This repository contains some of the passes implementing LLSCT, but not all. The rest of LLSCT is implemented here: llsct-llvm.
bench/additional-baselines.md contains the full results including the additional baseline mitigations based on BladeSLH and UltimateSLH, which we did not have space to include in the paper.
LLSCT is only supported for Linux (but may run on Intel-based Macs with some tweaks).
Requires gcc-12 (for C++20 features).
LLSCT currently requires the following dependencies:
- gperftools
- libunwind
- CMake (version >= 3.25)
- Ninja
- Python3
- Python packages: pandas, seaborn
- GCC 12

You can install all of these using Homebrew.
Here's how to install LLSCT's dependencies using Homebrew.
brew install gperftools libunwind cmake ninja python3 gcc binutils glibc
pip3 install pandas seaborn
export LD_LIBRARY_PATH="$(brew --prefix gcc)/lib/gcc/current:$LD_LIBRARY_PATH"
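A preflight check for the requirements listed above, as an added example that is not part of the LLSCT repository. The function names are hypothetical, and the library check assumes gperftools and libunwind were installed with Homebrew as shown.

```shell
#!/bin/sh
# Added example: preflight check for the requirements listed in this README.
# Function names are hypothetical; nothing here comes from the LLSCT repository.

# version_ge A B: succeed if dotted version A >= B, compared field by field.
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# first_version: print the first dotted version number found on stdin.
first_version() { grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1; }

# llsct_preflight: report every unmet requirement; succeed only if none.
llsct_preflight() {
    bad=0
    for tool in g++-12 cmake ninja python3; do
        command -v "$tool" >/dev/null || { echo "missing tool: $tool"; bad=1; }
    done
    if command -v cmake >/dev/null; then
        v=$(cmake --version | first_version)
        version_ge "$v" 3.25 || { echo "cmake $v is older than 3.25"; bad=1; }
    fi
    if command -v python3 >/dev/null; then
        for mod in pandas seaborn; do
            python3 -c "import $mod" 2>/dev/null ||
                { echo "missing Python package: $mod"; bad=1; }
        done
    fi
    # Assumption: libraries were installed with Homebrew, as shown above.
    if command -v brew >/dev/null; then
        for pkg in gperftools libunwind; do
            brew list --versions "$pkg" >/dev/null 2>&1 ||
                { echo "missing Homebrew package: $pkg"; bad=1; }
        done
    fi
    [ "$bad" -eq 0 ]
}

# Run the check only when invoked as: sh preflight.sh check
[ "${1:-}" != "check" ] || llsct_preflight
```

Saved as `preflight.sh` (a name chosen here), `sh preflight.sh check` exits non-zero and lists each unmet requirement.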
To build LLSCT, you will need to clone two repositories: llsct-llvm and llsct-passes (this repository). First, clone and build llsct-llvm:
git clone https://github.com/nmosier/clouxx-llvm --depth=1 llsct-llvm
mkdir llsct-llvm/build && cd llsct-llvm/build
cmake -G Ninja -DCMAKE_CXX_STANDARD=20 -DCMAKE_CXX_COMPILER=g++-12 -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=../install -DLLVM_ENABLE_ASSERTIONS=On -DLLVM_ENABLE_PROJECTS='clang;lld' -DLLVM_TARGETS_TO_BUILD='X86' ../llvm
ninja
ninja install
cd ../..
Now, clone and configure llsct-passes:
git clone https://github.com/nmosier/clouxx-passes llsct-passes
mkdir llsct-passes/build && cd llsct-passes/build
cmake -G Ninja -DCMAKE_CXX_COMPILER=g++-12 -DCMAKE_BUILD_TYPE=RelWithDebInfo -DLLSCT_LLVM_DIR=$PWD/../../llsct-llvm/install -DLLSCT_REQUIRE_CET=Off ..
ninja src/all
The last command builds all of LLSCT's IR passes.
The -DLLSCT_ENABLE_CET=Off flag disables runtime Intel CET enforcement if your Linux distribution doesn't support userspace CET (at the time of writing, none of them do).
To build all the benchmark programs so that you can run them as standalone programs, build the raw_compile target:
ninja raw_compile
All the test binaries will have filenames matching bench-new/raw_<project>_<name>_<size>_<mitigation>.
To run the benchmark to obtain a graph of runtime overhead:
ninja time_compile clean_bench && ninja -j1 time_pdf
and a PDF of the overhead plot will be written to bench-new/time.pdf.
sudo cpupower frequency-set --governor performance
If you use LLSCT in your work, we would appreciate it if you cite our paper (bibtex):
N. Mosier, H. Nemati, J. Mitchell, C. Trippel, "Serberus: Protecting Cryptographic Code from Spectres at Compile-Time," 2024 IEEE Symposium on Security and Privacy (S&P), 2024.