13–15 Nov 2023
America/New_York timezone

Security Features status update

13 Nov 2023, 09:30
50m
"Magnolia" (Omni Richmond Hotel)

Toolchains Track

Speakers

Kees Cook (Google), Qing Zhao, Bill Wendling (Google)

Description

A great deal of work has gone into both GCC and Clang to provide the Linux kernel with a variety of security features. Let's review where we are with parity between the toolchains, discuss approaches to solving open problems, and explore new features.

Parity reached since last year:

  • -fstrict-flex-arrays=3
  • -fsanitize=bounds
  • __builtin_dynamic_object_size()
  • arm64 Shadow Call Stack (backward edge CFI)

In progress:

  • __counted_by(member) attribute for bounded Flexible Array Members

Needs work/discussion:

  • -fbounds-safety language extension proposal
  • handling nested structures ending in a Flexible Array Member (Clang)
  • language extension to support Flexible Array Member in Unions
  • arbitrary stack protector guard location (Clang: risc-v, powerpc)
  • Link Time Optimization (Kernel support for GCC)
  • forward edge CFI (GCC: KCFI)
  • backward edge CFI (Kernel support for CET)
  • arithmetic overflow protection (GCC & Clang)
  • -Warray-bounds false positives (GCC)
