Sep 20 – 24, 2021
US/Pacific timezone

Compiler Features for Kernel Security

Sep 24, 2021, 10:05 AM
Microconference1/Virtual-Room (LPC Virtual)


Toolchains and Kernel MC


Kees Cook (Google), Qing Zhao


GCC and Clang both have a variety of security features available, but they are not always at parity with each other. This discussion will review the security features important to the Linux kernel with regard to what's working, what's missing, and what needs adjustment.

Specifically, these areas will be discussed along with anything else that seems relevant:

  • stack protector guard location (i.e. enabling per-task canaries)

  • call-used register zeroing (now in GCC 11)

  • stack variable auto-initialization (already in Clang, soon to be in GCC 12)

  • array bounds checking

  • integer overflow protection

  • Link Time Optimization

  • backward edge Control Flow Integrity

  • forward edge Control Flow Integrity

  • Spectre v1 mitigation

  • structure layout randomization

  • constant expression for "is an lvalue?"

  • constant expression for lvalue type extraction

Primary authors

Kees Cook (Google), Qing Zhao
