@@ -34,31 +34,35 @@ AND CAST(n_instr AS INT) <= 15
3434
3535UNION ALL
3636
37- -- Total number of non-reachable gadgets with a maximum of 4 dependent loads
38- -- within 15 instructions , reported in Section 9 - FineIBT bypass.
37+ -- Total number of dispatchers with a secret load that does not depend
38+ -- on the call expression , reported in Section 9 - FineIBT bypass.
3939SELECT " FineIBT half-gadget dispatchers" COUNT (DISTINCT pc)
4040FROM all_tfps
4141WHERE
42- requirements NOT like " %{'regs': [], %"
43- AND contains_spec_stop = ' False'
44- AND CAST(n_instr AS INT ) < 30
45- AND
46- (
47- (rsi_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rsi_expr LIKE " %LOAD%"
48- OR (rdi_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rdi_expr LIKE " %LOAD%"
49- OR (rax_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rax_expr LIKE " %LOAD%"
50- OR (rbx_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rbx_expr LIKE " %LOAD%"
51- OR (rcx_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rcx_expr LIKE " %LOAD%"
52- OR (rdx_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rdx_expr LIKE " %LOAD%"
53- OR (r8_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r8_expr LIKE " %LOAD%"
54- OR (r9_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r9_expr LIKE " %LOAD%"
55- OR (r10_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r10_expr LIKE " %LOAD%"
56- OR (r11_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r11_expr LIKE " %LOAD%"
57- OR (r12_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r12_expr LIKE " %LOAD%"
58- OR (r13_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r13_expr LIKE " %LOAD%"
59- OR (r14_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r14_expr LIKE " %LOAD%"
60- OR (r15_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND r15_expr LIKE " %LOAD%"
61- OR (rbp_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rbp_expr LIKE " %LOAD%"
62- OR (rsp_control = ' TFPRegisterControlType.POTENTIAL_SECRET' AND rsp_expr LIKE " %LOAD%"
63- )
64- ;
42+ contains_spec_stop = ' False'
43+ AND secrets NOT like " []"
44+ AND name in reachable
45+ ;
46+
47+ -- requirements NOT like "%{'regs': [], %"
48+ -- AND contains_spec_stop = 'False'
49+ -- AND CAST(n_instr AS INT) < 30
50+ -- AND
51+ -- (
52+ -- (rsi_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rsi_expr LIKE "%LOAD%")
53+ -- OR (rdi_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rdi_expr LIKE "%LOAD%")
54+ -- OR (rax_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rax_expr LIKE "%LOAD%")
55+ -- OR (rbx_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rbx_expr LIKE "%LOAD%")
56+ -- OR (rcx_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rcx_expr LIKE "%LOAD%")
57+ -- OR (rdx_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rdx_expr LIKE "%LOAD%")
58+ -- OR (r8_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r8_expr LIKE "%LOAD%")
59+ -- OR (r9_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r9_expr LIKE "%LOAD%")
60+ -- OR (r10_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r10_expr LIKE "%LOAD%")
61+ -- OR (r11_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r11_expr LIKE "%LOAD%")
62+ -- OR (r12_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r12_expr LIKE "%LOAD%")
63+ -- OR (r13_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r13_expr LIKE "%LOAD%")
64+ -- OR (r14_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r14_expr LIKE "%LOAD%")
65+ -- OR (r15_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND r15_expr LIKE "%LOAD%")
66+ -- OR (rbp_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rbp_expr LIKE "%LOAD%")
67+ -- OR (rsp_control = 'TFPRegisterControlType.POTENTIAL_SECRET' AND rsp_expr LIKE "%LOAD%")
68+ -- )
0 commit comments