llvm/tools/llvm-cfi-verify/llvm-cfi-verify.cpp

//===-- llvm-cfi-verify.cpp - CFI Verification tool for LLVM --------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This tool verifies Control Flow Integrity (CFI) instrumentation by static
// binary anaylsis. See the design document in /docs/CFIVerify.rst for more
// information.
//
// This tool is currently incomplete. It currently only does disassembly for
// object files, and searches through the code for indirect control flow
// instructions, printing them once found.
//
//===----------------------------------------------------------------------===//

#include "lib/FileAnalysis.h"

#include "llvm/BinaryFormat/ELF.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Error.h"
#include "llvm/Support/FormatVariadic.h"

#include <cstdlib>

using namespace llvm;
using namespace llvm::object;
using namespace llvm::cfi_verify;

cl::opt<std::string> InputFilename(cl::Positional, cl::desc("<input file>"),
                                   cl::Required);

ExitOnError ExitOnErr;

void printIndirectCFInstructions(FileAnalysis &Analysis) {
  uint64_t ProtectedCount = 0;
  uint64_t UnprotectedCount = 0;

  for (uint64_t Address : Analysis.getIndirectInstructions()) {
    const auto &InstrMeta = Analysis.getInstructionOrDie(Address);

    if (Analysis.isIndirectInstructionCFIProtected(Address)) {
      outs() << "P ";
      ProtectedCount++;
    } else {
      outs() << "U ";
      UnprotectedCount++;
    }

    outs() << format_hex(Address, 2) << " | "
           << Analysis.getMCInstrInfo()->getName(
                  InstrMeta.Instruction.getOpcode())
           << " ";
    outs() << "\n";

    if (Analysis.hasLineTableInfo()) {
      for (const auto &LineKV : Analysis.getLineInfoForAddressRange(Address)) {
        outs() << "  " << format_hex(LineKV.first, 2) << " = "
               << LineKV.second.FileName << ":" << LineKV.second.Line << ":"
               << LineKV.second.Column << " (" << LineKV.second.FunctionName
               << ")\n";
      }
    }
  }

  if (ProtectedCount || UnprotectedCount)
    outs() << formatv(
        "Unprotected: {0} ({1:P}), Protected: {2} ({3:P})\n", UnprotectedCount,
        (((double)UnprotectedCount) / (UnprotectedCount + ProtectedCount)),
        ProtectedCount,
        (((double)ProtectedCount) / (UnprotectedCount + ProtectedCount)));
  else
    outs() << "No indirect CF instructions found.\n";
}

int main(int argc, char **argv) {
  cl::ParseCommandLineOptions(
      argc, argv,
      "Identifies whether Control Flow Integrity protects all indirect control "
      "flow instructions in the provided object file, DSO or binary.\nNote: "
      "Anything statically linked into the provided file *must* be compiled "
      "with '-g'. This can be relaxed through the '--ignore-dwarf' flag.");

  InitializeAllTargetInfos();
  InitializeAllTargetMCs();
  InitializeAllAsmParsers();
  InitializeAllDisassemblers();

  FileAnalysis Analysis = ExitOnErr(FileAnalysis::Create(InputFilename));
  printIndirectCFInstructions(Analysis);

  return EXIT_SUCCESS;
}