Control Flow Integrity #3810
Comments
defuse
added
I-SECURITY
|
Microsoft CFG seems inapplicable unless the code is compiled with MSVC, which we don't support, and I think we're unlikely to support. We do support compiling with clang, at least for Thread/Address Sanitizer builds. (I don't know whether those still require a patch, but if so it wouldn't be difficult to fix.) |
|
Note that according to https://llvm.org/docs/GoldPlugin.html you need to enable the Gold linker when compiling, using If I understand correctly, as long as we still dynamically link to the system libc, this won't prevent return-to-libc attacks, and similarly for libstdc++ and other dynamically linked system libraries (see #2513). |
|
It looks like we have to solve #2513 first in order for the cfi-mfcall check to work:
because libstdc++ will contain such virtual member functions. |
|
We can still enable the other checks though, right? |
Right, but ASLR puts standard libraries at random locations, making ret-to-libc harder. In general the incompleteness of one mitigation technology shouldn't remove it from our consideration. All of them are incomplete, we should consider them and their effect as a set, and one that we improve over time. |
|
I think you just need LTO, which I think has been available for a while. It looks like the gold recommendation was just a suggestion. In general though, I think users who build zcashd without a given security option because it's unavailable for some reason on their platform should have to explicitly disable that, and the build should fail if they don't disable something that isn't available on their platform. |
mms710
moved this from Bugs/TechDebt Backlog
to Security Issue Backlog
in Arborist Team
Control Flow Integrity (CFI) is an approach to mitigating code-reuse attacks (e.g. ROP). In this ticket, evaluate the CFI options that are available and see if any would be beneficial to
zcashd. A quick search returns:The text was updated successfully, but these errors were encountered: