Grrr-security

DefconRome livecoding repository. We will implement a code reuse mitigation inspired by RAP from grsecurity as an LLVM IR pass.

slides here

Build

Run ./install_llvm12.sh to install the last stable version of LLVM12 if it is not already present in your system.

Fill the pass in RAP/RAP.cpp and build it with LLVM_DIR=<path to llvm12> ./build.sh. The default path for LLVM12 should be /usr/lib/llvm-12, obtain the path running: llvm-config-12 --prefix.

Compile a sample program using the rap pass with LLVM_DIR=<path to llvm12> ./test.sh.

LLVM resources

Writing an LLVM pass

Existing LLVM passes

LLVM IR Language reference

Common LLVM functions/routines

Iterate over Functions in a Module

for (Function &F : M) {
    [...]
}

Iterate over Basic Blocks in a Function

for (BasicBlock &BB: F) {
    [...]
}

Iterate over Instructions in a Basic Block

for (Instruction &I: BB) {
    [...]
}

NOTICE: never change the items on which you are iterating

Add instruction INSTR with operands OPERANDS before Instruction I or at the end of Basic Block BB

IRBuilder<> Builder(I or BB);
Value * V = Builder.CreateINSTR(OPERANDS, ...);

--> you can keep adding instructions
Value * V2 = Builder.CreateINSTR2(OPERANDS2, ...);
Value * V3 = Builder.CreateINSTR3(OPERANDS3, ...);

--> you can combine them
Value * V4 = Builder.CreateINSTR4(V2, V3);

Get basic types

Type::getInt64Ty(M.getContext());
Type::getInt32Ty(M.getContext());
Type::getInt16Ty(M.getContext());

Types have no signs, operations have

Get an existing global variable, or create a new one if it does not exist

Constant *G = M.getOrInsertGlobal(NAME, TYPE)

Globals are constants as they represent an address. To access/moddify the value use load or store operations.

IRBuilder<> Builder(BB);
Value *GlobalValue = Builder.CreateLoad(G);
Builder.CreateStore(NewValue, G);

0xcapp3/grrr-security