Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection
Date: Sun, 24 Feb 2019 15:17:09
Message-Id: 8dfc7b7cdc607e3ecfc1d2a659d38fc5.squirrel@atoth.sote.hu
In Reply to: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection by Guillaume Ceccarelli
Dear Guillaume,

I'm not a Gentoo Dev either.

If there's a place to promote useful gcc flags from their security aspect,
Gentoo Hardened is a good place to become a leader of such efforts, as
happened in the past.

1. Regarding fcf-protection:
"Currently the x86 GNU/Linux target provides an implementation based on
Intel Control-flow Enforcement Technology (CET)."
- does anybody know which Intel processor actually supports that since its
announcement in 2016?
- it is also worth taking a look at these comments by Spender @ grsecurity:
https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks.php
It would be good if hardware developers discussed their plans with
more security experts before they put something into production.

2. Regarding stack-clash:
"Most targets do not fully support stack clash protection."
- some information would be helpful to elaborate a little bit more on "not
fully" and exactly which targets we are talking about. Does anybody have more
detailed documentation?

Best regards:
Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2019 February 24 (Sun) 14:27, Guillaume Ceccarelli wrote:
> Hello gentoo-hardened,
>
> I just looked into the release notes for the recently-released GCC 8.3.0
> present in ~arch, and two items grabbed my attention:
> 1. The addition of a -fcf-protection=[full|branch|return|none] flag to
> help with control flow integrity
> 2. The addition of -fstack-clash-protection to help protect against Stack
> Clash attacks
>
> At some point in the past, gentoo-hardened pioneered the use of
> -fstack-protector by default in its hardened profiles, amongst other
> things listed here: https://wiki.gentoo.org/wiki/Hardened/Toolchain
>
> I was wondering what this list thought of the new CFI and Stack Clash GCC
> options, if it’d be worth looking into working with them in the context of
> the Gentoo Hardened project, and perhaps in the future, integrating them
> into gentoo-hardened if they turn out to prove valuable?
>
> I’m no Gentoo Developer, but I have been using hardened gentoo on
> production systems for a while and so I’m wondering: how do we go about
> this?
>
> Best regards,
>
> – Guillaume Ceccarelli
>
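An added example, not part of this thread or of any Gentoo tooling: on x86-64, GCC and ld record a -fcf-protection build in the .note.gnu.property section as a GNU_PROPERTY_X86_FEATURE_1_AND entry whose IBT bit corresponds to =branch and SHSTK bit to =return (=full sets both). The script below reads that note from an ELF64 binary so a hardened profile can verify the flag actually reached the final executable; the ABI constants are real, while the function names and the constructed sample note are assumptions made here.

```python
import struct

# Real ABI values (GNU ELF note type and x86-64 psABI property definitions).
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 1 << 0    # set by -fcf-protection=branch or =full
FEATURE_1_SHSTK = 1 << 1  # set by -fcf-protection=return or =full

def x86_feature_1_bits(note_section):
    """FEATURE_1_AND mask from a .note.gnu.property body; 0 if no such property."""
    off = 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from("<III", note_section, off)
        off += 12
        name = note_section[off:off + namesz]
        off += (namesz + 7) & ~7  # ELF64 property notes pad fields to 8 bytes
        desc = note_section[off:off + descsz]
        off += (descsz + 7) & ~7
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue  # e.g. a build-id note; not a property note
        p = 0  # descriptor: sequence of (pr_type, pr_datasz, padded pr_data)
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack_from("<I", desc, p)[0]
            p += (pr_datasz + 7) & ~7
    return 0  # built without -fcf-protection, or linked with an object lacking the note

def cet_status(note_section):
    bits = x86_feature_1_bits(note_section)
    return {"ibt": bool(bits & FEATURE_1_IBT), "shstk": bool(bits & FEATURE_1_SHSTK)}

def note_section_from_elf64(data):
    """Locate .note.gnu.property in a little-endian ELF64 image (b'' if absent)."""
    shoff, shentsize, shnum, shstrndx = struct.unpack_from("<Q10xHHH", data, 0x28)
    stroff = struct.unpack_from("<Q", data, shoff + shstrndx * shentsize + 24)[0]
    for i in range(shnum):  # shnum == 0 when the section headers were stripped
        base = shoff + i * shentsize
        sh_name = struct.unpack_from("<I", data, base)[0]
        sh_offset, sh_size = struct.unpack_from("<QQ", data, base + 24)
        if data[stroff + sh_name:data.index(b"\0", stroff + sh_name)] == b".note.gnu.property":
            return data[sh_offset:sh_offset + sh_size]
    return b""

def build_note(feature_bits):
    """Constructed sample of the note GCC/ld emit on x86-64 (not from a real binary)."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits).ljust(16, b"\0")
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0".ljust(8, b"\0") + desc
```

Run `cet_status(note_section_from_elf64(open(path, "rb").read()))` against a binary from the hardened toolchain; a -fcf-protection=full build reports both bits set. -fstack-clash-protection leaves no equivalent ELF marker, since it only changes the stack probes GCC generates, so it cannot be confirmed this way.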

Replies:
Re: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection, by Javier Juan Martinez Cabezon <tazok.id0@×××××.com>