1 |
On Sat, Apr 08, 2017 at 12:39:28PM +0200, Hanno Böck wrote: |
2 |
> Control Flow Integrity is a new set of exploit mitigations (strictly |
3 |
> speaking, there is not "the CFI", but many variants). LLVM/clang has |
4 |
> support for some form of CFI since a while. The rough idea is that it |
5 |
> adds additional checks to the code to avoid jumps to code pieces that |
6 |
> shouldn't happen. |
7 |
> |
8 |
> I'm wondering if there's interest in creating a gentoo-hardened-cfi |
9 |
> variant. I've been playing with it a bit. By setting the right |
10 |
> cc/cflags/etc. variables it's relatively straightforward to compile |
11 |
> single packages with cfi. |
12 |
> |
13 |
> However when one tries to recompile packages a lot of errors show up. |
14 |
> Most of them aren't directly related to CFI (though some are). CFI |
15 |
> depends on: |
16 |
> * clang, which is not our default (there has been work in the past for |
17 |
> gentoo with clang). |
18 |
> * fvisibility=hidden. This was afair discussed a while back, but never |
19 |
> considered to be enabled in general, only for specific packages. |
20 |
> * link time optimization/lto and thus the gold linker, because the |
21 |
> "classic" ld doesn't support lto. |
22 |
> Many issues that pop up seem like issues to build systems and linking. |
23 |
> In some cases though one needs to fix function pointer definitions that |
24 |
> don't match their respective functions. (Here's a fix [1] that I sent |
25 |
> to curl and that'll be applied in the next version.) |
26 |
> |
27 |
> For now I'm just investigating whether there's interest in this. I |
28 |
> could create some docs in the wiki on how to get started. |
29 |
> |
30 |
> [1] |
31 |
> https://github.com/curl/curl/commit/aced311d189a70c7d9b2d958739bcfc1231b3698 |
32 |
|
33 |
I'm definitely interested in seeing CFI solution(s) within Gentoo Hardened. |
34 |
Your last suggestion (to start off with some docs in the wiki) would indeed |
35 |
be the best start, allowing others to chime in when needed and extend. |
36 |
|
37 |
Wkr, |
38 |
Sven Vermeulen |