Dear Guillaume,

I'm not a Gentoo Dev either.

If there's a place to promote useful gcc flags from their security aspect,
Gentoo Hardened is a good place to become a leader of such efforts, as
happened in the past.

1. Regarding fcf-protection:
"Currently the x86 GNU/Linux target provides an implementation based on
Intel Control-flow Enforcement Technology (CET)."
- does anybody know which Intel processor actually supports that since its
announcement in 2016?
- it is also worth taking a look at these comments by Spender @ grsecurity:
https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks.php
It would be good if hardware developers would discuss their plans with
more security experts before they put something into production.

2. Regarding stack-clash
"Most targets do not fully support stack clash protection."
- some information would be helpful to elaborate a little bit more on "not
fully" and exactly which targets we are talking about. Does anybody have more
detailed documentation?

Best regards,
Dw.
--
Dr. Attila Tóth, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2019 February 24 (Sunday) 14:27, Guillaume Ceccarelli wrote:
> Hello gentoo-hardened,
>
> I just looked into the release notes for the recently-released GCC 8.3.0
> present in ~arch, and two items grabbed my attention:
> 1. The addition of a -fcf-protection=[full|branch|return|none] flag to
> help with control flow integrity
> 2. The addition of -fstack-clash-protection to help protect against Stack
> Clash attacks
>
> At some point in the past, gentoo-hardened pioneered the use of
> -fstack-protector by default in its hardened profiles, amongst other
> things listed here : https://wiki.gentoo.org/wiki/Hardened/Toolchain
>
> I was wondering what this list thought of the new CFI and Stack Clash GCC
> options, if it’d be worth looking into working with them in the context of
> the Gentoo Hardened project, and perhaps in the future, integrating them
> into gentoo-hardened if they turn out to prove valuable?
>
> I’m no Gentoo Developer, but I have been using hardened gentoo on
> production systems for a while and so I’m wondering: how do we go about
> this?
>
> Best regards,
>
> – Guillaume Ceccarelli
>