Tags: security, compilation, llvm

Can I deliberately compile nondeterministically?


Address space layout randomization is a decently effective method for defeating exploits against a binary, in that the exploit has to successfully locate the memory addresses it wishes to attack first and can't rely on them being constant. I'm interested in the possibility of taking this further and introducing randomness into the compilation process to change compile-level implementation details, such as putting variables in different registers or in a different order in the stack frame, or doing LLVM passes in a different order to cause functions and constexprs to inline differently, or perhaps even introduce a 1-in-1000 bounds or null check that would otherwise be excluded from a fully optimized build. A different build could be created per user, such that all of my users get their own binary that adheres to the source code but has different side channels and UB, thus highly limiting the effectiveness of any attacks that rely on those things.

Is there any major build toolchain/language that can be configured to do this? If not, is there a way I could simulate something like this in my source code?

(I would also welcome a frame challenge to this idea. For instance, I acknowledge that having a fully reproducible build might be more valuable than anything I might get from giving every user a personalized build. However, I also feel that this idea could be useful in testing, such that devs can be confident that it's their source code, and not the specific version of the compiler they're using, that determines the software's correctness.)


Solution

  • As was mentioned in the comments, it is indeed possible, but the downsides greatly outweigh the benefits:

    To sum up: this security measure is a good example of so-called security theater: it will not provide additional security in most cases, but it will greatly complicate a lot of things.
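The question asks how per-build diversification could be simulated in the source, and the answer confirms it is possible. The following is an added example written for this page, not code from the question, the answer, or any toolchain. It assumes a seed is supplied on the compiler command line (for instance `cc -std=c11 -O2 -DBUILD_SEED=0x1234 diversify.c`) and that each user's package comes from its own build with a different seed; the macro names, the hash constants and the 1-in-8 ratio are my choices. What the program computes is identical across seeds; only the stack-frame spacing of locals and the set of sites carrying an extra check vary.

```c
/* diversify.c - added example: seed-driven build diversification in source.
 * Assumptions (not from the page): the seed arrives as -DBUILD_SEED=...;
 * every user gets a separate build with a different seed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef BUILD_SEED
#define BUILD_SEED 0x5EEDu  /* fallback so the file also compiles without -D */
#endif

/* Per-site constant derived from the seed and a per-site salt. With a literal
 * salt every operand is a constant, so the optimizer folds it and the result
 * can size arrays. Different seeds give different values; different salts
 * give different values within one build. */
#define SITE_HASH(salt) \
    ((uint32_t)((((BUILD_SEED) ^ ((salt) * 0x9E3779B9u)) * 0x85EBCA6Bu) >> 7))

/* Number of padding words (1..4) placed at a site. */
#define PAD_WORDS(salt) (1u + (SITE_HASH(salt) % 4u))

/* Declares a volatile padding array between two locals so their distance in
 * the frame depends on the seed. volatile stops the optimizer removing it. */
#define STACK_PAD(salt) \
    volatile uintptr_t pad_##salt[PAD_WORDS(salt)]; \
    pad_##salt[0] = 0

/* "1-in-N" site selection: true only in builds whose seed picks this site.
 * Used as a constant condition, so -O2 folds the branch in or out. */
#define SITE_SELECTED(salt, n) ((SITE_HASH(salt) % (n)) == 0)

#define FIELD_LEN 16

/* The seed baked into this binary, so crash reports can say which variant
 * a user runs (every user having a different binary complicates triage). */
uint32_t build_seed(void) { return (uint32_t)BUILD_SEED; }

/* Runtime views of the per-site constants, for reporting and for tests. */
uint32_t site_pad_words(uint32_t salt) { return PAD_WORDS(salt); }
int site_selected(uint32_t salt, uint32_t n) { return SITE_SELECTED(salt, n); }

/* Distance in bytes between two locals separated by seed-dependent padding.
 * It changes between builds made with different seeds (subject to the
 * compiler's own frame layout decisions), which is the "different order in
 * the stack frame" effect the question describes. Never zero, since a and c
 * are distinct objects. */
ptrdiff_t frame_distance(void)
{
    volatile char a = 'a';
    STACK_PAD(1);
    volatile char b = 'b';
    STACK_PAD(2);
    volatile char c = 'c';
    (void)a; (void)b;
    return (ptrdiff_t)((uintptr_t)&c - (uintptr_t)&a);
}

/* Copies src into a fixed-size record field. The length clamp is the real
 * protection and exists in every build. The NULL check is the "1-in-N" idea:
 * compiled in for roughly one seed in eight, folded out otherwise, so an
 * attacker cannot assume it is (or is not) present. Returns bytes copied,
 * or -1 when the optional check rejects the call. */
int copy_field(char dst[FIELD_LEN], const char *src, size_t src_len)
{
    size_t n = src_len < FIELD_LEN ? src_len : FIELD_LEN;  /* always clamped */
    if (SITE_SELECTED(3, 8)) {          /* constant per build */
        if (src == NULL) return -1;     /* present in 1-in-8 builds only */
    }
    memcpy(dst, src, n);
    return (int)n;
}

/* Self-check on constructed input: an over-long source must be truncated to
 * FIELD_LEN bytes and a short one copied whole. Returns 1 on success. */
int copy_field_selftest(void)
{
    char rec[FIELD_LEN];
    const char *longer = "0123456789ABCDEFGHIJ";  /* 20 bytes, constructed */
    if (copy_field(rec, longer, strlen(longer)) != FIELD_LEN) return 0;
    if (memcmp(rec, longer, FIELD_LEN) != 0) return 0;
    if (copy_field(rec, "abc", 3) != 3) return 0;
    return memcmp(rec, "abc", 3) == 0;
}

int main(void)
{
    printf("build seed       : 0x%08x\n", build_seed());
    printf("pad words @1, @2 : %u, %u\n", site_pad_words(1), site_pad_words(2));
    printf("frame distance   : %td bytes\n", frame_distance());
    printf("NULL check @3    : %s\n", site_selected(3, 8) ? "compiled in" : "absent");
    printf("copy self-test   : %s\n", copy_field_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Building this twice with different `-DBUILD_SEED` values gives two binaries that behave identically on valid input but differ in frame spacing and in which sites carry the optional check. Two caveats a practitioner should keep in mind: a check that exists in only some builds protects only those builds, so the unconditional length clamp is what actually bounds the copy; and because every user now runs a distinct binary, `build_seed()` (or an equivalent recorded at build time) has to travel with crash reports and be mapped back to the exact build, or debugging and reproducible-build verification become the "greatly complicated" things the answer warns about.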