llvm dev - Oct 2015 - how to monitor read operation to special memory blocks?

In LLVM, is there any way to monitor read operation to some special blocks?
For example, I have a memory block from A1 to A2 to protect. Any read
operation to the address between A1 and A2 will be caught.
And I can return other values, not true values to them or just report
errors about this read operation.

    - mudongliang

On 13 October 2015 at 01:28, 慕冬亮 via llvm-dev <llvm-dev at lists.llvm.org>
wrote:
> In LLVM, is there any way to monitor read operation to some special blocks?
> For example, I have a memory block from A1 to A2 to protect. Any read
> operation to the address between A1 and A2 will be caught.
You could write a pass that instruments any LLVM IR to check the
address of any operation that's going to load and change the behaviour
(much like Clang's sanitizers, but on existing IR rather than when
creating it). E.g. rewrite

    %val = load i32* %addr

to

   %val = call i32 @checked_load_i32(i32* %addr)

where you write an appropriate "checked_load_i32" function to do what
you want. You'll obviously have to handle other types (maybe by always
loading to an iN and then bitcasting the result), and intrinsics like
@llvm.memcpy.

But if you also want to check library calls, you'll have to recompile
those libraries with this pass too, which may or may not be easy.
You'd also miss inline assembly, and loads inserted by the compiler
(possibly to materialize constants, or virtually anything that
implicitly happens to the stack like
spills/function-prologues/epilogues).

To get 100% coverage, either a VM (possibly like valgrind) or a
friendly OS-kernel is probably the only option.

Cheers.

Tim.

2015-10-14 0:20 GMT+08:00 Tim Northover <t.p.northover at
gmail.com>:
> On 13 October 2015 at 01:28, 慕冬亮 via llvm-dev <llvm-dev at
lists.llvm.org> wrote:
>> In LLVM, is there any way to monitor read operation to some special
blocks?
>> For example, I have a memory block from A1 to A2 to protect. Any read
>> operation to the address between A1 and A2 will be caught.
>
> You could write a pass that instruments any LLVM IR to check the
> address of any operation that's going to load and change the behaviour
> (much like Clang's sanitizers, but on existing IR rather than when
> creating it). E.g. rewrite
I will see source code of Clang's sanitizers.
>
>     %val = load i32* %addr
>
> to
>
>    %val = call i32 @checked_load_i32(i32* %addr)
>
> where you write an appropriate "checked_load_i32" function to do
what
> you want. You'll obviously have to handle other types (maybe by always
> loading to an iN and then bitcasting the result), and intrinsics like
> @llvm.memcpy.
Is there any possibility that this method may be bypassed without
injecting other code?
>
> But if you also want to check library calls, you'll have to recompile
> those libraries with this pass too, which may or may not be easy.
> You'd also miss inline assembly, and loads inserted by the compiler
> (possibly to materialize constants, or virtually anything that
> implicitly happens to the stack like
> spills/function-prologues/epilogues).
>
> To get 100% coverage, either a VM (possibly like valgrind) or a
> friendly OS-kernel is probably the only option.
Yes, this is the final method, but the overhead is too high.
I can't sacrifice my protections for a memory block with such a high
overhead.
>
> Cheers.
>
> Tim.