RFR: 8264130: PAC-RET protection for Linux/AArch64 [v2]
Andrew Dinn
adinn at openjdk.java.net
Thu Nov 11 14:46:43 UTC 2021
On Thu, 11 Nov 2021 14:20:20 GMT, Florian Weimer <fweimer at openjdk.org> wrote:
>> Alan Hayward has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Simplify branch protection configure check
>
> src/hotspot/cpu/aarch64/globals_aarch64.hpp line 115:
>
>> 113: range(-1, 4096) \
>> 114: product(bool, UseROPProtection, false, \
>> 115: "Use ROP based branch protection") \
>
> The description is not correct. It's protection against certain ROP-based attack techniques.
I don't agree that this is incorrect, at least not for the stated reason. The flag switches on a protection mechanism that guards against ROP attacks. To my reading that does not imply it guards against all such attacks, merely that this is the nature of the protection it offers.
The description might still be considered incorrect for an unrelated reason. Its use of the adjectival phrase ROP based constitutes a transferred epithet, conflating the symptom with the medicine. In other words, the protection offered is not ROP based i.e. does not rely on an ROP technique. What it does is protect against ROP attacks. So, I'd suggest rewording to
"Enable protection of branches against ROP attacks".
Florian, if you want to argue for rewording that to "Enable protection of branches against some categories of ROP attacks" or some other equivalently qualified variant please feel free to make a case. However, I don't think see any need to add that rider, nor any precedent in any of the other short descriptions provided in globals.hpp.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6334
More information about the build-dev
mailing list