static std::vector<Function*> parseGlobalCtors(GlobalVariable *GV) { if (GV->getInitializer()->isNullValue()) return std::vector<Function *>(); ConstantArray *CA = cast<ConstantArray>(GV->getInitializer()); std::vector<Function *> Result; Result.reserve(CA->getNumOperands()); for (User::op_iterator i = CA->op_begin(), e = CA->op_end(); i != e; ++i) { ConstantStruct *CS = cast<ConstantStruct>(*i); Result.push_back(dyn_cast<Function>(CS->getOperand(1))); } return Result; }
bool ObjCARCAPElim::runOnModule(Module &M) { if (!EnableARCOpts) return false; // If nothing in the Module uses ARC, don't do anything. if (!ModuleHasARC(M)) return false; // Find the llvm.global_ctors variable, as the first step in // identifying the global constructors. In theory, unnecessary autorelease // pools could occur anywhere, but in practice it's pretty rare. Global // ctors are a place where autorelease pools get inserted automatically, // so it's pretty common for them to be unnecessary, and it's pretty // profitable to eliminate them. GlobalVariable *GV = M.getGlobalVariable("llvm.global_ctors"); if (!GV) return false; assert(GV->hasDefinitiveInitializer() && "llvm.global_ctors is uncooperative!"); bool Changed = false; // Dig the constructor functions out of GV's initializer. ConstantArray *Init = cast<ConstantArray>(GV->getInitializer()); for (User::op_iterator OI = Init->op_begin(), OE = Init->op_end(); OI != OE; ++OI) { Value *Op = *OI; // llvm.global_ctors is an array of three-field structs where the second // members are constructor functions. Function *F = dyn_cast<Function>(cast<ConstantStruct>(Op)->getOperand(1)); // If the user used a constructor function with the wrong signature and // it got bitcasted or whatever, look the other way. if (!F) continue; // Only look at function definitions. if (F->isDeclaration()) continue; // Only look at functions with one basic block. if (std::next(F->begin()) != F->end()) continue; // Ok, a single-block constructor function definition. Try to optimize it. Changed |= OptimizeBB(F->begin()); } return Changed; }
SandboxVector SandboxUtils::findSandboxes(Module& M) { FunctionIntMap funcToOverhead; FunctionIntMap funcToClearances; map<Function*,string> funcToSandboxName; map<string,FunctionSet> sandboxNameToEntryPoints; StringSet ephemeralSandboxes; SandboxVector sandboxes; // function-level annotations of sandboxed code Regex *sboxPerfRegex = new Regex("perf_overhead_\\(([0-9]{1,2})\\)", true); SmallVector<StringRef, 4> matches; if (GlobalVariable* lga = M.getNamedGlobal("llvm.global.annotations")) { ConstantArray* lgaArray = dyn_cast<ConstantArray>(lga->getInitializer()->stripPointerCasts()); for (User::op_iterator i=lgaArray->op_begin(), e = lgaArray->op_end(); e!=i; i++) { ConstantStruct* lgaArrayElement = dyn_cast<ConstantStruct>(i->get()); // get the annotation value first GlobalVariable* annotationStrVar = dyn_cast<GlobalVariable>(lgaArrayElement->getOperand(1)->stripPointerCasts()); ConstantDataArray* annotationStrArray = dyn_cast<ConstantDataArray>(annotationStrVar->getInitializer()); StringRef annotationStrArrayCString = annotationStrArray->getAsCString(); GlobalValue* annotatedVal = dyn_cast<GlobalValue>(lgaArrayElement->getOperand(0)->stripPointerCasts()); if (isa<Function>(annotatedVal)) { Function* annotatedFunc = dyn_cast<Function>(annotatedVal); StringRef sandboxName; if (annotationStrArrayCString.startswith(SANDBOX_PERSISTENT) || annotationStrArrayCString.startswith(SANDBOX_EPHEMERAL)) { sandboxEntryPoints.insert(annotatedFunc); outs() << INDENT_1 << "Found sandbox entrypoint " << annotatedFunc->getName() << "\n"; outs() << INDENT_2 << "Annotation string: " << annotationStrArrayCString << "\n"; if (annotationStrArrayCString.startswith(SANDBOX_PERSISTENT)) { sandboxName = annotationStrArrayCString.substr(strlen(SANDBOX_PERSISTENT)+1); } else if (annotationStrArrayCString.startswith(SANDBOX_EPHEMERAL)) { sandboxName = annotationStrArrayCString.substr(strlen(SANDBOX_EPHEMERAL)+1); ephemeralSandboxes.insert(sandboxName); } outs() << INDENT_2 << "Sandbox name: " << sandboxName << "\n"; if (funcToSandboxName.find(annotatedFunc) != funcToSandboxName.end()) { outs() << INDENT_1 << "*** Error: Function " << annotatedFunc->getName() << " is already an entrypoint for another sandbox\n"; } else { funcToSandboxName[annotatedFunc] = sandboxName; sandboxNameToEntryPoints[sandboxName].insert(annotatedFunc); } } else if (sboxPerfRegex->match(annotationStrArrayCString, &matches)) { int overhead; outs() << INDENT_2 << "Threshold set to " << matches[1].str() << "%\n"; matches[1].getAsInteger(0, overhead); funcToOverhead[annotatedFunc] = overhead; } else if (annotationStrArrayCString.startswith(CLEARANCE)) { StringRef className = annotationStrArrayCString.substr(strlen(CLEARANCE)+1); outs() << INDENT_2 << "Sandbox has clearance for \"" << className << "\"\n"; ClassifiedUtils::assignBitIdxToClassName(className); funcToClearances[annotatedFunc] |= (1 << ClassifiedUtils::getBitIdxFromClassName(className)); } } } } // TODO: sanity check overhead and clearance annotations // Combine all annotation information for function-level sandboxes to create Sandbox instances for (pair<string,FunctionSet> p : sandboxNameToEntryPoints) { string sandboxName = p.first; FunctionSet entryPoints = p.second; int idx = assignBitIdxToSandboxName(sandboxName); int overhead = 0; int clearances = 0; bool persistent = find(ephemeralSandboxes.begin(), ephemeralSandboxes.end(), sandboxName) == ephemeralSandboxes.end(); // set overhead and clearances; any of the entry points could be annotated for (Function* entryPoint : entryPoints) { if (funcToOverhead.find(entryPoint) != funcToOverhead.end()) { overhead = funcToOverhead[entryPoint]; } if (funcToClearances.find(entryPoint) != funcToClearances.end()) { clearances = funcToClearances[entryPoint]; } } SDEBUG("soaap.util.sandbox", 3, dbgs() << INDENT_2 << "Creating new Sandbox instance for " << sandboxName << "\n"); sandboxes.push_back(new Sandbox(sandboxName, idx, entryPoints, persistent, M, overhead, clearances)); SDEBUG("soaap.util.sandbox", 3, dbgs() << INDENT_2 << "Created new Sandbox instance\n"); } /* for (map<Function*,string>::iterator I=funcToSandboxName.begin(), E=funcToSandboxName.end(); I!=E; I++) { Function* entryPoint = I->first; string sandboxName = I->second; int idx = assignBitIdxToSandboxName(sandboxName); int overhead = funcToOverhead[entryPoint]; int clearances = funcToClearances[entryPoint]; bool persistent = find(ephemeralSandboxes.begin(), ephemeralSandboxes.end(), entryPoint) == ephemeralSandboxes.end(); SDEBUG("soaap.util.sandbox", 3, dbgs() << INDENT_2 << "Creating new Sandbox instance\n"); sandboxes.push_back(new Sandbox(sandboxName, idx, entryPoint, persistent, M, overhead, clearances)); SDEBUG("soaap.util.sandbox", 3, dbgs() << INDENT_2 << "Created new Sandbox instance\n"); } */ // Handle sandboxed code regions, i.e. start_sandboxed_code(N) and end_sandboxed_code(N) blocks if (Function* SboxStart = M.getFunction("llvm.annotation.i32")) { for (User* U : SboxStart->users()) { if (IntrinsicInst* annotCall = dyn_cast<IntrinsicInst>(U)) { GlobalVariable* annotationStrVar = dyn_cast<GlobalVariable>(annotCall->getOperand(1)->stripPointerCasts()); ConstantDataArray* annotationStrValArray = dyn_cast<ConstantDataArray>(annotationStrVar->getInitializer()); StringRef annotationStrValCString = annotationStrValArray->getAsCString(); if (annotationStrValCString.startswith(SOAAP_SANDBOX_REGION_START)) { StringRef sandboxName = annotationStrValCString.substr(strlen(SOAAP_SANDBOX_REGION_START)+1); //+1 because of _ SDEBUG("soaap.util.sandbox", 3, dbgs() << INDENT_3 << "Found start of sandboxed code region: "; annotCall->dump();); InstVector sandboxedInsts; findAllSandboxedInstructions(annotCall, sandboxName, sandboxedInsts); int idx = assignBitIdxToSandboxName(sandboxName); sandboxes.push_back(new Sandbox(sandboxName, idx, sandboxedInsts, false, M)); //TODO: obtain persistent/ephemeral information in a better way (currently we obtain it from the creation point) } }
void PrivilegedCallAnalysis::doAnalysis(Module& M, SandboxVector& sandboxes) { // first find all methods annotated as being privileged and then check calls within sandboxes if (GlobalVariable* lga = M.getNamedGlobal("llvm.global.annotations")) { ConstantArray* lgaArray = dyn_cast<ConstantArray>(lga->getInitializer()->stripPointerCasts()); for (User::op_iterator i=lgaArray->op_begin(), e = lgaArray->op_end(); e!=i; i++) { ConstantStruct* lgaArrayElement = dyn_cast<ConstantStruct>(i->get()); // get the annotation value first GlobalVariable* annotationStrVar = dyn_cast<GlobalVariable>(lgaArrayElement->getOperand(1)->stripPointerCasts()); ConstantDataArray* annotationStrArray = dyn_cast<ConstantDataArray>(annotationStrVar->getInitializer()); StringRef annotationStrArrayCString = annotationStrArray->getAsCString(); GlobalValue* annotatedVal = dyn_cast<GlobalValue>(lgaArrayElement->getOperand(0)->stripPointerCasts()); if (isa<Function>(annotatedVal)) { Function* annotatedFunc = dyn_cast<Function>(annotatedVal); if (annotationStrArrayCString == SOAAP_PRIVILEGED) { outs() << " Found function: " << annotatedFunc->getName() << "\n"; privAnnotFuncs.push_back(annotatedFunc); } } } } // now check calls within sandboxes for (Function* privilegedFunc : privAnnotFuncs) { for (User* U : privilegedFunc->users()) { if (CallInst* C = dyn_cast<CallInst>(U)) { Function* enclosingFunc = C->getParent()->getParent(); for (Sandbox* S : sandboxes) { if (!S->hasCallgate(privilegedFunc) && S->containsFunction(enclosingFunc)) { outs() << " *** Sandbox \"" << S->getName() << "\" calls privileged function \"" << privilegedFunc->getName() << "\" that they are not allowed to. If intended, annotate this permission using the __soaap_callgates annotation.\n"; if (MDNode *N = C->getMetadata("dbg")) { // Here I is an LLVM instruction DILocation Loc(N); // DILocation is in DebugInfo.h unsigned Line = Loc.getLineNumber(); StringRef File = Loc.getFilename(); outs() << " +++ Line " << Line << " of file " << File << "\n"; } } } } } } /* for (Sandbox* S : sandboxes) { FunctionVector callgates = S->getCallgates(); for (Function* F : S->getFunctions()) { for (BasicBlock& BB : F->getBasicBlockList()) { for (Instruction& I : BB.getInstList()) { if (CallInst* C = dyn_cast<CallInst>(&I)) { if (Function* Target = C->getCalledFunction()) { if (find(privAnnotFuncs.begin(), privAnnotFuncs.end(), Target) != privAnnotFuncs.end()) { // check if this sandbox is allowed to call the privileged function DEBUG(dbgs() << " Found privileged call: "); DEBUG(C->dump()); if (find(callgates.begin(), callgates.end(), Target) == callgates.end()) { outs() << " *** Sandbox \"" << S->getName() << "\" calls privileged function \"" << Target->getName() << "\" that they are not allowed to. If intended, annotate this permission using the __soaap_callgates annotation.\n"; if (MDNode *N = C->getMetadata("dbg")) { // Here I is an LLVM instruction DILocation Loc(N); // DILocation is in DebugInfo.h unsigned Line = Loc.getLineNumber(); StringRef File = Loc.getFilename(); outs() << " +++ Line " << Line << " of file " << File << "\n"; } } } } } } } } } */ }