Gentoo Archives: gentoo-hardened

From: Guillaume Ceccarelli <guillaume@××××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection
Date: Sun, 24 Feb 2019 13:27:28
Message-Id: 1BBB11BB-9E55-4A3E-901D-EF4E9936CFE4@gcs-ventures.com
Hello gentoo-hardened,

I just looked into the release notes for the recently-released GCC 8.3.0 present in ~arch, and two items grabbed my attention:
1. The addition of a -fcf-protection=[full|branch|return|none] flag to help with control flow integrity
2. The addition of -fstack-clash-protection to help protect against Stack Clash attacks

At some point in the past, gentoo-hardened pioneered the use of -fstack-protector by default in its hardened profiles, amongst other things listed here: https://wiki.gentoo.org/wiki/Hardened/Toolchain

I was wondering what this list thought of the new CFI and Stack Clash GCC options, if it’d be worth looking into working with them in the context of the Gentoo Hardened project, and perhaps in the future, integrating them into gentoo-hardened if they turn out to prove valuable?

I’m no Gentoo Developer, but I have been using hardened gentoo on production systems for a while and so I’m wondering: how do we go about this?

Best regards,

– Guillaume Ceccarelli
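Added example (mine, not from Guillaume's mail or from the Gentoo toolchain): a small Python check for the marking that -fcf-protection leaves in an x86-64 object's .note.gnu.property section, which is what a profile-wide QA check would inspect to confirm the flag actually took effect. The sample note bytes are constructed inline to match what GCC emits for the four -fcf-protection= values.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5            # note type GCC uses for .note.gnu.property
GNU_PROPERTY_X86_FEATURE_1_AND = 0xc0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0    # set by -fcf-protection=branch (endbr landing pads)
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1  # set by -fcf-protection=return (shadow stack)


def parse_gnu_property_note(blob, align=8):
    """Return {pr_type: pr_data} from the raw bytes of a .note.gnu.property section (ELF64)."""
    namesz, descsz, ntype = struct.unpack_from("<III", blob, 0)
    if blob[12:12 + namesz] != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not an NT_GNU_PROPERTY_TYPE_0 note")
    off = 12 + ((namesz + 3) & ~3)          # owner name is padded to 4 bytes
    end, props = off + descsz, {}
    while off < end:
        pr_type, pr_datasz = struct.unpack_from("<II", blob, off)
        off += 8
        props[pr_type] = blob[off:off + pr_datasz]
        off += (pr_datasz + align - 1) & ~(align - 1)   # each property padded to the ELF word size
    return props


def cf_protection_level(props):
    """Map the FEATURE_1_AND bits back to the -fcf-protection= value that produced them."""
    data = props.get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if data is None:
        return "none"                        # no CET marking at all: built without the flag
    bits = struct.unpack_from("<I", data)[0]
    ibt = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
    shstk = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
    return {(True, True): "full", (True, False): "branch",
            (False, True): "return", (False, False): "none"}[(ibt, shstk)]


def sample_note(feature_bits):
    """Constructed sample: the note GCC puts in an x86-64 object built with -fcf-protection."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
```

For a real object, dump the section with `objcopy -O binary -j .note.gnu.property foo.o note.bin` and feed the file's bytes to parse_gnu_property_note (`readelf -n foo.o` shows the same properties by hand). Note that the linker ANDs these bits across all inputs, so one object built without the flag clears the marking for the whole final binary.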

Replies

Subject Author
Re: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection "Tóth Attila" <atoth@××××××××××.hu>