llvm-security

This skill covers LLVM-based security features, sanitizers, hardening mechanisms, and secure software development practices.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "llvm-security" with this command: npx skills add gmh5225/awesome-llvm-security/gmh5225-awesome-llvm-security-llvm-security

LLVM Security Skill

This skill covers LLVM-based security features, sanitizers, hardening mechanisms, and secure software development practices.

Sanitizers

AddressSanitizer (ASan)

Detects memory errors: buffer overflow, use-after-free, use-after-scope.

Compile with ASan

clang -fsanitize=address -g program.c -o program

Key features

- Stack buffer overflow detection

- Heap buffer overflow detection

- Use-after-free detection

- Memory leak detection

MemorySanitizer (MSan)

Detects uninitialized memory reads.

clang -fsanitize=memory -g program.c -o program

ThreadSanitizer (TSan)

Detects data races in multithreaded programs.

clang -fsanitize=thread -g program.c -o program

UndefinedBehaviorSanitizer (UBSan)

Detects undefined behavior at runtime.

clang -fsanitize=undefined -g program.c -o program

Specific checks

clang -fsanitize=signed-integer-overflow,null program.c

Custom Sanitizer Development

// Implementing custom memory tracking extern "C" void __asan_poison_memory_region(void const volatile *addr, size_t size); extern "C" void __asan_unpoison_memory_region(void const volatile *addr, size_t size);

class SecureAllocator { public: void* allocate(size_t size) { // Add red zones around allocation void* ptr = malloc(size + 2 * REDZONE_SIZE); __asan_poison_memory_region(ptr, REDZONE_SIZE); __asan_poison_memory_region((char*)ptr + REDZONE_SIZE + size, REDZONE_SIZE); return (char*)ptr + REDZONE_SIZE; } };

Hardening Techniques

Stack Protection

Stack canaries

clang -fstack-protector-strong program.c

Stack clash protection

clang -fstack-clash-protection program.c

Safe stack (separate stacks for safe/unsafe data)

clang -fsanitize=safe-stack program.c

Control Flow Integrity (CFI)

Forward-edge CFI

clang -fsanitize=cfi -flto program.c

Specific CFI schemes

clang -fsanitize=cfi-vcall # Virtual call checks clang -fsanitize=cfi-nvcall # Non-virtual member call checks clang -fsanitize=cfi-icall # Indirect call checks

Shadow Call Stack

Backward-edge protection (return address protection)

clang -fsanitize=shadow-call-stack program.c

Position Independent Executables

Full ASLR support

clang -fPIE -pie program.c

Position independent code for shared libraries

clang -fPIC -shared library.c -o library.so

Symbolic Execution

Integration with KLEE

// Mark symbolic inputs #include <klee/klee.h>

int main() { int input; klee_make_symbolic(&input, sizeof(input), "input");

if (input > 0) {
    // Path 1
} else {
    // Path 2
}
return 0;

}

SymCC (Symbolic Execution via Compilation)

Compile-time instrumentation for symbolic execution:

  • Faster than IR interpretation

  • Supports complex real-world programs

  • Integrates with fuzzing workflows

Symbolic Analysis Tools

  • Caffeine: LLVM-based symbolic executor

  • SymSan: Symbolic execution + sanitizers

  • Haybale: Rust-based LLVM symbolic executor

Security-Focused Analysis

Type Checking at Runtime

// LLVM TypeSanitizer concepts // Track type information through allocations struct TypeInfo { const char* typeName; size_t typeSize; uint64_t typeHash; };

void checkType(void* ptr, TypeInfo expected) { TypeInfo* actual = getTypeInfo(ptr); if (actual->typeHash != expected.typeHash) { reportTypeMismatch(ptr, actual, expected); } }

Memory Leak Detection

// LeakSanitizer integration extern "C" void __lsan_do_leak_check(); extern "C" void __lsan_disable(); extern "C" void __lsan_enable();

// Custom leak tracking class PreciseLeakSanitizer { std::unordered_map<void*, AllocationInfo> allocations;

public: void recordAlloc(void* ptr, size_t size, const char* file, int line) { allocations[ptr] = {size, file, line, getStackTrace()}; }

void recordFree(void* ptr) {
    allocations.erase(ptr);
}

void reportLeaks() {
    for (auto&#x26; [ptr, info] : allocations) {
        fprintf(stderr, "Leak: %zu bytes at %s:%d\n", 
                info.size, info.file, info.line);
    }
}

};

Exploit Mitigation Implementation

Return Address Protection

; Shadow stack concept in LLVM IR define void @protected_function() { entry: %return_addr = call ptr @llvm.returnaddress(i32 0) call void @shadow_stack_push(ptr %return_addr)

; Function body...

%saved_addr = call ptr @shadow_stack_pop()
%current_addr = call ptr @llvm.returnaddress(i32 0)
%match = icmp eq ptr %saved_addr, %current_addr
br i1 %match, label %safe_return, label %attack_detected

safe_return: ret void

attack_detected: call void @abort() unreachable }

Pointer Authentication (ARM)

// Using pointer authentication on ARM64 attribute((target("sign-return-address"))) void signed_function() { // Return address is cryptographically signed }

Secure Compilation Pipeline

Build Flags Checklist

Comprehensive hardening

CFLAGS="-O2
-fstack-protector-strong
-fstack-clash-protection
-fcf-protection=full
-fPIE
-D_FORTIFY_SOURCE=2
-Wformat -Wformat-security
-fsanitize=cfi -flto"

LDFLAGS="-pie
-Wl,-z,relro
-Wl,-z,now
-Wl,-z,noexecstack"

Compiler Security Checks

  • -Wformat-security : Format string vulnerabilities

  • -Warray-bounds : Array bounds violations

  • -Wshift-overflow : Shift operation overflows

  • -Wnull-dereference : Null pointer dereferences

Fuzzing Integration

libFuzzer

// Fuzz target template extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { // Parse/process Data processInput(Data, Size); return 0; }

Sanitizer + Fuzzer Combination

Comprehensive fuzzing setup

clang -fsanitize=fuzzer,address,undefined
-fno-omit-frame-pointer
-g fuzz_target.c -o fuzzer

Windows-Specific Security

Control Flow Guard (CFG)

clang-cl /guard:cf program.c

SEH (Structured Exception Handling)

  • LLVM supports Windows SEH

  • Use for secure exception handling

  • Integrate with security monitoring

Resources

See Security Features, Sanitizer, and Symbolic Execution sections in README.md for comprehensive tool listings.

Getting Detailed Information

When you need detailed and up-to-date resource links, tool lists, or project references, fetch the latest data from:

https://raw.githubusercontent.com/gmh5225/awesome-llvm-security/refs/heads/main/README.md

This README contains comprehensive curated lists of:

  • Security features and hardening (Security Features section)

  • Sanitizers and memory safety tools (Sanitizer section)

  • Symbolic execution frameworks (Symbolic Execution section)

  • Memory leak detectors and runtime checkers

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

compiler-development

No summary provided by upstream source.

Repository SourceNeeds Review
-26
gmh5225
Security

llvm-optimization

No summary provided by upstream source.

Repository SourceNeeds Review
-25
gmh5225
Security

llvm-obfuscation

No summary provided by upstream source.

Repository SourceNeeds Review
-23
gmh5225