public inbox for gentoo-hardened@lists.gentoo.org
From: Guillaume Ceccarelli <guillaume@gcs-ventures.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection
Date: Sun, 24 Feb 2019 20:11:26 +0100	[thread overview]
Message-ID: <99EEBAE5-C216-4744-A4B4-4AF39A5752E9@gcs-ventures.com> (raw)
In-Reply-To: <4f9add6b2d676645e271c50cb0ac5255.squirrel@atoth.sote.hu>

On including RAP: it would be great, but RAP is a commercial product. While it's probably possible to enable its use in Gentoo for people who are customers of Open Source Security (assuming one of the customers for RAP is also a member of the gentoo-hardened project or can become one, so that the integration is maintained over time), including RAP in Gentoo per se will not work.

Regarding fcf-protection, good catch: while I initially read the "Currently the x86 GNU/Linux target provides an implementation based on Intel Control-flow Enforcement Technology (CET)" bit in the GCC documentation, I didn't catch initially that it required hardware support. After looking into it further, it doesn't seem that Intel has any processor on the market with this technology yet. Effectively, that means no one can take advantage of this at this time, unless they're Intel.

Regarding stack-clash: Looking at GCC’s source code, it seems to be limited to arches where the stack grows downwards, which includes major arches such as i386 (w/ amd64 too), arm and powerpc. This is further confirmed by looking into GCC’s test suite.
References:
* https://github.com/gcc-mirror/gcc/blob/gcc-8-branch/gcc/toplev.c#L1685 
* https://github.com/gcc-mirror/gcc/blob/gcc-8-branch/gcc/testsuite/lib/target-supports.exp#L9236-L9249


Best,

– Guillaume Ceccarelli

> On Feb 24, 2019, at 19:56, Tóth Attila <atoth@atoth.sote.hu> wrote:
> 
> I'm not a lawyer either, but it's not legal to copy RAP, especially since
> the great crisis. It's trademarked and protected. It's a pity some
> companies abused the goodwill of the developers and misused grsec
> technologies in the past.
> Dw.
> -- 
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
> 
> On 24 February 2019 (Sun) at 19:18, Javier Juan Martinez Cabezon wrote:
>> 
>> Would it be feasible to include the Grsec RAP gcc plugin in gentoo hardened?
>> 
>> I think it would be a better alternative than fcf-protection.
>> 
>> 
>> On 24/02/19 16:16, "Tóth Attila" wrote:
>>> Dear Guillaume,
>>> 
>>> I'm not a Gentoo Dev either.
>>> 
>>> If there's a place to promote useful gcc flags from their security
>>> aspect, Gentoo Hardened is a good place to become a leader of such
>>> efforts - like it happened in the past.
>>> 
>>> 1. Regarding fcf-protection:
>>> "Currently the x86 GNU/Linux target provides an implementation based on
>>> Intel Control-flow Enforcement Technology (CET)."
>>> - does anybody know which Intel processor actually supports that, since
>>> its announcement in 2016?
>>> - it's also worth taking a look at these comments by Spender @
>>> grsecurity:
>>> https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks.php
>>> It would be good if hardware developers would discuss their plans with
>>> more security experts before they put something into production.
>>> 
>>> 2. Regarding stack-clash
>>> "Most targets do not fully support stack clash protection."
>>> - some information would be helpful to elaborate a little bit more on
>>> "not fully" and exactly which targets we are talking about. Does anybody
>>> have more detailed documentation?
>>> 
>>> Best regards,
>>> Dw.
>>> 
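The thread above raises two practical questions that the messages leave open: how to tell whether a given machine and a given binary can actually use -fcf-protection, and whether the local GCC turns -fstack-clash-protection on by default. The script below is an added example written for this page; it is not from any message in the thread, from GCC, or from the Gentoo Hardened project. The three check functions take their input as text so they can be run offline against captured output; the only assumptions are the /proc/cpuinfo flag names ("ibt" for Indirect Branch Tracking and "shstk" or "user_shstk" for the shadow stack, which depend on the kernel version) and the `readelf -n` rendering of the GNU property note as "x86 feature: IBT, SHSTK". The `check_live` wrapper feeds the functions the real system when the tools are present.

```shell
#!/bin/sh
# Added example for the gentoo-hardened thread on -fcf-protection and
# -fstack-clash-protection. Not part of the thread, GCC, or Gentoo.

# -fcf-protection only buys anything on a CPU that exposes CET. The kernel
# mirrors the CPUID bits into /proc/cpuinfo. Flag names are an assumption:
# "ibt" for Indirect Branch Tracking, "shstk" or "user_shstk" for the
# user-space shadow stack (the exact name changed between kernel releases).
# $1: cpuinfo text. Prints "IBT", "SHSTK", "IBT SHSTK" or nothing.
cet_cpu_flags() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    ibt=""; shstk=""
    for f in $flags; do
        case "$f" in
            ibt) ibt="IBT" ;;
            shstk|user_shstk) shstk="SHSTK" ;;
        esac
    done
    printf '%s\n' "$ibt $shstk" | sed 's/^ //; s/ $//'
}

# A binary built with -fcf-protection carries a .note.gnu.property note that
# `readelf -n` renders as "x86 feature: IBT, SHSTK" (assumed format). The
# loader only enables CET for a process when every loaded object has the
# matching bits, so a single library built without the flag disables it.
# $1: output of `readelf -n <file>`. Prints the feature list, or "none".
elf_cet_features() {
    feat=$(printf '%s\n' "$1" | sed -n 's/.*x86 feature:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "${feat:-none}"
}

# Whether the local GCC defaults to stack clash probing. `gcc -Q --help=common`
# lists each flag with its current state in brackets, e.g.
#   -fstack-clash-protection    [enabled]
# Distributions that patched the default on (or a target that does not
# support it) show up here without compiling anything.
# $1: output of `gcc -Q --help=common`. Prints "enabled", "disabled" or "unknown".
stack_clash_default() {
    state=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*-fstack-clash-protection[[:space:]]*[[]\([a-z]*\)[]].*/\1/p' \
        | head -n 1)
    printf '%s\n' "${state:-unknown}"
}

# Run the checks against the live system. $1 (optional): an ELF file to
# inspect for the CET property note.
check_live() {
    if [ -r /proc/cpuinfo ]; then
        printf 'CPU CET flags: %s\n' "$(cet_cpu_flags "$(cat /proc/cpuinfo)")"
    fi
    if command -v gcc >/dev/null 2>&1; then
        printf 'gcc -fstack-clash-protection default: %s\n' \
            "$(stack_clash_default "$(gcc -Q --help=common 2>/dev/null)")"
    fi
    if [ -n "$1" ] && command -v readelf >/dev/null 2>&1; then
        printf '%s CET note: %s\n' "$1" "$(elf_cet_features "$(readelf -n "$1" 2>/dev/null)")"
    fi
    return 0
}
```

Source the file and call `check_live /path/to/binary` to report on the running machine; a binary whose note reads "none" was not built with -fcf-protection, and a CPU line with no IBT or SHSTK flag is the situation the thread describes, where the flag costs nothing but also protects nothing.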

Thread overview: 5+ messages
2019-02-24 13:27 [gentoo-hardened] New GCC options: -fcf-protection & -fstack-clash-protection Guillaume Ceccarelli
2019-02-24 15:16 ` "Tóth Attila"
2019-02-24 18:18   ` Javier Juan Martinez Cabezon
2019-02-24 18:56     ` "Tóth Attila"
2019-02-24 19:11       ` Guillaume Ceccarelli [this message]
