From: "\"Tóth Attila\"" <atoth@atoth.sote.hu>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection
Date: Sun, 24 Feb 2019 16:16:57 +0100 [thread overview]
Message-ID: <8dfc7b7cdc607e3ecfc1d2a659d38fc5.squirrel@atoth.sote.hu> (raw)
In-Reply-To: <1BBB11BB-9E55-4A3E-901D-EF4E9936CFE4@gcs-ventures.com>
Dear Guillaume,
I'm not a Gentoo Dev either.
If there's a place to promote useful gcc flags from their security aspect,
Gentoo Hardened is a good place to become a leader of such efforts - like
it happened in the past.
1. Regarding fcf-protection:
"Currently the x86 GNU/Linux target provides an implementation based on
Intel Control-flow Enforcement Technology (CET)."
- anybody knows which Intel processor actually supports that since its
announcement in 2016?
- also it worth to take a look at on these comments by Spender @ grsecurity:
https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks.php
It would be good if hardware developers would discuss their plans with
more security experts before they put something into production.
2. Regarding stack-clash
"Most targets do not fully support stack clash protection."
- some information would be helpful to elaborate a little bit more on "not
fully" and exactly which targets we are talking about. Anybody has a more
detailed documentation?
Best regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
2019.Február 24.(V) 14:27 időpontban Guillaume Ceccarelli ezt írta:
> Hello gentoo-hardened,
>
> I just looked into the release notes for the recently-released GCC 8.3.0
> present in ~arch, and two items grabbed my attention:
> 1. The addition of a -fcf-protection=[full|branch|return|none] flag to
> help with control flow integrity
> 2. The addition of -fstack-clash-protection to help protect against Stack
> Clash attacks
>
> At some point in the past, gentoo-hardened pioneered the use of
> -fstack-protector by default in its hardened profiles, amongst other
> things listed here : https://wiki.gentoo.org/wiki/Hardened/Toolchain
>
> I was wondering what this list thought of the new CFI and Stack Clash GCC
> options, if it’d be worth looking into working with them in the context of
> the Gentoo Hardened project, and perhaps in the future, integrating them
> into gentoo-hardened if they turn out to prove valuable?
>
> I’m no Gentoo Developer, but I have been using hardened gentoo on
> production systems for a while and so I’m wondering: how do we go about
> this?
>
> Best regards,
>
> – Guillaume Ceccarelli
>
next prev parent reply other threads:[~2019-02-24 15:17 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-24 13:27 [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection Guillaume Ceccarelli
2019-02-24 15:16 ` "Tóth Attila" [this message]
2019-02-24 18:18 ` Javier Juan Martinez Cabezon
2019-02-24 18:56 ` "Tóth Attila"
2019-02-24 19:11 ` Guillaume Ceccarelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8dfc7b7cdc607e3ecfc1d2a659d38fc5.squirrel@atoth.sote.hu \
--to=atoth@atoth.sote.hu \
--cc=gentoo-hardened@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox