here we can clearly see the downside of using the <code>-fzero-call-used-regs=all</code> variant. In order to guarantee that no potentially useful state remains after the function returns, the compiler aggressively clears all classes of registers: general-purpose registers, SIMD registers (XMM), and even the x87 floating‑point stack (<code>fldz</code>, <code>fstp st(0)</code>). While this significantly reduces the availability of useful ROP gadgets, it comes at a high cost.</p>
<p>In practice, such an aggressive mode is often overkill. A more balanced approach is to use <code>-fzero-call-used-regs=used-gpr</code>, which only clears the general‑purpose registers that were actually used by the function.</p>
<p>Here is the code hardened with <code>-fzero-call-used-regs=used-gpr</code>:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000001140</span><span class="w"> </span><span class="err"><</span><span class="nf">hello_world</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">1140:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1141:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1144:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">b9</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xeb9</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">114</span><span class="nl">b:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">114</span><span class="nl">d:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">de</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">1152:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1153:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">1155:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">ff</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">edi</span><span class="p">,</span><span class="no">edi</span>
<span class="w"> </span><span class="err">1157:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<p>As you can see, the difference is much more subtle. Only the general‑purpose registers that were actually used by the function (<code>RAX</code> and <code>RDI</code> in this case) are explicitly cleared before returning. This drastically reduces the amount of additional instructions compared to the all variant, while still removing valuable attacker‑controlled state that could otherwise be reused as part of a ROP chain.</p>
<p>If a binary relies on any library (libc, etc.) not compiled with this compilation flag, an attacker can still find a lot of gadgets. That's why this mitigation is <strong>most effective for kernel-sized or static binaries</strong>, as it does not depend on external libraries.</p>
<h2 id="defenses-against-speculative-execution-attacks_1">Defenses Against Speculative Execution Attacks</h2>
<h3 id="speculative-attacks">Speculative Attacks</h3>
<p>Modern CPUs use speculative execution to improve performance. When the processor encounters a conditional branch, it may predict the outcome and execute instructions from the predicted path before the branch condition is fully resolved. If the prediction is correct, the results are committed; if it is wrong, the architectural effects are discarded.</p>
<p>However, even when speculative execution is rolled back architecturally, microarchitectural side effects remain, such as changes in cache state. Speculation attacks exploit this behavior by deliberately causing mispredicted branches so that the CPU speculatively accesses sensitive data. An attacker can then infer this data through side-channel measurements, leading to vulnerabilities.</p>
<p>The first public traces of this class of attacks appeared in early 2018, with the coordinated <a href="https://projectzero.google/2018/01/reading-privileged-memory-with-side.html">disclosure of Spectre and Meltdown in January 2018 by Google Project Zero</a>.</p>
<h3 id="speculative-load-hardening-slh">Speculative Load Hardening (SLH)</h3>
<p>To mitigate speculative execution attacks, Clang provides the compilation flag <code>-mspeculative-load-hardening</code>. For X86 targets, this flag can be configured with two main strategies, indirect masking and fencing, but in practice, only indirect masking is commonly used for production code. <a href="https://github.com/llvm-mirror/llvm/blob/master/lib/Target/X86/X86SpeculativeLoadHardening.cpp">Other options</a> are also available, which we do not present here.</p>
<p>To analyse these mitigations, we will use the following simple C program:</p>
<div class="highlight"><pre><span></span><code><span class="cp">#include</span><span class="w"> </span><span class="cpf"><stdio.h></span>
<span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">argc</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span><span class="w"> </span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div>
<p>This code is not vulnerable to any speculative execution attack. It is only used as a minimal example that contains a conditional branch.</p>
<p>Here is the corresponding assembly code:</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000001140</span><span class="w"> </span><span class="err"><</span><span class="nf">main</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">1140:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1141:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1144:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="nf">ec</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x10</span>
<span class="w"> </span><span class="err">1148:</span><span class="w"> </span><span class="nf">c7</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">fc</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x4</span><span class="p">],</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">114</span><span class="nl">f:</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">7</span><span class="nf">d</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="no">edi</span>
<span class="w"> </span><span class="err">1152:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">75</span><span class="w"> </span><span class="nf">f0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">],</span><span class="no">rsi</span>
<span class="w"> </span><span class="err">1156:</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="err">7</span><span class="nf">d</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="mi">02</span><span class="w"> </span><span class="no">cmp</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="mi">0x2</span>
<span class="w"> </span><span class="err">115</span><span class="nl">a:</span><span class="w"> </span><span class="err">75</span><span class="w"> </span><span class="err">16</span><span class="w"> </span><span class="nf">jne</span><span class="w"> </span><span class="mh">1172</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0x32</span><span class="p">></span>
<span class="w"> </span><span class="err">115</span><span class="nl">c:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">f0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">]</span>
<span class="w"> </span><span class="err">1160:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">70</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rax</span><span class="err">+</span><span class="mi">0x10</span><span class="p">]</span>
<span class="w"> </span><span class="err">1164:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="mi">99</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xe99</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">116</span><span class="nl">b:</span><span class="w"> </span><span class="nf">b0</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">al</span><span class="p">,</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">116</span><span class="nl">d:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">be</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">1172:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">1174:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="nf">c4</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x10</span>
<span class="w"> </span><span class="err">1178:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1179:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
</code></pre></div>
<h4 id="indirect-masking">Indirect Masking</h4>
<p>As described in the <em>High Level Mitigation Approach</em> section of the <a href="https://llvm.org/docs/SpeculativeLoadHardening.html">LLVM documentation on Speculative Load Hardening</a>, one way to mitigate these attacks is to cause <strong>loads to be checked using branchless code</strong> to ensure that they are executing along a valid control flow path. In order to do that, Clang provides the SLH <code>-mllvm -x86-slh-indirect</code> option (default option).</p>
<p>The LLVM documentation illustrates this approach with the following example:</p>
<div class="highlight"><pre><span></span><code><span class="kt">void</span><span class="w"> </span><span class="nf">leak</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">data</span><span class="p">);</span>
<span class="kt">void</span><span class="w"> </span><span class="nf">example</span><span class="p">(</span><span class="kt">int</span><span class="o">*</span><span class="w"> </span><span class="n">pointer1</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="o">*</span><span class="w"> </span><span class="n">pointer2</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">condition</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ... lots of code ...</span>
<span class="w"> </span><span class="n">leak</span><span class="p">(</span><span class="o">*</span><span class="n">pointer1</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ... more code ...</span>
<span class="w"> </span><span class="n">leak</span><span class="p">(</span><span class="o">*</span><span class="n">pointer2</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>This code can be transformed into a hardened version such as:</p>
<div class="highlight"><pre><span></span><code><span class="kt">uintptr_t</span><span class="w"> </span><span class="n">all_ones_mask</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">std</span><span class="o">::</span><span class="n">numerical_limits</span><span class="o"><</span><span class="kt">uintptr_t</span><span class="o">>::</span><span class="n">max</span><span class="p">();</span>
<span class="kt">uintptr_t</span><span class="w"> </span><span class="n">all_zeros_mask</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span>
<span class="kt">void</span><span class="w"> </span><span class="nf">leak</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">data</span><span class="p">);</span>
<span class="kt">void</span><span class="w"> </span><span class="nf">example</span><span class="p">(</span><span class="kt">int</span><span class="o">*</span><span class="w"> </span><span class="n">pointer1</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="o">*</span><span class="w"> </span><span class="n">pointer2</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kt">uintptr_t</span><span class="w"> </span><span class="n">predicate_state</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">all_ones_mask</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">condition</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// Assuming ?: is implemented using branchless logic...</span>
<span class="w"> </span><span class="n">predicate_state</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">!</span><span class="n">condition</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="n">all_zeros_mask</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">predicate_state</span><span class="p">;</span>
<span class="w"> </span><span class="c1">// ... lots of code ...</span>
<span class="w"> </span><span class="c1">//</span>
<span class="w"> </span><span class="c1">// Harden the pointer so it can't be loaded</span>
<span class="w"> </span><span class="n">pointer1</span><span class="w"> </span><span class="o">&=</span><span class="w"> </span><span class="n">predicate_state</span><span class="p">;</span>
<span class="w"> </span><span class="n">leak</span><span class="p">(</span><span class="o">*</span><span class="n">pointer1</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">predicate_state</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">condition</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="n">all_zeros_mask</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="n">predicate_state</span><span class="p">;</span>
<span class="w"> </span><span class="c1">// ... more code ...</span>
<span class="w"> </span><span class="c1">//</span>
<span class="w"> </span><span class="c1">// Alternative: Harden the loaded value</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">value2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="n">pointer2</span><span class="w"> </span><span class="o">&</span><span class="w"> </span><span class="n">predicate_state</span><span class="p">;</span>
<span class="w"> </span><span class="n">leak</span><span class="p">(</span><span class="n">value2</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>The key aspect here is that the update of <code>predicate_state</code> is performed in a <strong>branchless manner</strong>. This forces the processor to wait for the branch condition to be resolved before the mask can be correctly computed. The resulting mask is then applied to either the pointer or the loaded value, ensuring that speculative execution cannot access or propagate sensitive data when the control flow is mispredicted.</p>
<p>If we compile our example using this hardening method, the resulting assembly code becomes significantly more verbose. We can see that pointers inside conditional branches are masked using <strong>conditional move instructions (<code>CMOV</code>)</strong>. The key point is that <a href="https://news.ycombinator.com/item?id=27535727"><strong>the CPU does not speculatively execute the outcome of conditional moves</strong></a>. This ensures that the pointer values are only applied once the branch condition is fully resolved, preventing speculative execution from using or leaking sensitive data along mispredicted paths.</p>
<div class="highlight"><pre><span></span><code><span class="err">0000000000001140</span><span class="w"> </span><span class="err"><</span><span class="nf">main</span><span class="err">></span><span class="p">:</span>
<span class="w"> </span><span class="err">1140:</span><span class="w"> </span><span class="err">55</span><span class="w"> </span><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">1141:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e5</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1144:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="nf">ec</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="no">sub</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x30</span>
<span class="w"> </span><span class="err">1148:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="nf">c7</span><span class="w"> </span><span class="no">c0</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="mi">0xffffffffffffffff</span>
<span class="w"> </span><span class="err">114</span><span class="nl">f:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="nf">e0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x20</span><span class="p">],</span><span class="no">rax</span>
<span class="w"> </span><span class="err">1153:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">1156:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="nf">c1</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="mi">3</span><span class="no">f</span><span class="w"> </span><span class="no">sar</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="mi">0x3f</span>
<span class="w"> </span><span class="err">115</span><span class="nl">a:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x18</span><span class="p">],</span><span class="no">rax</span>
<span class="w"> </span><span class="err">115</span><span class="nl">e:</span><span class="w"> </span><span class="nf">c7</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">fc</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x4</span><span class="p">],</span><span class="mi">0x0</span>
<span class="w"> </span><span class="err">1165:</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">7</span><span class="nf">d</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="no">edi</span>
<span class="w"> </span><span class="err">1168:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">75</span><span class="w"> </span><span class="nf">f0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">],</span><span class="no">rsi</span>
<span class="w"> </span><span class="err">116</span><span class="nl">c:</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="err">7</span><span class="nf">d</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="mi">02</span><span class="w"> </span><span class="no">cmp</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="mi">0x2</span>
<span class="w"> </span><span class="err">1170:</span><span class="w"> </span><span class="err">75</span><span class="w"> </span><span class="err">02</span><span class="w"> </span><span class="nf">jne</span><span class="w"> </span><span class="mh">1174</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0x34</span><span class="p">></span>
<span class="w"> </span><span class="err">1172:</span><span class="w"> </span><span class="nf">eb</span><span class="w"> </span><span class="mi">12</span><span class="w"> </span><span class="no">jmp</span><span class="w"> </span><span class="mh">1186</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0x46</span><span class="p">></span>
<span class="w"> </span><span class="err">1174:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">4</span><span class="no">d</span><span class="w"> </span><span class="no">e0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x20</span><span class="p">]</span>
<span class="w"> </span><span class="err">1178:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">e8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x18</span><span class="p">]</span>
<span class="w"> </span><span class="err">117</span><span class="nl">c:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="no">c1</span><span class="w"> </span><span class="no">cmove</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">rcx</span>
<span class="w"> </span><span class="err">1180:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="nf">d8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x28</span><span class="p">],</span><span class="no">rax</span>
<span class="w"> </span><span class="err">1184:</span><span class="w"> </span><span class="nf">eb</span><span class="w"> </span><span class="mi">59</span><span class="w"> </span><span class="no">jmp</span><span class="w"> </span><span class="mh">11df</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0x9f</span><span class="p">></span>
<span class="w"> </span><span class="err">1186:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">e0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x20</span><span class="p">]</span>
<span class="w"> </span><span class="err">118</span><span class="nl">a:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">4</span><span class="no">d</span><span class="w"> </span><span class="no">e8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x18</span><span class="p">]</span>
<span class="w"> </span><span class="err">118</span><span class="nl">e:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">c8</span><span class="w"> </span><span class="no">cmovne</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">rax</span>
<span class="w"> </span><span class="err">1192:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">f0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">]</span>
<span class="w"> </span><span class="err">1196:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">40</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rax</span><span class="err">+</span><span class="mi">0x10</span><span class="p">]</span>
<span class="w"> </span><span class="err">119</span><span class="nl">a:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">ce</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">rcx</span>
<span class="w"> </span><span class="err">119</span><span class="nl">d:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">09</span><span class="w"> </span><span class="nf">c6</span><span class="w"> </span><span class="no">or</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">rax</span>
<span class="w"> </span><span class="err">11</span><span class="nl">a0:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="mi">5</span><span class="no">d</span><span class="w"> </span><span class="mi">0</span><span class="no">e</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xe5d</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="w"> </span><span class="err">11</span><span class="nl">a7:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">11</span><span class="nl">a9:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="nf">c1</span><span class="w"> </span><span class="no">e1</span><span class="w"> </span><span class="mi">2</span><span class="no">f</span><span class="w"> </span><span class="no">shl</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="mi">0x2f</span>
<span class="w"> </span><span class="err">11</span><span class="nl">ad:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">09</span><span class="w"> </span><span class="nf">cc</span><span class="w"> </span><span class="no">or</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="no">rcx</span>
<span class="w"> </span><span class="err">11</span><span class="nl">b0:</span><span class="w"> </span><span class="nf">e8</span><span class="w"> </span><span class="mi">7</span><span class="no">b</span><span class="w"> </span><span class="no">fe</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="w"> </span><span class="err">11</span><span class="nl">b5:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="no">e0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rdx</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x20</span><span class="p">]</span>
<span class="w"> </span><span class="err">11</span><span class="nl">b9:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="no">f8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rsp-0x8</span><span class="p">]</span>
<span class="w"> </span><span class="err">11</span><span class="nl">be:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="nf">e1</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">rsp</span>
<span class="w"> </span><span class="err">11</span><span class="nl">c1:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="nf">c1</span><span class="w"> </span><span class="no">f9</span><span class="w"> </span><span class="mi">3</span><span class="no">f</span><span class="w"> </span><span class="no">sar</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="mi">0x3f</span>
<span class="w"> </span><span class="err">11</span><span class="nl">c5:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">d</span><span class="w"> </span><span class="mi">3</span><span class="no">d</span><span class="w"> </span><span class="no">e9</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">ff</span><span class="w"> </span><span class="no">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xffffffffffffffe9</span><span class="p">]</span><span class="w"> </span><span class="c1"># 11b5 <main+0x75></span>
<span class="w"> </span><span class="err">11</span><span class="nl">cc:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">39</span><span class="w"> </span><span class="nf">fe</span><span class="w"> </span><span class="no">cmp</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">rdi</span>
<span class="w"> </span><span class="err">11</span><span class="nl">cf:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">ca</span><span class="w"> </span><span class="no">cmovne</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">rdx</span>
<span class="w"> </span><span class="err">11</span><span class="nl">d3:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">4</span><span class="nf">d</span><span class="w"> </span><span class="no">d0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x30</span><span class="p">],</span><span class="no">rcx</span>
<span class="w"> </span><span class="err">11</span><span class="nl">d7:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="no">d0</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x30</span><span class="p">]</span>
<span class="w"> </span><span class="err">11</span><span class="nl">db:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">89</span><span class="w"> </span><span class="err">45</span><span class="w"> </span><span class="nf">d8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x28</span><span class="p">],</span><span class="no">rax</span>
<span class="w"> </span><span class="err">11</span><span class="nl">df:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">8</span><span class="nf">b</span><span class="w"> </span><span class="mi">4</span><span class="no">d</span><span class="w"> </span><span class="no">d8</span><span class="w"> </span><span class="no">mov</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x28</span><span class="p">]</span>
<span class="w"> </span><span class="err">11</span><span class="nl">e3:</span><span class="w"> </span><span class="err">31</span><span class="w"> </span><span class="nf">c0</span><span class="w"> </span><span class="no">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="w"> </span><span class="err">11</span><span class="nl">e5:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="nf">c1</span><span class="w"> </span><span class="no">e1</span><span class="w"> </span><span class="mi">2</span><span class="no">f</span><span class="w"> </span><span class="no">shl</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="mi">0x2f</span>
<span class="w"> </span><span class="err">11</span><span class="nl">e9:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">09</span><span class="w"> </span><span class="nf">cc</span><span class="w"> </span><span class="no">or</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="no">rcx</span>
<span class="w"> </span><span class="err">11</span><span class="nl">ec:</span><span class="w"> </span><span class="err">48</span><span class="w"> </span><span class="err">83</span><span class="w"> </span><span class="nf">c4</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="no">add</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x30</span>
<span class="w"> </span><span class="err">11</span><span class="nl">f0:</span><span class="w"> </span><span class="err">5</span><span class="nf">d</span><span class="w"> </span><span class="no">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="w"> </span><span class="err">11</span><span class="nl">f1:</span><span class="w"> </span><span class="nf">c3</span><span class="w"> </span><span class="no">ret</span>
<span class="w"> </span><span class="err">11</span><span class="nl">f2:</span><span class="w"> </span><span class="err">66</span><span class="w"> </span><span class="err">2</span><span class="nf">e</span><span class="w"> </span><span class="mi">0</span><span class="no">f</span><span class="w"> </span><span class="mi">1</span><span class="no">f</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">cs</span><span class="w"> </span><span class="no">nop</span><span class="w"> </span><span class="no">WORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rax</span><span class="err">+</span><span class="no">rax</span><span class="p">*</span><span class="mi">1</span><span class="err">+</span><span class="mi">0x0</span><span class="p">]</span>
<span class="w"> </span><span class="err">11</span><span class="nl">f9:</span><span class="w"> </span><span class="err">00</span><span class="w"> </span><span class="err">00</span><span class="w"> </span><span class="err">00</span>
<span class="w"> </span><span class="err">11</span><span class="nl">fc:</span><span class="w"> </span><span class="err">0</span><span class="nf">f</span><span class="w"> </span><span class="mi">1</span><span class="no">f</span><span class="w"> </span><span class="mi">40</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="no">nop</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rax</span><span class="err">+</span><span class="mi">0x0</span><span class="p">]</span>
</code></pre></div>
<p>To better understand this mechanism, let us take a closer look at what this code does in practice.</p>
<h6 id="s-1-mask-initialization">1. Mask initialization</h6>
<div class="highlight"><pre><span></span><code><span class="nf">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="mi">0xffffffffffffffff</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x20</span><span class="p">],</span><span class="no">rax</span><span class="w"> </span>
</code></pre></div>
<p>The compiler initializes a mask with all bits set (<code>0xFFFFFFFFFFFFFFFF</code>). This value represents a speculation-dependent mask that is later used to either preserve or deliberately corrupt pointers, ensuring that mis-speculated execution paths cannot access meaningful data.</p>
<h5 id="s-2-extracting-the-most-significant-bit-of-rsp">2. Extracting the most significant bit of RSP</h5>
<div class="highlight"><pre><span></span><code><span class="nf">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">rsp</span>
<span class="nf">sar</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="mi">0x3f</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x18</span><span class="p">],</span><span class="no">rax</span>
</code></pre></div>
<p>This sequence extracts the most significant bit of the stack pointer by performing an arithmetic right shift. Since RSP is expected to hold a canonical user-space address, this bit should normally be zero.</p>
<h5 id="s-3-first-conditional-branch">3. First conditional branch</h5>
<p>After the <code>if (argc == 2)</code> check, the CPU may speculatively execute one of the branches.</p>
<p>This sequence extracts the most significant bit of the stack pointer by performing an arithmetic right shift. Since RSP is expected to hold a canonical user-space address, this bit should normally be zero.</p>
<div class="highlight"><pre><span></span><code><span class="nf">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x20</span><span class="p">]</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x18</span><span class="p">]</span>
<span class="nf">cmovne</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="no">rax</span>
</code></pre></div>
<p>Here, a conditional move (<code>CMOVNE</code>) is used to update the mask stored in <code>RCX</code>.</p>
<p>The important property is that <strong>the CPU does not speculate on the result of a conditional move</strong>. As a consequence, it must wait for the condition flags to be resolved before applying the move. It creates a data dependency.</p>
<p>Once the condition is resolved, speculative execution may continue, but the mask will now correctly reflect the control-flow outcome. Depending on the condition, the mask will be either <code>0xFFFF_FFFF_FFFF_FFFF</code> or <code>0x0000_0000_0000_0000</code>.</p>
<h6 id="s-4-applying-the-mask-to-the-pointer">4. Applying the mask to the pointer</h6>
<p>At this point, <code>RCX</code> holds the computed mask.</p>
<div class="highlight"><pre><span></span><code><span class="nf">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">]</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rax</span><span class="err">+</span><span class="mi">0x10</span><span class="p">]</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">rcx</span><span class="w"> </span><span class="c1"># copie du masque dans RSI</span>
<span class="nf">or</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">rax</span><span class="w"> </span><span class="c1"># OR du pointeur vers argv[1] avec notre masque.</span>
<span class="nf">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xe5d</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="nf">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="nf">shl</span><span class="w"> </span><span class="no">rcx</span><span class="p">,</span><span class="mi">0x2f</span>
<span class="nf">or</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="no">rcx</span>
<span class="nf">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
</code></pre></div>
<!--
comment removed in the code, about the shl and or:
# not sure about this part, but it seems to also
# corrupt the stack pointer if the condition isn't true.
-->
<p>Here, the pointer to <code>argv[1]</code> is combined with the mask using a bitwise <code>OR</code>. If the execution path is valid, the mask preserves the pointer value. If the path is invalid due to mis-speculation, the mask corrupts the pointer, preventing it from being used to access meaningful data.</p>
<blockquote>
<p>⚠️ **Enabling this feature has a notable performance impact, but it is still less costly than inserting <code>lfence</code> barriers everywhere (see next section). An attribute<sup id="fnref:ClangAttributeReference"><a class="footnote-ref" href="#fn:ClangAttributeReference">3</a></sup> can be used to restrict hardening to specific functions, avoiding the need to slow down the entire program<sup id="fnref:gccvsclangsecurity"><a class="footnote-ref" href="#fn:gccvsclangsecurity">4</a></sup>.</p>
</blockquote>
<h4 id="lfence-barriers"><code>LFENCE</code> barriers</h4>
<p>Another way to avoid speculative execution on branches is to insert <code>LFENCE</code> instructions after all conditional jumps to act as speculation barriers. To select this strategy, Clang provides the SLH option <code>-mllvm -x86-slh-lfence</code>. The <code>LFENCE</code> instruction does not execute until all prior instructions have completed locally, and no later instruction begins execution until <code>LFENCE</code> completes. As such, it acts as a barrier because the branch will never be executed speculatively.</p>
<div class="highlight"><pre><span></span><code><span class="nf">push</span><span class="w"> </span><span class="no">rbp</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">rbp</span><span class="p">,</span><span class="no">rsp</span>
<span class="nf">sub</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x10</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x4</span><span class="p">],</span><span class="mi">0x0</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="no">edi</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">],</span><span class="no">rsi</span>
<span class="nf">cmp</span><span class="w"> </span><span class="no">DWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x8</span><span class="p">],</span><span class="mi">0x2</span>
<span class="nf">jne</span><span class="w"> </span><span class="mh">1175</span> <span class="p"><</span><span class="no">main</span><span class="p">+</span><span class="mi">0x35</span><span class="p">></span>
<span class="nf">lfence</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">rax</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rbp-0x10</span><span class="p">]</span>
<span class="nf">mov</span><span class="w"> </span><span class="no">rsi</span><span class="p">,</span><span class="no">QWORD</span><span class="w"> </span><span class="no">PTR</span><span class="w"> </span><span class="p">[</span><span class="no">rax</span><span class="err">+</span><span class="mi">0x10</span><span class="p">]</span>
<span class="nf">lea</span><span class="w"> </span><span class="no">rdi</span><span class="p">,[</span><span class="no">rip</span><span class="err">+</span><span class="mi">0xe96</span><span class="p">]</span><span class="w"> </span><span class="c1"># 2004 <_IO_stdin_used+0x4></span>
<span class="nf">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="nf">call</span><span class="w"> </span><span class="mh">1030</span> <span class="p"><</span><span class="no">printf@plt</span><span class="p">></span>
<span class="nf">lfence</span>
<span class="nf">xor</span><span class="w"> </span><span class="no">eax</span><span class="p">,</span><span class="no">eax</span>
<span class="nf">add</span><span class="w"> </span><span class="no">rsp</span><span class="p">,</span><span class="mi">0x10</span>
<span class="nf">pop</span><span class="w"> </span><span class="no">rbp</span>
<span class="nf">ret</span>
</code></pre></div>
<blockquote>
<p>⚠️ We do not recommend using this compilation flag as its impact on program performance is very significant. It is mentioned here for completeness only.</p>
</blockquote>
<!--
It is also possible to add this assembly instruction only on branches that may be vulnerable to speculative attacks.
-->
<h2 id="conclusion_1">Conclusion</h2>
<p>Over the years, the list of recommended compiler hardening options has significantly evolved, driven by the continuous discovery of new classes of vulnerabilities and exploitation techniques. New compilation flags have been introduced to mitigate threats such as control-flow hijacking, speculative execution attacks, and information leaks at both the architectural and micro-architectural levels.</p>
<p>While these mitigations greatly improve the security posture of compiled binaries, they often come with a non-negligible performance cost. As a result, enabling them requires careful consideration and an informed trade-off between security and performance, depending on the threat model and deployment context.</p>
<p>The growing awareness that security is a first-class concern in modern software development suggests that these compiler options will continue to evolve. New mitigations will be added, existing ones will be refined, and defaults may change over time. Staying up to date with compiler developments and security recommendations is therefore essential.</p>
<p>Finally, compiler hardening options, while powerful, are not sufficient on their own. They must be combined with good programming practices, regular code reviews and audits. In addition, software protection techniques such as obfuscation, integrity checks or Runtime Application Self Protection (RASP) make the identification and exploitation of vulnerabilities more difficult and slow down attackers.</p>
<h2 id="acknowledgments">Acknowledgments</h2>
<p>We would like to thank our colleagues Laurent Laubin and Rémy Salim for their thorough review of this article as well as their suggestions.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn:RedHatDevGuideFortifySource">
<p><a href="https://developers.redhat.com/articles/2023/07/04/developers-guide-secure-coding-fortifysource">A developer’s guide to secure coding with FORTIFY_SOURCE</a>, Sandipan Roy, July 2023. <a class="footnote-backref" href="#fnref:RedHatDevGuideFortifySource" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:QualysStackClash">
<p><a href="https://blog.qualys.com/vulnerabilities-threat-research/2017/06/19/the-stack-clash">The Stack Clash</a>, Qualys Research Team, December 2022. <a class="footnote-backref" href="#fnref:QualysStackClash" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:ClangAttributeReference">
<p><a href="https://clang.llvm.org/docs/AttributeReference.html">Attributes in Clang</a>. <a class="footnote-backref" href="#fnref:ClangAttributeReference" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:gccvsclangsecurity">
<p><a href="https://lwn.net/Articles/798913/">Comparing GCC and Clang security features</a>, Jonathan Corbet, September 2019. <a class="footnote-backref" href="#fnref:gccvsclangsecurity" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
</ol>
</div>SCAF - Source Code Analysis Framework based on Clang - Pre-alpha preview2014-08-25T00:00:00+02:002014-08-25T00:00:00+02:00Jonathan Salwantag:blog.quarkslab.com,2014-08-25:/scaf-source-code-analysis-framework-based-on-clang-pre-alpha-preview.html<p class="first last">We recently began to work on source code analysis and the main objective was to easily collaborate on a same analysis. So, we started to develop a framework based on Clang that will be described in this blog post.</p>
<div class="section" id="introduction">
<h2 id="1-introduction">1 - Introduction</h2>
<p>There are many goals of source code analysis:</p>
<ul>
<li><p class="first">Security review</p>
</li>
<li><p class="first">Bug finding</p>
</li>
<li><p class="first">Program verification / understanding</p>
</li>
<li><p class="first">Type / Style / Property checking</p>
</li>
</ul>
<p>But, for each of these goals, when we work on source code analysis with colleagues, the main issue is how we can manage to work together and centralize
information. There are a lot of libraries for source code analysis but none of them shares nor stores data and related meta-data.</p>
<p>That is why, we created SCAF, a framework based on Clang which helps us to deal with the source code manipulation and which stores information remotely and
shares these information with others colleagues. Currently, SCAF is a pre-alpha and will be released in few days.</p>
</div>
<div class="section" id="scaf-architecture">
<h2 id="2-scaf-architecture">2 - SCAF architecture</h2>
<p>SCAF is written in Python and offers two modules, an API and a GUI. The API is used to parse source code, to save parsing information in a database and do some analyzes.
The GUI is mainly used to browse source code and to display API information but we can plug any others GUI (like a web app based on Apache/mod_python).</p>
<img alt="SCAF Architecture" class="align-center" height="200" src="resources/2014-08-25-scaf/images/scaf_architecture.png" width="500"/><p>The API uses the libClang <a class="footnote-reference" href="#footnote-1" id="footnote-reference-1">[1]</a> to parse the source code and saves the AST in the database. When the AST (or part of it) is already stored, you don't have to re-parse
the source code.
All information can be directly requested via the API, which will extract data and metadata from the database, providing helpers to use them.</p>
</div>
<div class="section" id="hook-the-make-process">
<h2 id="3-hook-the-make-process">3 - Hook the "make" process</h2>
<p>In source code analysis, one of the main issues is dealing with the context of compilation: include directories, preprocessor tricks and other obscure voodoo things
that can be part of a build chain.
When you have to parse a file, you must set up a context as close as possible the one used during compilation, otherwise you will get a lot of parsing issues.
For that, you have two options:</p>
<ul>
<li><p class="first">The hard one: Parse the "Makefile"</p>
</li>
<li><p class="first">The lazy one: Hook the make process</p>
</li>
</ul>
<p>Actually, the best way (I guess) is to hook the make process (Yes, you're right, French guys are lazy, it's well known). Via this hook, you can get all
information in a compilation context and forward everything to your parsing process.</p>
<p>SCAF offers an "agent" which hooks the make process and forwards all flags to both a compiler and the SCAF API. You just have to overload the CC variable like that:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>make<span class="w"> </span><span class="nv">CC</span><span class="o">=</span>/usr/bin/scaf_agent<span class="w"> </span><span class="nv">SCAF_HOST</span><span class="o">=</span>localhost<span class="w"> </span><span class="nv">SCAF_LOGIN</span><span class="o">=</span>user<span class="w"> </span><span class="nv">SCAF_PASSW</span><span class="o">=</span><span class="nb">pwd</span><span class="w"> </span><span class="nv">SCAF_DB</span><span class="o">=</span>project_1
</pre></div>
<!-- -->
<p>In this case, the SCAF agent will saves all information in the "project_1" database and you don't care about flags and others compiler stuff. Then, after the
compilation is completed, you can get any source code related information directly from the database.</p>
</div>
<div class="section" id="api-under-the-hood">
<h2 id="4-api-under-the-hood">4 - API under the hood</h2>
<div class="section" id="api-classes">
<h3 id="41-api-classes">4.1 - API classes</h3>
<p>There are still lot of classes in progress or things to do like aliasing, taint, symbolic... But
currently these following classes are reliable:</p>
<ul>
<li><p class="first"><strong>SCAFDatabase</strong>: Database communication.</p>
</li>
<li><p class="first"><strong>SCAFParsing</strong>: Parsing via the libClang.</p>
</li>
<li><p class="first"><strong>SCAFAst</strong>: AST reconstruction.</p>
</li>
<li><p class="first"><strong>SCAFAnalysis</strong>: This class contains all analysis.</p>
</li>
<li><p class="first"><strong>SCAFCallsTraceAnalysis</strong>: Calls trace and xrefs.</p>
</li>
</ul>
</div>
<div class="section" id="parse-a-file-and-save-information">
<h3 id="42-parse-a-file-and-save-information">4.2 - Parse a file and save information</h3>
<p>The following example will create a new database, parse a file (with a default compilation context) and save information.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="kn">from</span> <span class="nn">SCAF.API.Analysis</span> <span class="kn">import</span> <span class="o">*</span>
<span class="o">>>></span>
<span class="o">>>></span> <span class="n">analysis</span> <span class="o">=</span> <span class="n">SCAFAnalysis</span><span class="p">(</span><span class="s1">'localhost'</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'pwd'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">createNewDatabase</span><span class="p">(</span><span class="s1">'SCAF_test1'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">useDatabase</span><span class="p">(</span><span class="s1">'SCAF_test1'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">parseFile</span><span class="p">(</span><span class="s1">'/tmp/test.c'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">closeDatabase</span><span class="p">()</span>
</pre></div>
<!-- -->
<p>Then, when you want to get information back, you just have to use the "SCAF_test1" database.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="kn">from</span> <span class="nn">SCAF.API.Analysis</span> <span class="kn">import</span> <span class="o">*</span>
<span class="o">>>></span>
<span class="o">>>></span> <span class="n">analysis</span> <span class="o">=</span> <span class="n">SCAFAnalysis</span><span class="p">(</span><span class="s1">'localhost'</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'pwd'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">getDatabaseListing</span><span class="p">()</span>
<span class="p">[</span><span class="s1">'SCAF_driver'</span><span class="p">,</span> <span class="s1">'SCAF_driver2'</span><span class="p">,</span> <span class="s1">'SCAF_driver_w83793'</span><span class="p">,</span> <span class="s1">'SCAF_test1'</span><span class="p">,</span> <span class="s1">'SCAF_vmndh'</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">useDatabase</span><span class="p">(</span><span class="s1">'SCAF_test1'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNumberOfNodesSaved</span><span class="p">()</span>
<span class="mi">16</span><span class="n">L</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">getFilesList</span><span class="p">()</span>
<span class="p">[</span><span class="s1">'/tmp/test.c'</span><span class="p">]</span>
<span class="o">>>></span> <span class="nb">print</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getFileContent</span><span class="p">(</span><span class="s1">'/tmp/test.c'</span><span class="p">)</span>
<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">ac</span><span class="p">,</span> <span class="n">const</span> <span class="n">char</span> <span class="o">**</span><span class="n">av</span><span class="p">)</span>
<span class="p">{</span>
<span class="nb">int</span> <span class="n">a</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="nb">int</span> <span class="n">b</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span>
<span class="k">return</span> <span class="n">a</span> <span class="o">+</span> <span class="n">b</span><span class="p">;</span>
<span class="p">}</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
<p>When you parse files, these files will be stocked in the database allowing colleagues to work on the same project without any source on their disk.</p>
</div>
<div class="section" id="run-through-the-ast">
<h3 id="43-run-through-the-ast">4.3 - Run through the AST</h3>
<p>The AST reconstruction is fully transparent, at each request in the API, a node is returned and can be run through like the original AST.</p>
<p>Each node returned by the <strong>getNodes()</strong> methods is a <strong>SCAF.API.AST.SCAFAst</strong> which contains these
following attributes and methods:</p>
<ul>
<li><p class="first">self.idNode</p>
</li>
<li><p class="first">self.idNodeParent</p>
</li>
<li><p class="first">self.spelling</p>
</li>
<li><p class="first">self.kind</p>
</li>
<li><p class="first">self.type</p>
</li>
<li><p class="first">self.value</p>
</li>
<li><p class="first">self.result</p>
</li>
<li><p class="first">self.fileName</p>
</li>
<li><p class="first">self.startLine</p>
</li>
<li><p class="first">self.endLine</p>
</li>
<li><p class="first">self.startColumn</p>
</li>
<li><p class="first">self.endColumn</p>
</li>
<li><p class="first">self.getParent()</p>
</li>
<li><p class="first">self.getChildren()</p>
</li>
<li><p class="first">self.getContent()</p>
</li>
</ul>
<p>The <strong>getParent()</strong> and <strong>getChildren()</strong> methods return also a <strong>SCAF.API.AST.SCAFAst</strong> which can be used to run through the AST recursively.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">nodes</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">spelling</span><span class="o">=</span><span class="s1">'main'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">nodes</span>
<span class="p">[</span><span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb94bda9170</span><span class="o">></span><span class="p">]</span>
<span class="o">>>></span> <span class="n">main</span> <span class="o">=</span> <span class="n">nodes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">main</span>
<span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb94bda9170</span><span class="o">></span>
<span class="o">>>></span> <span class="n">main</span><span class="o">.</span><span class="n">fileName</span>
<span class="s1">'/tmp/test.c'</span>
<span class="o">>>></span> <span class="n">main</span><span class="o">.</span><span class="n">startLine</span>
<span class="mi">1</span><span class="n">L</span>
<span class="o">>>></span> <span class="n">main</span><span class="o">.</span><span class="n">endLine</span>
<span class="mi">7</span><span class="n">L</span>
<span class="o">>>></span> <span class="n">main</span><span class="o">.</span><span class="n">spelling</span>
<span class="s1">'main'</span>
<span class="o">>>></span> <span class="n">main</span><span class="o">.</span><span class="n">kind</span>
<span class="s1">'FUNCTION_DECL'</span>
<span class="o">>>></span> <span class="n">main</span><span class="o">.</span><span class="n">type</span>
<span class="s1">'FunctionProto'</span>
</pre></div>
<!-- -->
<p>Get children from a node:</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">main</span>
<span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb94bda9170</span><span class="o">></span>
<span class="o">>>></span> <span class="n">children</span> <span class="o">=</span> <span class="n">main</span><span class="o">.</span><span class="n">getChildren</span><span class="p">()</span>
<span class="o">>>></span> <span class="n">children</span>
<span class="p">[</span><span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb94bda9200</span><span class="o">></span><span class="p">,</span> <span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb94bda9248</span><span class="o">></span><span class="p">,</span> <span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb94bda9290</span><span class="o">></span><span class="p">]</span>
<span class="o">>>></span> <span class="k">for</span> <span class="n">child</span> <span class="ow">in</span> <span class="n">children</span><span class="p">:</span>
<span class="o">...</span> <span class="nb">print</span> <span class="n">child</span><span class="o">.</span><span class="n">kind</span><span class="p">,</span> <span class="n">child</span><span class="o">.</span><span class="n">spelling</span>
<span class="o">...</span>
<span class="n">PARM_DECL</span> <span class="n">ac</span>
<span class="n">PARM_DECL</span> <span class="n">av</span>
<span class="n">COMPOUND_STMT</span> <span class="kc">None</span>
</pre></div>
<!-- -->
<p>The <strong>COMPOUND_STMT</strong> is the statement node of the <strong>main</strong> function. Below, the complete AST of the <strong>main</strong> function.</p>
<img alt="main function - AST" class="align-center" height="500" src="resources/2014-08-25-scaf/images/ast.png" width="700"/><p>The <strong>getNodes()</strong> method can take all <strong>SCAst</strong> attributes as filters in its arguments.</p>
<pre class="code literal-block">
getNodes(kind='...', startLine='...', fileName='...', spelling='...', ...)
</pre>
<!-- -->
<p>Each node has a <strong>kind</strong> (FUNCTION_DECL, COMPOUND_STMT, etc) and the possible list of <strong>kind</strong> is:</p>
<pre class="code literal-block">
['ADDR_LABEL_EXPR', 'ANNOTATE_ATTR', 'ARRAY_SUBSCRIPT_EXPR', 'ASM_LABEL_ATTR', 'ASM_STMT', 'BINARY_OPERATOR',
'BLOCK_EXPR', 'BREAK_STMT', 'CALL_EXPR', 'CASE_STMT', 'CHARACTER_LITERAL', 'CLASS_DECL', 'CLASS_TEMPLATE',
'CLASS_TEMPLATE_PARTIAL_SPECIALIZATION', 'COMPOUND_ASSIGNMENT_OPERATOR', 'COMPOUND_LITERAL_EXPR', 'COMPOUND_STMT',
'CONDITIONAL_OPERATOR', 'CONSTRUCTOR', 'CONTINUE_STMT', 'CONVERSION_FUNCTION', 'CSTYLE_CAST_EXPR',
'CXX_ACCESS_SPEC_DECL', 'CXX_BASE_SPECIFIER', 'CXX_BOOL_LITERAL_EXPR', 'CXX_CATCH_STMT', 'CXX_CONST_CAST_EXPR',
'CXX_DELETE_EXPR', 'CXX_DYNAMIC_CAST_EXPR', 'CXX_FINAL_ATTR', 'CXX_FOR_RANGE_STMT', 'CXX_FUNCTIONAL_CAST_EXPR',
'CXX_METHOD', 'CXX_NEW_EXPR', 'CXX_NULL_PTR_LITERAL_EXPR', 'CXX_OVERRIDE_ATTR', 'CXX_REINTERPRET_CAST_EXPR',
'CXX_STATIC_CAST_EXPR', 'CXX_THIS_EXPR', 'CXX_THROW_EXPR', 'CXX_TRY_STMT', 'CXX_TYPEID_EXPR', 'CXX_UNARY_EXPR',
'DECL_REF_EXPR', 'DECL_STMT', 'DEFAULT_STMT', 'DESTRUCTOR', 'DO_STMT', 'ENUM_CONSTANT_DECL', 'ENUM_DECL',
'FIELD_DECL', 'FLOATING_LITERAL', 'FOR_STMT', 'FUNCTION_DECL', 'FUNCTION_TEMPLATE', 'GENERIC_SELECTION_EXPR',
'GNU_NULL_EXPR', 'GOTO_STMT', 'IB_ACTION_ATTR', 'IB_OUTLET_ATTR', 'IB_OUTLET_COLLECTION_ATTR', 'IF_STMT',
'IMAGINARY_LITERAL', 'INCLUSION_DIRECTIVE', 'INDIRECT_GOTO_STMT', 'INIT_LIST_EXPR', 'INTEGER_LITERAL',
'INVALID_CODE', 'INVALID_FILE', 'LABEL_REF', 'LABEL_STMT', 'LINKAGE_SPEC', 'MACRO_DEFINITION', 'MACRO_INSTANTIATION',
'MEMBER_REF', 'MEMBER_REF_EXPR', 'NAMESPACE', 'NAMESPACE_ALIAS', 'NAMESPACE_REF', 'NOT_IMPLEMENTED',
'NO_DECL_FOUND', 'NULL_STMT', 'OBJC_AT_CATCH_STMT', 'OBJC_AT_FINALLY_STMT', 'OBJC_AT_SYNCHRONIZED_STMT',
'OBJC_AT_THROW_STMT', 'OBJC_AT_TRY_STMT', 'OBJC_AUTORELEASE_POOL_STMT', 'OBJC_BRIDGE_CAST_EXPR', 'OBJC_CATEGORY_DECL',
'OBJC_CATEGORY_IMPL_DECL', 'OBJC_CLASS_METHOD_DECL', 'OBJC_CLASS_REF', 'OBJC_DYNAMIC_DECL', 'OBJC_ENCODE_EXPR',
'OBJC_FOR_COLLECTION_STMT', 'OBJC_IMPLEMENTATION_DECL', 'OBJC_INSTANCE_METHOD_DECL', 'OBJC_INTERFACE_DECL',
'OBJC_IVAR_DECL', 'OBJC_MESSAGE_EXPR', 'OBJC_PROPERTY_DECL', 'OBJC_PROTOCOL_DECL', 'OBJC_PROTOCOL_EXPR',
'OBJC_PROTOCOL_REF', 'OBJC_SELECTOR_EXPR', 'OBJC_STRING_LITERAL', 'OBJC_SUPER_CLASS_REF', 'OBJC_SYNTHESIZE_DECL',
'OVERLOADED_DECL_REF', 'PACK_EXPANSION_EXPR', 'PAREN_EXPR', 'PARM_DECL', 'PREPROCESSING_DIRECTIVE', 'RETURN_STMT',
'SEH_EXCEPT_STMT', 'SEH_FINALLY_STMT', 'SEH_TRY_STMT', 'SIZE_OF_PACK_EXPR', 'STRING_LITERAL', 'STRUCT_DECL',
'SWITCH_STMT', 'StmtExpr', 'TEMPLATE_NON_TYPE_PARAMETER', 'TEMPLATE_REF', 'TEMPLATE_TEMPLATE_PARAMETER',
'TEMPLATE_TYPE_PARAMETER', 'TRANSLATION_UNIT', 'TYPEDEF_DECL', 'TYPE_ALIAS_DECL', 'TYPE_REF', 'UNARY_OPERATOR',
'UNEXPOSED_ATTR', 'UNEXPOSED_DECL', 'UNEXPOSED_EXPR', 'UNEXPOSED_STMT', 'UNION_DECL', 'USING_DECLARATION',
'USING_DIRECTIVE', 'VAR_DECL', 'WHILE_STMT']
</pre>
<!-- -->
<p>So, for example, if you want all functions, you just have to do something like that:</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">analysis</span> <span class="o">=</span> <span class="n">SCAFAnalysis</span><span class="p">(</span><span class="s1">'localhost'</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'pwd'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">useDatabase</span><span class="p">(</span><span class="s1">'SCAF_vmndh'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">funcs</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">kind</span><span class="o">=</span><span class="s1">'FUNCTION_DECL'</span><span class="p">)</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="n">funcs</span><span class="p">)</span>
<span class="mi">275</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
<p>Or, if you are looking for attributes of a specific structure:</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">analysis</span> <span class="o">=</span> <span class="n">SCAFAnalysis</span><span class="p">(</span><span class="s1">'localhost'</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'pwd'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">useDatabase</span><span class="p">(</span><span class="s1">'SCAF_driver_w83793'</span><span class="p">)</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">kind</span><span class="o">=</span><span class="s1">'STRUCT_DECL'</span><span class="p">))</span>
<span class="mi">948</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">kind</span><span class="o">=</span><span class="s1">'STRUCT_DECL'</span><span class="p">,</span> <span class="n">spelling</span><span class="o">=</span><span class="s1">'watchdog_info'</span><span class="p">)</span>
<span class="p">[</span><span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7fb9487dad40</span><span class="o">></span><span class="p">]</span>
<span class="o">>>></span> <span class="n">watchdog_info</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">kind</span><span class="o">=</span><span class="s1">'STRUCT_DECL'</span><span class="p">,</span> <span class="n">spelling</span><span class="o">=</span><span class="s1">'watchdog_info'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">watchdog_info</span><span class="o">.</span><span class="n">fileName</span>
<span class="s1">'/usr/src/linux-3.14.14-gentoo/include/uapi/linux/watchdog.h'</span>
<span class="o">>>></span> <span class="n">watchdog_info</span><span class="o">.</span><span class="n">startLine</span>
<span class="mi">17</span><span class="n">L</span>
<span class="o">>>></span> <span class="n">watchdog_info</span><span class="o">.</span><span class="n">endLine</span>
<span class="mi">21</span><span class="n">L</span>
<span class="o">>>></span> <span class="n">attributes</span> <span class="o">=</span> <span class="n">watchdog_info</span><span class="o">.</span><span class="n">getChildren</span><span class="p">()</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="n">attributes</span><span class="p">)</span>
<span class="mi">3</span>
<span class="o">>>></span> <span class="k">for</span> <span class="n">attr</span> <span class="ow">in</span> <span class="n">attributes</span><span class="p">:</span>
<span class="o">...</span> <span class="nb">print</span> <span class="n">attr</span><span class="o">.</span><span class="n">kind</span><span class="p">,</span> <span class="n">attr</span><span class="o">.</span><span class="n">spelling</span><span class="p">,</span> <span class="n">attr</span><span class="o">.</span><span class="n">getContent</span><span class="p">()</span>
<span class="o">...</span>
<span class="n">FIELD_DECL</span> <span class="n">options</span> <span class="n">__u32</span> <span class="n">options</span>
<span class="n">FIELD_DECL</span> <span class="n">firmware_version</span> <span class="n">__u32</span> <span class="n">firmware_version</span>
<span class="n">FIELD_DECL</span> <span class="n">identity</span> <span class="n">__u8</span> <span class="n">identity</span><span class="p">[</span><span class="mi">32</span><span class="p">]</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
<p>If we do some speed benchmark about the search engine on a big source project like a Linux driver with all kernel includes.</p>
<div class="highlight"><pre><span></span><span class="ch">#!/usr/bin/env python2</span>
<span class="c1">## -*- coding: utf-8 -*-</span>
<span class="kn">from</span> <span class="nn">SCAF.API.Analysis</span> <span class="kn">import</span> <span class="o">*</span>
<span class="n">analysis</span> <span class="o">=</span> <span class="n">SCAFAnalysis</span><span class="p">(</span><span class="s1">'localhost'</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'pwd'</span><span class="p">)</span>
<span class="n">analysis</span><span class="o">.</span><span class="n">useDatabase</span><span class="p">(</span><span class="s1">'SCAF_driver_w83793'</span><span class="p">)</span>
<span class="nb">print</span> <span class="s1">'Looking into </span><span class="si">%d</span><span class="s1"> files'</span> <span class="o">%</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">analysis</span><span class="o">.</span><span class="n">getFilesList</span><span class="p">()))</span>
<span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">spelling</span><span class="o">=</span><span class="s1">'i'</span><span class="p">):</span>
<span class="nb">print</span> <span class="n">node</span><span class="o">.</span><span class="n">kind</span><span class="p">,</span> <span class="n">node</span><span class="o">.</span><span class="n">fileName</span><span class="p">,</span> <span class="n">node</span><span class="o">.</span><span class="n">startLine</span><span class="p">,</span> <span class="n">node</span><span class="o">.</span><span class="n">startColumn</span><span class="p">,</span> <span class="n">node</span><span class="o">.</span><span class="n">getContent</span><span class="p">()</span>
</pre></div>
<!-- -->
<p>We have something like that - Tested on a Lenovo x230:</p>
<pre class="code literal-block">
$ time python2 ./test.py
Looking into 274 files
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/bitmap.h 115 44 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 36 44 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 48 31 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 62 31 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 78 39 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 142 39 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 154 37 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic.h 166 37 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 31 48 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 43 33 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 57 33 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 73 41 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 139 41 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 151 40 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/atomic64_64.h 156 40 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/atomic.h 115 30 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 34 54 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 55 36 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 62 36 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 69 44 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 90 44 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 97 43 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/asm-generic/atomic-long.h 104 43 long i
PARM_DECL /usr/src/linux-3.14.14-gentoo/arch/x86/include/asm/pvclock.h 103 34 struct pvclock_vsyscall_time_info *i
VAR_DECL /usr/src/linux-3.14.14-gentoo/include/linux/slab.h 486 3 int i = kmalloc_index(size)
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/klist.h 62 46 struct klist_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/klist.h 63 51 struct klist_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/klist.h 65 29 struct klist_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/klist.h 66 38 struct klist_iter *i
VAR_DECL /usr/src/linux-3.14.14-gentoo/include/linux/dqblk_qtree.h 49 2 int i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 304 3 struct iov_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 306 3 struct iov_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 307 23 struct iov_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 308 32 struct iov_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 309 34 const struct iov_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 311 34 struct iov_iter *i
PARM_DECL /usr/src/linux-3.14.14-gentoo/include/linux/fs.h 323 37 struct iov_iter *i
VAR_DECL /secure/QuarksLab/Research/SCAF/samples/driver/w83793/w83793.c 867 3 int i = index >> 1
VAR_DECL /secure/QuarksLab/Research/SCAF/samples/driver/w83793/w83793.c 1375 4 size_t i
VAR_DECL /secure/QuarksLab/Research/SCAF/samples/driver/w83793/w83793.c 1513 2 int i
VAR_DECL /secure/QuarksLab/Research/SCAF/samples/driver/w83793/w83793.c 1580 2 int i
python2 ./test.py 0.09s user 0.01s system 70% cpu 0.145 total
$
</pre>
<!-- -->
<p>As you can see it's pretty fast and we got all nodes which are named "i" - It's different of a simple grep search which will give us all occurrences of "i".
This is the first advantage of centralized information. The second advantage is that you don't need the project sources on your disk and you can share
everything remotely without that your colleagues have to re-parse a second time the source code.</p>
</div>
</div>
<div class="section" id="calls-trace-and-xrefs">
<h2 id="5-calls-trace-and-xrefs_1">5 - Calls trace and xrefs</h2>
<p>The calls trace is also available as a tree. Each node is a <strong>SCAFCallsTraceAnalysisAst</strong> and this class contains only one attribute and
two methods:</p>
<ul>
<li><p class="first"><strong>self.spelling</strong> : function name</p>
</li>
<li><p class="first"><strong>self.getNode()</strong> : FUNCTION_DECL AST node</p>
</li>
<li><p class="first"><strong>self.getChildren()</strong> : Called functions</p>
</li>
</ul>
<p>So, you can run through the calls trace recursively via the <strong>getChildren()</strong> method and jump in the function's AST via the <strong>getNode()</strong> method.</p>
<div class="section" id="how-to-get-a-scafcallstraceanalysisast-from-a-scafast-node">
<h3 id="51-how-to-get-a-scafcallstraceanalysisast-from-a-scafast-node">5.1 - How to get a SCAFCallsTraceAnalysisAst from a SCAFAst node</h3>
<p>The <strong>getAstFromNode()</strong> from the <strong>SCAFCallsTraceAnalysis</strong> class allows to make a <strong>SCAFCallsTraceAnalysisAst</strong> from a <strong>SCAFAst</strong>.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="kn">from</span> <span class="nn">SCAF.API.Analysis</span> <span class="kn">import</span> <span class="o">*</span>
<span class="o">>>></span>
<span class="o">>>></span> <span class="n">analysis</span> <span class="o">=</span> <span class="n">SCAFAnalysis</span><span class="p">(</span><span class="s1">'localhost'</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'pwd'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">useDatabase</span><span class="p">(</span><span class="s1">'SCAF_vmndh'</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">main</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">spelling</span><span class="o">=</span><span class="s1">'main'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">main</span>
<span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">AST</span><span class="o">.</span><span class="n">SCAFAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7f72a2b45560</span><span class="o">></span>
<span class="o">>>></span> <span class="n">ctNode</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getAstFromNode</span><span class="p">(</span><span class="n">main</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">ctNode</span>
<span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">CallsTraceAnalysis</span><span class="o">.</span><span class="n">SCAFCallsTraceAnalysisAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7f72a2b45638</span><span class="o">></span>
</pre></div>
<!-- -->
</div>
<div class="section" id="display-the-called-functions">
<h3 id="52-display-the-called-functions">5.2 - Display the called functions</h3>
<p>As I already said above, you can run through the calls trace recursively via the <strong>getChildren()</strong> method
and display the function name.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">ctNode</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getAstFromNode</span><span class="p">(</span><span class="n">main</span><span class="p">)</span>
<span class="o">>>></span> <span class="n">ctNode</span>
<span class="o"><</span><span class="n">SCAF</span><span class="o">.</span><span class="n">API</span><span class="o">.</span><span class="n">CallsTraceAnalysis</span><span class="o">.</span><span class="n">SCAFCallsTraceAnalysisAst</span> <span class="n">instance</span> <span class="n">at</span> <span class="mh">0x7f72a2b45638</span><span class="o">></span>
<span class="o">>>></span> <span class="k">for</span> <span class="n">child</span> <span class="ow">in</span> <span class="n">ctNode</span><span class="o">.</span><span class="n">getChildren</span><span class="p">():</span>
<span class="o">...</span> <span class="nb">print</span> <span class="n">child</span>
<span class="o">...</span>
<span class="n">check_aslr_mode</span>
<span class="n">check_nx_mode</span>
<span class="n">check_pie_mode</span>
<span class="n">check_debug_mode</span>
<span class="n">check_core_mode</span>
<span class="n">check_file_mode</span>
<span class="n">syntax</span>
</pre></div>
<!-- -->
<p>Each child is also a <strong>SCAFCallsTraceAnalysisAst</strong> class. Below, a little code which run through the calls trace recursively:</p>
<pre class="code literal-block">
$ cat a.py
#!/usr/bin/env python2
## -*- coding: utf-8 -*-
from SCAF.API.Analysis import *
def throughAST(ctNode, depth):
print ("...." * depth), ctNode
for child in ctNode.getChildren():
throughAST(child, depth + 1)
if __name__ == '__main__':
analysis = SCAFAnalysis('localhost', 'login', 'pwd')
analysis.useDatabase('SCAF_vmndh')
func = analysis.getNodes(spelling='init_vmem')[1]
ctNode = analysis.callsTraceAnalysis.getAstFromNode(func)
throughAST(ctNode, 0)
$ python2 a.py
init_vmem
.... xmalloc
........ malloc
........ perror
........ exit
.... memset
.... rand_aslr
.... rand_pie
.... set_arg_in_memory
........ strlen
........ fprintf
........ exit
........ strcpy
$
</pre>
<!-- -->
<p>The visualization of this calls trace with Dot, is:</p>
<img alt="Calls Trace" class="align-center" height="200" src="resources/2014-08-25-scaf/images/callsTrace.png" width="600"/></div>
<div class="section" id="check-if-two-functions-are-linked">
<h3 id="53-check-if-two-functions-are-linked">5.3 - Check if two functions are linked</h3>
<p>The <strong>isLinked()</strong> method allows to know if two functions are linked. Example:</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">init_vmem</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">spelling</span><span class="o">=</span><span class="s1">'init_vmem'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">xmalloc</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">spelling</span><span class="o">=</span><span class="s1">'xmalloc'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">set_arg</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">getNodes</span><span class="p">(</span><span class="n">spelling</span><span class="o">=</span><span class="s1">'set_arg_in_memory'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">isLinked</span><span class="p">(</span><span class="n">init_vmem</span><span class="p">,</span> <span class="n">set_arg</span><span class="p">)</span>
<span class="kc">True</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">isLinked</span><span class="p">(</span><span class="n">xmalloc</span><span class="p">,</span> <span class="n">set_arg</span><span class="p">)</span>
<span class="kc">False</span>
</pre></div>
<!-- -->
</div>
<div class="section" id="know-the-depth-between-two-functions">
<h3 id="54-know-the-depth-between-two-functions">5.4 - Know the depth between two functions</h3>
<p>In order to make some specific analyzis, we sometimes have to know the depth between two functions. The <strong>getDepths()</strong> method can give us this information:</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getDepths</span><span class="p">(</span><span class="n">init_vmem</span><span class="p">,</span> <span class="n">set_arg</span><span class="p">)</span>
<span class="p">[</span><span class="mi">1</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getDepths</span><span class="p">(</span><span class="n">init_vmem</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">)</span>
<span class="p">[</span><span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">]</span>
<span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getDepths</span><span class="p">(</span><span class="n">main</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">)</span>
<span class="p">[</span><span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">2</span><span class="p">]</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
<p>In the first case, we have only one possible path with a 1 depth. In the second case, we have two possibles paths with both a depth of 2.
In the last case, we have 12 possibles paths with a least depth of 2.</p>
</div>
<div class="section" id="get-all-calls-trace-between-two-functions">
<h3 id="55-get-all-calls-trace-between-two-functions">5.5 - Get all calls trace between two functions</h3>
<p>Like the <strong>getDepths()</strong>, we can get the trace with the <strong>getTraces()</strong> method.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getTraces</span><span class="p">(</span><span class="n">init_vmem</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">)</span>
<span class="p">[</span>
<span class="p">[</span><span class="o"><</span><span class="n">SCAFCallsTraceAnalysisAst</span><span class="o">></span><span class="p">,</span> <span class="o"><</span><span class="n">SCAFCallsTraceAnalysisAst</span><span class="o">></span><span class="p">,</span> <span class="o"><</span><span class="n">SCAFCallsTraceAnalysisAst</span><span class="o">></span><span class="p">],</span>
<span class="p">[</span><span class="o"><</span><span class="n">SCAFCallsTraceAnalysisAst</span><span class="o">></span><span class="p">,</span> <span class="o"><</span><span class="n">SCAFCallsTraceAnalysisAst</span><span class="o">></span><span class="p">,</span> <span class="o"><</span><span class="n">SCAFCallsTraceAnalysisAst</span><span class="o">></span><span class="p">]</span>
<span class="p">]</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getTraces</span><span class="p">(</span><span class="n">init_vmem</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">))</span>
<span class="mi">2</span>
<span class="o">>>></span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getTraces</span><span class="p">(</span><span class="n">init_vmem</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">):</span>
<span class="o">...</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">x</span><span class="p">:</span>
<span class="o">...</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s1">' -> '</span> <span class="o">+</span> <span class="n">c</span><span class="o">.</span><span class="n">spelling</span><span class="p">)</span>
<span class="o">...</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s1">'</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
<span class="o">...</span>
<span class="o">-></span> <span class="n">init_vmem</span> <span class="o">-></span> <span class="n">xmalloc</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">init_vmem</span> <span class="o">-></span> <span class="n">set_arg_in_memory</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
<p>Another example with all calls trace between <strong>main</strong> and <strong>exit</strong>:</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getTraces</span><span class="p">(</span><span class="n">main</span><span class="p">,</span> <span class="s1">'exit'</span><span class="p">):</span>
<span class="o">...</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">x</span><span class="p">:</span>
<span class="o">...</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s1">' -> '</span> <span class="o">+</span> <span class="n">c</span><span class="o">.</span><span class="n">spelling</span><span class="p">)</span>
<span class="o">...</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s1">'</span><span class="se">\n</span><span class="s1">'</span><span class="p">)</span>
<span class="o">...</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">check_arg_mode</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">init_vmem</span> <span class="o">-></span> <span class="n">xmalloc</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">init_vmem</span> <span class="o">-></span> <span class="n">set_arg_in_memory</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">save_binary</span> <span class="o">-></span> <span class="n">xopen</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">save_binary</span> <span class="o">-></span> <span class="n">xmalloc</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">save_binary</span> <span class="o">-></span> <span class="n">xread</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">parse_binary</span> <span class="o">-></span> <span class="n">error_ndh_format</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">parse_binary</span> <span class="o">-></span> <span class="n">xmalloc</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">execute</span> <span class="o">-></span> <span class="n">check_pc</span> <span class="o">-></span> <span class="n">segfault</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">execute</span> <span class="o">-></span> <span class="n">segfault</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">check_file_mode</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">-></span> <span class="n">main</span> <span class="o">-></span> <span class="n">syntax</span> <span class="o">-></span> <span class="n">exit</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
</div>
<div class="section" id="jump-from-scafcallstraceanalysisast-to-scafast">
<h3 id="56-jump-from-scafcallstraceanalysisast-to-scafast">5.6 - Jump from SCAFCallsTraceAnalysisAst to SCAFAst</h3>
<p>We can also jump from a <strong>SCAFCallsTraceAnalysisAst</strong> to a <strong>SCAFAst</strong> for analyze a specific function in your calls trace.
For that, you have to use the <strong>getNode()</strong> method which returns a <strong>SCAFAst</strong> node:</p>
<img alt="SCAFCallsTraceAnalysisAst to SCAFAst" class="align-center" height="400" src="resources/2014-08-25-scaf/images/callsTrace2AST.png" width="700"/></div>
<div class="section" id="xrefs">
<h3 id="57-xrefs">5.7 - Xrefs</h3>
<p>The <strong>getXRefs()</strong> returns a list of the caller functions.</p>
<div class="highlight"><pre><span></span><span class="o">>>></span> <span class="n">xrefs</span> <span class="o">=</span> <span class="n">analysis</span><span class="o">.</span><span class="n">callsTraceAnalysis</span><span class="o">.</span><span class="n">getXRefs</span><span class="p">(</span><span class="s1">'exit'</span><span class="p">)</span>
<span class="o">>>></span> <span class="nb">len</span><span class="p">(</span><span class="n">xrefs</span><span class="p">)</span>
<span class="mi">12</span>
<span class="o">>>></span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">xrefs</span><span class="p">:</span>
<span class="o">...</span> <span class="nb">print</span> <span class="n">x</span><span class="o">.</span><span class="n">spelling</span>
<span class="o">...</span>
<span class="n">set_arg_in_memory</span>
<span class="n">syntax</span>
<span class="n">segfault</span>
<span class="n">error_ndh_format</span>
<span class="n">xmalloc</span>
<span class="n">xopen</span>
<span class="n">xmmap</span>
<span class="n">xread</span>
<span class="n">console_quit</span>
<span class="n">check_arg_mode</span>
<span class="n">syscall_exit</span>
<span class="n">check_file_mode</span>
<span class="o">>>></span>
</pre></div>
<!-- -->
</div>
</div>
<div class="section" id="gui-screenshots">
<h2 id="6-gui-screenshots_1">6 - GUI Screenshots</h2>
<p>Some screenshots of the pre-alpha GUI are available here <a class="footnote-reference" href="#footnote-2" id="footnote-reference-2">[2]</a>.</p>
</div>
<div class="section" id="conclusion">
<h2 id="7-conclusion">7 - Conclusion</h2>
<p>The main objectives of SCAF are :</p>
<ul>
<li><p class="first">Allow you to work on projects which contains a lot of sources code.</p>
</li>
<li><p class="first">Offers an other abstraction which allows you to use and search some specific nodes really easily.</p>
</li>
<li><p class="first">Allow you to work on an analysis with others colleagues and share notes, favorites, information and analysis results.</p>
</li>
</ul>
<p>This project is developed in python as two distinct module (API and GUI) and the API can be plugged/used
on any others projects.</p>
<p>SCAF is still in pre-alpha and will be released in few days. Before the release, I have to make more helpers/examples
scripts and write some documentations - All the boring parts :( but the helpful parts if you plan to use/contribute to this
project.</p>
</div>
<div class="section" id="acknowledgments">
<h2 id="8-acknowledgments">8 - Acknowledgments</h2>
<p>Thanks to:</p>
<ul>
<li><p class="first">Kévin Szkudlapski, Serge Guelton, Adrien Guinet and Cédric Tessier for some source code analysis tricks and conception.</p>
</li>
<li><p class="first">Fabian 'fabs' Yamaguchi for some ideas related to his work <a class="footnote-reference" href="#footnote-3" id="footnote-reference-3">[3]</a>.</p>
</li>
</ul>
</div>
<div class="section" id="references">
<h2 id="9-references">9 - References</h2>
<table class="docutils footnote" frame="void" id="footnote-1" rules="none">
<colgroup><col class="label"/><col/></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-1">[1]</a></td><td><a class="reference external" href="http://clang.llvm.org/doxygen/modules.html">http://clang.llvm.org/doxygen/modules.html</a></td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="footnote-2" rules="none">
<colgroup><col class="label"/><col/></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-2">[2]</a></td><td><a class="reference external" href="http://shell-storm.org/repo/IMG/SCAF/v0.1/">http://shell-storm.org/repo/IMG/SCAF/v0.1/</a></td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="footnote-3" rules="none">
<colgroup><col class="label"/><col/></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#footnote-reference-3">[3]</a></td><td><a class="reference external" href="http://codeexploration.blogspot.fr">http://codeexploration.blogspot.fr</a></td></tr>
</tbody>
</table>
</div>