Hello gentoo-hardened,
I just looked into the release notes for the recently-released GCC 8.3.0 present in ~arch, and two items grabbed my attention:
1. The addition of a -fcf-protection=[full|branch|return|none] flag to help with control flow integrity
2. The addition of -fstack-clash-protection to help protect against Stack Clash attacks
At some point in the past, gentoo-hardened pioneered the use of -fstack-protector by default in its hardened profiles, amongst other things listed here : https://wiki.gentoo.org/wiki/Hardened/Toolchain
I was wondering what this list thought of the new CFI and Stack Clash GCC options, if it’d be worth looking into working with them in the context of the Gentoo Hardened project, and perhaps in the future, integrating them into gentoo-hardened if they turn out to prove valuable?
I’m no Gentoo Developer, but I have been using hardened gentoo on production systems for a while and so I’m wondering: how do we go about this?
Best regards,
– Guillaume Ceccarelli
I just looked into the release notes for the recently-released GCC 8.3.0 present in ~arch, and two items grabbed my attention:
1. The addition of a -fcf-protection=[full|branch|return|none] flag to help with control flow integrity
2. The addition of -fstack-clash-protection to help protect against Stack Clash attacks
At some point in the past, gentoo-hardened pioneered the use of -fstack-protector by default in its hardened profiles, amongst other things listed here : https://wiki.gentoo.org/wiki/Hardened/Toolchain
I was wondering what this list thought of the new CFI and Stack Clash GCC options, if it’d be worth looking into working with them in the context of the Gentoo Hardened project, and perhaps in the future, integrating them into gentoo-hardened if they turn out to prove valuable?
I’m no Gentoo Developer, but I have been using hardened gentoo on production systems for a while and so I’m wondering: how do we go about this?
Best regards,
– Guillaume Ceccarelli