Racfed

.gitignore

@@ -24,6 +24,9 @@
 *.a
 *.lib
 
+# IR files
+*.ll
+
 # Executables
 *.exe
 *.out
@@ -62,4 +65,7 @@ examples/sha/*.csv
 examples/sha/sha
 
 examples/cuda/*.txt
-examples/cuda/add
+examples/cuda/add
+
+# IDE
+.idea/

aspis.sh

@@ -19,7 +19,8 @@ input_files=""
 clang_options=
 eddi_options="-S"
 cfc_options="-S"
-llvm_bin=$(dirname $(which clang &> /dev/null) &> /dev/null)
+llvm_bin=$(dirname "$(which clang)")
+suffix=""
 build_dir="."
 dup=0 # 0 = eddi,   1 = seddi,  2 = fdsc
 cfc=0 # 0 = cfcss,  1 = rasm,   2 = inter-rasm
@@ -65,15 +66,15 @@ title_msg () {
 
 perform_platform_checks() {
     if [ ! -f $1 ]; then
-        error_msg "\nCommand clang not found. Expected path: ${1}. Please check --llvm_bin parameter."
+        error_msg "\nCommand clang not found. Expected path: ${1}. Please check --llvm-bin parameter."
     fi
 
     if [ ! -f $2 ]; then
-        error_msg "\nCommand opt not found. Expected path: ${2}. Please check --llvm_bin parameter."
+        error_msg "\nCommand opt not found. Expected path: ${2}. Please check --llvm-bin parameter."
     fi
 
     if [ ! -f $3 ]; then
-        error_msg "\nCommand llvm-link not found. Expected path: ${3}. Please check --llvm_bin parameter."
+        error_msg "\nCommand llvm-link not found. Expected path: ${3}. Please check --llvm-bin parameter."
     fi
 
 }
@@ -112,12 +113,14 @@ parse_commands() {
         -o <file>           Write the compilation output to <file>.
         --build-dir <path>  Specify the directory where to place all the build
                             files.
-        --llvm-bin <path>   Set the path to the llvm binaries (clang, opt, 
+        --llvm-bin  <path>  Set the path to the llvm binaries (clang, opt, 
                             llvm-link) to <path>.
-        --exclude <file>    Set the files to exclude from the compilation. The 
+	--suffix    <value> Set the suffix of the binary to use (clang, opt, 
+			    llvm-link) to <value>.
+        --exclude   <file>  Set the files to exclude from the compilation. The 
                             content of <file> is the list of files to 
                             exclude, one for each line (wildcard * allowed).
-        --asmfiles <file>   Defines the set of assembly files required for the
+        --asmfiles  <file>  Defines the set of assembly files required for the
                             compilation. The content of <file> is the list of 
                             assembly files to pass to the linker at compilation 
                             termination, one for each line (wildcard * allowed).
@@ -128,12 +131,13 @@ parse_commands() {
         --eddi              (Default) Enable EDDI.
         --seddi             Enable Selective-EDDI.
         --fdsc              Enable Full Duplication with Selective Checking.
-        --no-dup            Completely disable data duplication
+        --no-dup            Completely disable data duplication.
 
         --cfcss             (Default) Enable CFCSS.
         --rasm              Enable RASM.
         --inter-rasm        Enable inter-RASM with the default signature -0xDEAD.
-        --no-cfc            Completely disable control-flow checking
+	--racfed            Enable RACFED.
+        --no-cfc            Completely disable control-flow checking.
 
     Hardening options:
         --alternate-memmap  When set, alternates the definition of original and 
@@ -155,16 +159,25 @@ EOF
                         if [[ ${#opt} -eq 2 ]]; then
                             parse_state=1;
                         else
-                            output_file=`echo "$opt" | cut -b 2`;
+                            output_file=${opt##"-o"};
                         fi;
                         ;;
                     --llvm-bin*)
+			echo ${#opt}
                         if [[ ${#opt} -eq 10 ]]; then
                             parse_state=3;
                         else
-                            llvm_bin=`echo "$opt" | cut -b 10`;
+                            llvm_bin=${opt##"--llvm-bin="};
                         fi;
                         ;;
+		    --suffix*)
+			if [[ ${#opt} -eq 8 ]]; then
+                            parse_state=7;
+			else
+			    suffix='-';
+			    suffix+=${opt##"--suffix="};
+			fi;
+			;;
                     --exclude*)
                         if [[ ${#opt} -eq 9 ]]; then
                             parse_state=4;
@@ -207,6 +220,9 @@ EOF
                     --inter-rasm)
                         cfc=2
                         ;;
+                    --racfed)
+                        cfc=3
+                        ;;
                     --no-cfc)
                         cfc=-1
                         ;;
@@ -267,6 +283,10 @@ EOF
                 build_dir="$opt";
                 parse_state=0;
                 ;;
+	    7)
+		suffix="$opt";
+		parse_state=0;
+		;;
         esac
     done
 
@@ -291,9 +311,9 @@ EOF
         }
     fi
 
-    CLANG="${llvm_bin}/clang" 
-    OPT="${llvm_bin}/opt"
-    LLVM_LINK="${llvm_bin}/llvm-link"
+    CLANG="${llvm_bin}/clang${suffix}" 
+    OPT="${llvm_bin}/opt${suffix}"
+    LLVM_LINK="${llvm_bin}/llvm-link${suffix}"
 
     if [[ -n "$config_file" ]]; then
         CLANG="${CLANG} --config ${config_file}"
@@ -319,19 +339,19 @@ run_aspis() {
     done
 
     ## LINK & PREPROCESS
-    exe $LLVM_LINK $build_dir/*.ll -o $build_dir/out.ll -opaque-pointers
+    exe $LLVM_LINK $build_dir/*.ll -o $build_dir/out.ll
 
     success_msg "Emitted and linked IR."
 
     if [[ $debug_enabled == false ]]; then
-        exe $OPT --enable-new-pm=1 --passes="strip" $build_dir/out.ll -o $build_dir/out.ll
+        exe $OPT --passes="strip" $build_dir/out.ll -o $build_dir/out.ll
         echo "  Debug mode disabled, stripped debug symbols."
     fi
-
-        exe $OPT --enable-new-pm=1 --passes="lowerswitch" $build_dir/out.ll -o $build_dir/out.ll
+    
+    exe $OPT --passes="lower-switch" $build_dir/out.ll -o $build_dir/out.ll
 
     ## FuncRetToRef
-    if [[ dup != -1 ]]; then
+    if [[ dup -ne -1 ]]; then
         exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libEDDI.so --passes="func-ret-to-ref" $build_dir/out.ll -o $build_dir/out.ll
     fi;
 
@@ -352,19 +372,21 @@ run_aspis() {
     esac
     success_msg "Applied data protection passes."
 
-    exe $OPT --enable-new-pm=1 --passes="simplifycfg" $build_dir/out.ll -o $build_dir/out.ll
-
+    exe $OPT --passes="simplifycfg" $build_dir/out.ll -o $build_dir/out.ll
 
     ## CONTROL-FLOW CHECKING
     case $cfc in
         0) 
-            exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libCFCSS.so --passes="cfcss-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
+            exe $OPT -load-pass-plugin=$DIR/build/passes/libCFCSS.so --passes="cfcss-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
             ;;
         1) 
-            exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libRASM.so --passes="rasm-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
+            exe $OPT -load-pass-plugin=$DIR/build/passes/libRASM.so --passes="rasm-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
             ;;
         2) 
-            exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libINTER_RASM.so --passes="rasm-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
+            exe $OPT -load-pass-plugin=$DIR/build/passes/libINTER_RASM.so --passes="rasm-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
+            ;;
+        3)
+            exe $OPT -load-pass-plugin=$DIR/build/passes/libRACFED.so --passes="racfed-verify" $build_dir/out.ll -o $build_dir/out.ll $cfc_options
             ;;
         *)
             echo -e "\t--no-cfc specified!"
@@ -393,8 +415,8 @@ run_aspis() {
     success_msg "Linked excluded files to the compilation."
 
     ## DuplicateGlobals
-    if [[ dup != -1 ]]; then
-        exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libEDDI.so --passes="duplicate-globals" $build_dir/out.ll -o $build_dir/out.ll -S $eddi_options
+    if [[ dup -ne -1 ]]; then
+        exe $OPT -load-pass-plugin=$DIR/build/passes/libEDDI.so --passes="duplicate-globals" $build_dir/out.ll -o $build_dir/out.ll -S $eddi_options
         success_msg "Duplicated globals."
     fi;
 
@@ -411,7 +433,7 @@ run_aspis() {
     exe $OPT $build_dir/out.ll -o $build_dir/out.ll -S $opt_flags
     if [[ "$enable_profiling" == "true" ]]; then
         title_msg "ASPIS Profiling"
-        exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libPROFILER.so --passes="aspis-insert-check-profile" $build_dir/out.ll -o $build_dir/out.ll -S
+        exe $OPT -load-pass-plugin=$DIR/build/passes/libPROFILER.so --passes="aspis-insert-check-profile" $build_dir/out.ll -o $build_dir/out.ll -S
         success_msg "Code instrumented."
 
         exe $CLANG $clang_options $build_dir/out.ll $asm_files -o $build_dir/$output_file 
@@ -421,7 +443,7 @@ run_aspis() {
         success_msg "Profiled code executed."
 
         echo -e "Analyzing..."
-        exe $OPT --enable-new-pm=1 -load-pass-plugin=$DIR/build/passes/libPROFILER.so --passes="aspis-check-profile" $build_dir/out.ll -o $build_dir/out.ll -S
+        exe $OPT -load-pass-plugin=$DIR/build/passes/libPROFILER.so --passes="aspis-check-profile" $build_dir/out.ll -o $build_dir/out.ll -S
         exit
     fi;
 
@@ -437,6 +459,6 @@ run_aspis() {
     success_msg "Done!"
 }
 
-parse_commands $@
+parse_commands "$@"
 perform_platform_checks $CLANG $OPT $LLVM_LINK
-run_aspis
+run_aspis

passes/ASPIS.h

@@ -19,7 +19,7 @@ using namespace llvm;
 // DATA PROTECTION
 class FuncRetToRef : public PassInfoMixin<FuncRetToRef> {
     private:
-        Function* updateFnSignature(Function &Fn, Module &Md);
+        void updateFnSignature(Function &Fn, Module &Md);
         void updateRetInstructions(Function &Fn);
         void updateFunctionCalls(Function &Fn, Function &NewFn);
 
@@ -156,4 +156,46 @@ class RASM : public PassInfoMixin<RASM> {
 
 };
 
-#endif
+class RACFED : public PassInfoMixin<RACFED> {
+private:
+  std::map<Value *, StringRef> FuncAnnotations;
+  std::map<BasicBlock *, BasicBlock *> NewBBs;
+  std::unordered_map<BasicBlock *, uint32_t> compileTimeSig;
+  std::unordered_map<BasicBlock *, uint32_t> subRanPrevVals;
+  std::unordered_map<BasicBlock *, uint64_t> sumIntraInstruction;
+
+
+#if (LOG_COMPILED_FUNCS == 1)
+  std::set<Function *> CompiledFuncs;
+#endif
+
+  // -- INITIALIZE BLOCKS --
+  void initializeBlocksSignatures(Function &Fn);
+  // -- UPDATE COMPILE SIG RANDOM --
+  void updateCompileSigRandom(Function &Fn,
+			      GlobalVariable *RuntimeSigGV, Type *IntType);
+
+  // --- CHECK BLOCKS AT JUMP END ---
+  void checkJumpSignature(BasicBlock &BB,
+			  GlobalVariable *RuntimeSigGV, Type *IntType,
+			  BasicBlock &ErrBB);
+
+  Value *getCondition(Instruction &I);
+
+  // --- UPDATE BRANCH SIGNATURE BEFORE JUMP ---
+  void checkBranches(Module &Md, BasicBlock &BB, GlobalVariable *RuntimeSigGV, 
+		     Type *IntType);
+
+  // --- UPDATE RETURN VALUE AND CHECK ---
+  Instruction *checkReturnValue(BasicBlock &BB, 
+			GlobalVariable *RuntimeSigGV, 
+			Type *IntType, BasicBlock &ErrBB,
+			Value *BckupRunSig);
+
+public:
+  PreservedAnalyses run(Module &Md, ModuleAnalysisManager &);
+
+  static bool isRequired() { return true; }
+};
+
+#endif

passes/CMakeLists.txt

@@ -49,6 +49,12 @@ add_library(INTER_RASM SHARED
 )
 target_compile_definitions(INTER_RASM PRIVATE INTRA_FUNCTION_CFC=1)
 
+# RACFED
+add_library(RACFED SHARED
+        RACFED.cpp
+        Utils/Utils.cpp
+)
+
 add_library(PROFILER SHARED
     Profiling/ASPISCheckProfiler.cpp
     Utils/Utils.cpp