[clang][CodeGen] Software Bill of Mitigations Metadata

The goal of this stack is to create a high fidelity mapping of mitigations to their possible insertion points and their actual insertion points. This would let us track where we do and don't have mitigations rather than the current approach of tracking where we have the flag.

There are some challenges posed by this like:
- Some mitigations are not emitted by the compiler, but the preprocessor
- Some mitigations are lowered later during IR -> MIR (stack cookies)

Author: matthewlevy97

clang/include/clang/Basic/CodeGenOptions.def

@@ -191,6 +191,7 @@ CODEGENOPT(NoTypeCheck       , 1, 0) ///< Set when -Wa,--no-type-check is enable
 CODEGENOPT(MisExpect         , 1, 0) ///< Set when -Wmisexpect is enabled
 CODEGENOPT(EnableSegmentedStacks , 1, 0) ///< Set when -fsplit-stack is enabled.
 CODEGENOPT(StackClashProtector, 1, 0) ///< Set when -fstack-clash-protection is enabled.
+CODEGENOPT(MitigationAnalysis, 1, 0) ///< Set when -fmitigation-analysis is enabled.
 CODEGENOPT(NoImplicitFloat   , 1, 0) ///< Set when -mno-implicit-float is enabled.
 CODEGENOPT(NullPointerIsValid , 1, 0) ///< Assume Null pointer deference is defined.
 CODEGENOPT(OpenCLCorrectlyRoundedDivSqrt, 1, 0) ///< -cl-fp32-correctly-rounded-divide-sqrt

clang/include/clang/Driver/Options.td

@@ -3891,6 +3891,12 @@ defm split_stack : BoolFOption<"split-stack",
   CodeGenOpts<"EnableSegmentedStacks">, DefaultFalse,
   NegFlag<SetFalse, [], [ClangOption], "Wouldn't use segmented stack">,
   PosFlag<SetTrue, [], [ClangOption, CC1Option], "Use segmented stack">>;
+defm mitigation_analysis : BoolFOption<"mitigation-analysis",
+  CodeGenOpts<"MitigationAnalysis">, DefaultFalse,
+  PosFlag<SetTrue, [], [ClangOption, CC1Option], "Enable">,
+  NegFlag<SetFalse, [], [ClangOption], "Disable">,
+  BothFlags<[], [ClangOption], " mitigation analysis">>,
+  DocBrief<"Instrument mitigations (CFI, Stack Protectors, Auto-Var-Init, StackClashProtection) to analyze their coverage">;
 def fstack_protector_all : Flag<["-"], "fstack-protector-all">, Group<f_Group>,
   HelpText<"Enable stack protectors for all functions">;
 defm stack_clash_protection : BoolFOption<"stack-clash-protection",

clang/lib/CodeGen/CGBuiltin.cpp

@@ -21,6 +21,7 @@
 #include "CodeGenFunction.h"
 #include "CodeGenModule.h"
 #include "ConstantEmitter.h"
+#include "MitigationTagging.h"
 #include "PatternInit.h"
 #include "TargetInfo.h"
 #include "clang/AST/ASTContext.h"
@@ -83,6 +84,8 @@ static void initializeAlloca(CodeGenFunction &CGF, AllocaInst *AI, Value *Size,
   switch (CGF.getLangOpts().getTrivialAutoVarInit()) {
   case LangOptions::TrivialAutoVarInitKind::Uninitialized:
     // Nothing to initialize.
+    AttachMitigationMetadataToFunction(CGF, MitigationKey::AUTO_VAR_INIT,
+                                       false);
     return;
   case LangOptions::TrivialAutoVarInitKind::Zero:
     Byte = CGF.Builder.getInt8(0x00);
@@ -94,6 +97,7 @@ static void initializeAlloca(CodeGenFunction &CGF, AllocaInst *AI, Value *Size,
     break;
   }
   }
+  AttachMitigationMetadataToFunction(CGF, MitigationKey::AUTO_VAR_INIT, true);
   if (CGF.CGM.stopAutoInit())
     return;
   auto *I = CGF.Builder.CreateMemSet(AI, Byte, Size, AlignmentInBytes);
@@ -4642,6 +4646,9 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
     AI->setAlignment(SuitableAlignmentInBytes);
     if (BuiltinID != Builtin::BI__builtin_alloca_uninitialized)
       initializeAlloca(*this, AI, Size, SuitableAlignmentInBytes);
+    else
+      AttachMitigationMetadataToFunction(*this, MitigationKey::AUTO_VAR_INIT,
+                                         false);
     LangAS AAS = getASTAllocaAddressSpace();
     LangAS EAS = E->getType()->getPointeeType().getAddressSpace();
     if (AAS != EAS) {
@@ -4664,6 +4671,9 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
     AI->setAlignment(AlignmentInBytes);
     if (BuiltinID != Builtin::BI__builtin_alloca_with_align_uninitialized)
       initializeAlloca(*this, AI, Size, AlignmentInBytes);
+    else
+      AttachMitigationMetadataToFunction(*this, MitigationKey::AUTO_VAR_INIT,
+                                         false);
     LangAS AAS = getASTAllocaAddressSpace();
     LangAS EAS = E->getType()->getPointeeType().getAddressSpace();
     if (AAS != EAS) {

clang/lib/CodeGen/CGClass.cpp

@@ -16,6 +16,7 @@
 #include "CGDebugInfo.h"
 #include "CGRecordLayout.h"
 #include "CodeGenFunction.h"
+#include "MitigationTagging.h"
 #include "TargetInfo.h"
 #include "clang/AST/Attr.h"
 #include "clang/AST/CXXInheritance.h"
@@ -2847,6 +2848,8 @@ void CodeGenFunction::EmitTypeMetadataCodeForVCall(const CXXRecordDecl *RD,
         Builder.CreateCall(CGM.getIntrinsic(IID), {VTable, TypeId});
     Builder.CreateCall(CGM.getIntrinsic(llvm::Intrinsic::assume), TypeTest);
   }
+
+  AttachMitigationMetadataToFunction(*this, MitigationKey::CFI_VCALL, false);
 }
 
 void CodeGenFunction::EmitVTablePtrCheckForCall(const CXXRecordDecl *RD,

clang/lib/CodeGen/CGDecl.cpp

@@ -20,6 +20,7 @@
 #include "CodeGenModule.h"
 #include "ConstantEmitter.h"
 #include "EHScopeStack.h"
+#include "MitigationTagging.h"
 #include "PatternInit.h"
 #include "TargetInfo.h"
 #include "clang/AST/ASTContext.h"
@@ -1974,6 +1975,9 @@ void CodeGenFunction::EmitAutoVarInit(const AutoVarEmission &emission) {
            ? LangOptions::TrivialAutoVarInitKind::Uninitialized
            : getContext().getLangOpts().getTrivialAutoVarInit());
 
+  AttachMitigationMetadataToFunction(
+      *this, MitigationKey::AUTO_VAR_INIT,
+      trivialAutoVarInit != LangOptions::TrivialAutoVarInitKind::Uninitialized);
   auto initializeWhatIsTechnicallyUninitialized = [&](Address Loc) {
     if (trivialAutoVarInit ==
         LangOptions::TrivialAutoVarInitKind::Uninitialized)

clang/lib/CodeGen/CGExpr.cpp

@@ -22,6 +22,7 @@
 #include "CodeGenFunction.h"
 #include "CodeGenModule.h"
 #include "ConstantEmitter.h"
+#include "MitigationTagging.h"
 #include "TargetInfo.h"
 #include "clang/AST/ASTContext.h"
 #include "clang/AST/ASTLambda.h"
@@ -6091,6 +6092,10 @@ RValue CodeGenFunction::EmitCall(QualType CalleeType,
   // function pointer is a member of the bit set for the function type.
   if (SanOpts.has(SanitizerKind::CFIICall) &&
       (!TargetDecl || !isa<FunctionDecl>(TargetDecl))) {
+    AttachMitigationMetadataToFunction(
+        *this, MitigationKey::CFI_ICALL,
+        SanOpts.has(clang::SanitizerKind::CFIICall));
+
     SanitizerScope SanScope(this);
     EmitSanitizerStatReport(llvm::SanStat_CFI_ICall);
 

clang/lib/CodeGen/CGExprCXX.cpp

@@ -16,6 +16,7 @@
 #include "CGObjCRuntime.h"
 #include "CodeGenFunction.h"
 #include "ConstantEmitter.h"
+#include "MitigationTagging.h"
 #include "TargetInfo.h"
 #include "clang/Basic/CodeGenOptions.h"
 #include "clang/CodeGen/CGFunctionInfo.h"
@@ -416,6 +417,11 @@ RValue CodeGenFunction::EmitCXXMemberOrOperatorMemberCallExpr(
       std::tie(VTable, RD) = CGM.getCXXABI().LoadVTablePtr(
           *this, This.getAddress(), CalleeDecl->getParent());
       EmitVTablePtrCheckForCall(RD, VTable, CFITCK_NVCall, CE->getBeginLoc());
+      AttachMitigationMetadataToFunction(*this, MitigationKey::CFI_NVCALL,
+                                         true);
+    } else if (MD->getParent()->isDynamicClass()) {
+      AttachMitigationMetadataToFunction(*this, MitigationKey::CFI_NVCALL,
+                                         false);
     }
 
     if (getLangOpts().AppleKext && MD->isVirtual() && HasQualifier)

clang/lib/CodeGen/CMakeLists.txt

@@ -110,6 +110,7 @@ add_clang_library(clangCodeGen
   LinkInModulesPass.cpp
   MacroPPCallbacks.cpp
   MicrosoftCXXABI.cpp
+  MitigationTagging.cpp
   ModuleBuilder.cpp
   ObjectFilePCHContainerWriter.cpp
   PatternInit.cpp

clang/lib/CodeGen/CodeGenModule.cpp

@@ -26,6 +26,7 @@
 #include "CodeGenPGO.h"
 #include "ConstantEmitter.h"
 #include "CoverageMappingGen.h"
+#include "MitigationTagging.h"
 #include "TargetInfo.h"
 #include "clang/AST/ASTContext.h"
 #include "clang/AST/ASTLambda.h"
@@ -2490,6 +2491,8 @@ void CodeGenModule::SetLLVMFunctionAttributesForDefinition(const Decl *D,
   if ((!D || !D->hasAttr<NoUwtableAttr>()) && CodeGenOpts.UnwindTables)
     B.addUWTableAttr(llvm::UWTableKind(CodeGenOpts.UnwindTables));
 
+  AttachMitigationMetadataToFunction(*F, MitigationKey::STACK_CLASH_PROTECTION,
+                                     CodeGenOpts.StackClashProtector);
   if (CodeGenOpts.StackClashProtector)
     B.addAttribute("probe-stack", "inline-asm");
 
@@ -2512,6 +2515,25 @@ void CodeGenModule::SetLLVMFunctionAttributesForDefinition(const Decl *D,
   else if (isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPReq))
     B.addAttribute(llvm::Attribute::StackProtectReq);
 
+  bool noStackProtectionAttr = D && D->hasAttr<NoStackProtectorAttr>();
+  AttachMitigationMetadataToFunction(
+      *F, MitigationKey::STACK_PROTECTOR,
+      !noStackProtectionAttr &&
+          (isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPOn) ||
+           isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPStrong) ||
+           isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPReq)));
+
+  AttachMitigationMetadataToFunction(
+      *F, MitigationKey::STACK_PROTECTOR_STRONG,
+      !noStackProtectionAttr &&
+          (isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPStrong) ||
+           isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPReq)));
+
+  AttachMitigationMetadataToFunction(
+      *F, MitigationKey::STACK_PROTECTOR_ALL,
+      !noStackProtectionAttr &&
+          isStackProtectorOn(LangOpts, getTriple(), LangOptions::SSPReq));
+
   if (!D) {
     // Non-entry HLSL functions must always be inlined.
     if (getLangOpts().HLSL && !F->hasFnAttribute(llvm::Attribute::NoInline))

clang/lib/CodeGen/MitigationTagging.cpp

@@ -0,0 +1,84 @@
+//===--- MitigationTagging.cpp - Emit LLVM Code from ASTs for a Module ----===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This enables tagging functions with metadata to indicate mitigations are
+// applied to them.
+//
+//===----------------------------------------------------------------------===//
+
+#include "MitigationTagging.h"
+#include "llvm/IR/Constants.h"
+#include "llvm/IR/LLVMContext.h"
+#include "llvm/IR/Metadata.h"
+
+#include <string>
+#include <vector>
+
+namespace clang {
+namespace CodeGen {
+
+inline static std::string
+MitigationKeyToString(enum MitigationKey key) noexcept {
+  switch (key) {
+  case MitigationKey::AUTO_VAR_INIT:
+    return "auto-var-init";
+  case MitigationKey::STACK_CLASH_PROTECTION:
+    return "stack-clash-protection";
+  case MitigationKey::STACK_PROTECTOR:
+    return "stack-protector";
+  case MitigationKey::STACK_PROTECTOR_STRONG:
+    return "stack-protector-strong";
+  case MitigationKey::STACK_PROTECTOR_ALL:
+    return "stack-protector-all";
+  case MitigationKey::CFI_VCALL:
+    return "cfi-vcall";
+  case MitigationKey::CFI_ICALL:
+    return "cfi-icall";
+  case MitigationKey::CFI_NVCALL:
+    return "cfi-nvcall";
+  }
+}
+
+void AttachMitigationMetadataToFunction(llvm::Function &F,
+                                        enum MitigationKey key, bool enabled) {
+  llvm::LLVMContext &Context = F.getContext();
+
+  unsigned kindID = Context.getMDKindID("security_mitigations");
+
+  llvm::Metadata *ValueMD = llvm::ConstantAsMetadata::get(
+      llvm::ConstantInt::get(llvm::Type::getInt1Ty(Context), enabled));
+  llvm::MDString *KeyMD =
+      llvm::MDString::get(Context, MitigationKeyToString(key));
+
+  llvm::MDNode *NewMD = llvm::MDNode::get(Context, {KeyMD, ValueMD});
+  llvm::MDNode *ExistingMD = F.getMetadata(kindID);
+
+  if (ExistingMD) {
+    std::vector<llvm::Metadata *> MDs;
+    for (unsigned i = 0, e = ExistingMD->getNumOperands(); i != e; ++i) {
+      MDs.push_back(ExistingMD->getOperand(i));
+    }
+    MDs.push_back(NewMD);
+
+    llvm::MDNode *CombinedMD = llvm::MDNode::get(Context, MDs);
+    F.setMetadata(kindID, CombinedMD);
+  } else {
+    F.setMetadata(kindID, NewMD);
+  }
+}
+
+void AttachMitigationMetadataToFunction(CodeGenFunction &CGF,
+                                        enum MitigationKey key, bool enabled) {
+  if (!CGF.CGM.getCodeGenOpts().MitigationAnalysis) {
+    return;
+  }
+  AttachMitigationMetadataToFunction(*(CGF.CurFn), key, enabled);
+}
+
+} // namespace CodeGen
+} // namespace clang