Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/compile: add control flow integrity options #35940

Closed
wasker opened this issue Dec 2, 2019 · 3 comments

Comments

@wasker
Copy link

@wasker wasker commented Dec 2, 2019

A lot of tooling produced with golang is used in very security sensitive environments and consumers of such products rely on underlying platform features for preventing exploits in environments like that.

Windows 8+ supports executable hardening with Control Flow Guard feature. That'd be great if golang compiler and linker would add support for this feature in the future.

Additional keywords: IMAGE_DLLCHARACTERISTICS_GUARD_CF, CFG.

@wasker wasker changed the title Make use of Control Flow Guard feature on Windows proposal: Make use of Control Flow Guard feature on Windows Dec 2, 2019
@gopherbot gopherbot added this to the Proposal milestone Dec 2, 2019
@gopherbot gopherbot added the Proposal label Dec 2, 2019
@ianlancetaylor

This comment has been minimized.

Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Dec 2, 2019

Note that this idea is not Windows specific. The clang compiler offers a similar feature with the -fsanitize=cfi option: http://clang.llvm.org/docs/ControlFlowIntegrity.html.

Note also that this primarily protects against buffer overflows or use-after-free errors, but that these memory errors are already impossible in Go. It's not clear that this optimization is really worth implementing in the Go compiler. What sort of attacks do you think it would prevent?

@ianlancetaylor ianlancetaylor changed the title proposal: Make use of Control Flow Guard feature on Windows cmd/compile: add control flow integrity options Dec 2, 2019
@ianlancetaylor ianlancetaylor modified the milestones: Proposal, Unplanned Dec 2, 2019
@wasker

This comment has been minimized.

Copy link
Author

@wasker wasker commented Dec 3, 2019

Ian, thanks for prompt response!

Unfortunately, I'm out of my depth when it comes to security questions you've raised. Our company's compliance folks raised this issue for Helm binaries that we're using. My investigation of mitigation options brought me to the conclusion that compiler support is missing for enabling CFG.

There's a good chance that you're correct and the attack vectors you're referring to are impossible in Golang, and there's nothing else CFG is useful for. If this is an official triage conclusion of Golang team, this should satisfy compliance folks.

@ianlancetaylor

This comment has been minimized.

Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Dec 3, 2019

Thanks. Since this seems to only prevent against attacks that are Go already prevents, I will close this. But if anybody wants to suggest a reason to implement these security checks in Go, please don't hesitate to speak up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.