New GCC options: -fcf-protection & -fstack-clash-protection
Hello gentoo-hardened,

I just looked into the release notes for the recently-released GCC 8.3.0 present in ~arch, and two items grabbed my attention:
1. The addition of a -fcf-protection=[full|branch|return|none] flag to help with control flow integrity
2. The addition of -fstack-clash-protection to help protect against Stack Clash attacks

At some point in the past, gentoo-hardened pioneered the use of -fstack-protector by default in its hardened profiles, amongst other things listed here: https://wiki.gentoo.org/wiki/Hardened/Toolchain

I was wondering what this list thought of the new CFI and Stack Clash GCC options, if it’d be worth looking into working with them in the context of the Gentoo Hardened project, and perhaps in the future, integrating them into gentoo-hardened if they turn out to prove valuable?

I’m no Gentoo Developer, but I have been using hardened gentoo on production systems for a while and so I’m wondering: how do we go about this?

Best regards,

– Guillaume Ceccarelli
Re: New GCC options: -fcf-protection & -fstack-clash-protection
Dear Guillaume,

I'm not a Gentoo Dev either.

If there's a place to promote useful gcc flags from their security aspect,
Gentoo Hardened is a good place to become a leader of such efforts - as
happened in the past.

1. Regarding fcf-protection:
"Currently the x86 GNU/Linux target provides an implementation based on
Intel Control-flow Enforcement Technology (CET)."
- does anybody know which Intel processor actually supports that since its
announcement in 2016?
- it is also worth taking a look at these comments by Spender @ grsecurity:
https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks.php
It would be good if hardware developers would discuss their plans with
more security experts before they put something into production.

2. Regarding stack-clash
"Most targets do not fully support stack clash protection."
- some information would be helpful to elaborate a little bit more on "not
fully" and exactly which targets we are talking about. Does anybody have more
detailed documentation?

Best regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 24 February 2019 (Sunday) at 14:27, Guillaume Ceccarelli wrote:
Re: New GCC options: -fcf-protection & -fstack-clash-protection
Would it be feasible to include the Grsec RAP gcc plugin in gentoo hardened?

I think it would be a better alternative than fcf-protection.


On 24/02/19 16:16, "Tóth Attila" wrote:
Re: New GCC options: -fcf-protection & -fstack-clash-protection
I'm not a lawyer either, but it's not legal to copy RAP, especially since
the great crisis. It's trademarked and protected. It's a pity some
companies abused the goodwill of the developers and misused grsec
technologies in the past.
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 24 February 2019 (Sunday) at 19:18, Javier Juan Martinez Cabezon wrote:
Re: New GCC options: -fcf-protection & -fstack-clash-protection
On including RAP: it would be great, but RAP is a commercial product: while it’s probably possible to enable its use in Gentoo for people who are customers of Open Source Security (assuming one of the customers for RAP is also a member of the gentoo-hardened project or can become one, so that the integration is maintained over time), including RAP in Gentoo per se will not work.

Regarding fcf-protection, good catch: while I initially read the "Currently the x86 GNU/Linux target provides an implementation based on Intel Control-flow Enforcement Technology (CET)" bit in the GCC documentation, I didn’t catch initially that it required hardware support. After looking into it further, it doesn’t seem that Intel has any processor on the market with this technology yet. Effectively, that means no one can take advantage of this at this time, unless they’re Intel.

Regarding stack-clash: Looking at GCC’s source code, it seems to be limited to arches where the stack grows downwards, which includes major arches such as i386 (w/ amd64 too), arm and powerpc. This is further confirmed by looking into GCC’s test suite.
References:
* https://github.com/gcc-mirror/gcc/blob/gcc-8-branch/gcc/toplev.c#L1685
* https://github.com/gcc-mirror/gcc/blob/gcc-8-branch/gcc/testsuite/lib/target-supports.exp#L9236-L9249
Best,

– Guillaume Ceccarelli

> On Feb 24, 2019, at 19:56, Tóth Attila <atoth@atoth.sote.hu> wrote:
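As an added example (not code from this thread, from GCC or from Gentoo), a Python check for the marker that -fcf-protection leaves in x86 objects: GCC emits, and the linker merges, a .note.gnu.property note whose x86 feature bits record IBT (branch) and SHSTK (return), and the glibc loader enables each feature only when every loaded object carries the bit and the CPU supports CET, which is why a marked binary still runs unprotected on the hardware discussed above. The note layout assumed here (4-byte padded name and desc, 8-byte padded property entries on ELF64) is my reading of the Linux x86-64 psABI, and the sample note is constructed in the block; on a real binary, feed it the bytes from `objcopy -O binary --only-section=.note.gnu.property a.out note.bin` (or simply run `readelf -n a.out`).

```python
import struct
NT_GNU_PROPERTY_TYPE_0 = 5  # constants from the Linux x86-64 psABI
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
IBT = 1 << 0    # GNU_PROPERTY_X86_FEATURE_1_IBT, set by -fcf-protection=branch
SHSTK = 1 << 1  # GNU_PROPERTY_X86_FEATURE_1_SHSTK, set by -fcf-protection=return

def _align(n, a):
    return (n + a - 1) & ~(a - 1)

def build_x86_feature_note(bits, align=8):
    """Bytes a linker emits for one x86 feature property (sample input only)."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    desc += b"\0" * (_align(len(desc), align) - len(desc))  # entry padded
    name = b"GNU\0"  # namesz counts the NUL; 4 bytes needs no padding
    return struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0) + name + desc

def parse_gnu_properties(data, align=8):
    """{pr_type: pr_data} from the first NT_GNU_PROPERTY_TYPE_0 note, else None.
    data is the raw .note.gnu.property section; align=8 for ELF64, 4 for ELF32."""
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, 4)           # note name and desc are 4-byte padded
        desc = data[off:off + descsz]
        off += _align(descsz, 4)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue                       # unrelated note; keep scanning
        props, p = {}, 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            props[pr_type] = desc[p:p + pr_datasz]
            p += _align(pr_datasz, align)  # property entries are 8-byte padded on ELF64
        return props
    return None  # no property note: the object was not built with CET markers

def cet_status(data, align=8):
    """{"IBT": bool, "SHSTK": bool}; the loader enables each feature only when
    every loaded object carries the marker, and only on CPUs that support CET."""
    props = parse_gnu_properties(data, align)
    if not props or GNU_PROPERTY_X86_FEATURE_1_AND not in props:
        return {"IBT": False, "SHSTK": False}
    bits, = struct.unpack("<I", props[GNU_PROPERTY_X86_FEATURE_1_AND][:4])
    return {"IBT": bool(bits & IBT), "SHSTK": bool(bits & SHSTK)}

# Constructed sample: what a -fcf-protection=full x86-64 link produces.
SAMPLE_FULL = build_x86_feature_note(IBT | SHSTK)
```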