cmd/compile: add control flow integrity options

[wasker]

A lot of tooling produced with golang is used in very security sensitive environments and consumers of such products rely on underlying platform features for preventing exploits in environments like that.

Windows 8+ supports executable hardening with Control Flow Guard feature. That'd be great if golang compiler and linker would add support for this feature in the future.

Additional keywords: IMAGE_DLLCHARACTERISTICS_GUARD_CF, CFG.

[ianlancetaylor]

Note that this idea is not Windows specific. The clang compiler offers a similar feature with the -fsanitize=cfi option: http://clang.llvm.org/docs/ControlFlowIntegrity.html.

Note also that this primarily protects against buffer overflows or use-after-free errors, but that these memory errors are already impossible in Go. It's not clear that this optimization is really worth implementing in the Go compiler. What sort of attacks do you think it would prevent?

[wasker]

Ian, thanks for prompt response!

Unfortunately, I'm out of my depth when it comes to security questions you've raised. Our company's compliance folks raised this issue for Helm binaries that we're using. My investigation of mitigation options brought me to the conclusion that compiler support is missing for enabling CFG.

There's a good chance that you're correct and the attack vectors you're referring to are impossible in Golang, and there's nothing else CFG is useful for. If this is an official triage conclusion of Golang team, this should satisfy compliance folks.

[ianlancetaylor]

Thanks. Since this seems to only prevent against attacks that are Go already prevents, I will close this. But if anybody wants to suggest a reason to implement these security checks in Go, please don't hesitate to speak up.