Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cpu-features: Ignore CET SS unless actively used #804

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

cpu-features: Ignore CET SS unless actively used #804

wants to merge 2 commits into from

Conversation

yjugl
Copy link
Contributor

@yjugl yjugl commented Jun 9, 2024

Since #791 we are ensuring a proper call-ret discipline in the x86 interceptor, if we detect that the CPU is compatible with Intel CET shadow stacks. As discussed in #791, this has an unnecessary performance cost if the mitigation is not used by the current process. This extra patch thus ignores CET shadow stacks compatibility on Windows if we detect that the current process is not using the mitigation. It might be cleaner to move this code outside gum_do_query_cpu_features, but putting it there makes the patch very simple and atomic.

@yjugl yjugl force-pushed the cpu-features-ignore-inactive-cet-ss branch from f670c75 to c0ffb99 Compare June 9, 2024 14:58
@yjugl yjugl force-pushed the cpu-features-ignore-inactive-cet-ss branch from c0ffb99 to 38418b0 Compare June 10, 2024 08:33
@yjugl
Copy link
Contributor Author

yjugl commented Jun 10, 2024
edited
Loading

MinGW builds are failing not finding ProcessUserShadowStackPolicy and PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY, although these two symbols were pushed to mingw-w64 in July 2021 (integration, original message). Could it be that the CI is using an outdated version of mingw-w64? Do you have control over that?

oleavr
oleavr requested changes Jul 3, 2024
View reviewed changes
Copy link
Member

@oleavr oleavr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!! (And apologies for the delay.)

We are in control of the MinGW bits, though we're currently piggybacking on the pre-installed components on GitHub's runners to speed up CI, but we could always have it update the components as an up-front step.

However, we still want to retain support for XP -- due to users reversing software on legacy systems -- so we should resolve the function dynamically to retain backwards compatibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oleavr oleavr oleavr requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yjugl @oleavr