Stream: wg-secure-code

Topic: mitigations

snf (Nov 01 2018 at 17:38, on Zulip):

Was there any dicussion about mitigations (specifically Control Flow Enforcement)?
I've been talking to product teams here and, because of the slow adoption, these teams would start with linking Rust components with C/C++ ones. The problem now is that Rust doesn't support CFE so any binary which includes Rust code will have weakened mitigations.

Joshua Liebow-Feeser (Nov 01 2018 at 17:40, on Zulip):

We explicitly decided to leave it out of our mission and instead focus on language-level safety, but I'm sure nobody would mind if you wanted to work on it!

snf (Nov 01 2018 at 17:54, on Zulip):

Actually that's the idea, but I wanted to know if there were any discussions about it. Thanks.

Joshua Liebow-Feeser (Nov 01 2018 at 18:14, on Zulip):


Alex Gaynor (Nov 01 2018 at 18:17, on Zulip):

You're thinking about LLVM's CFI specifically?

snf (Nov 02 2018 at 14:50, on Zulip):

Actually I'm thinking in Windows CFI because that's my main interest and make it Visual C++ compatible. LLVM's CFI uses Intel's one which hasn't been realeased yet. Last time I checked, Clang didn't rely on LLVM's CFI neither.

Alex Gaynor (Nov 02 2018 at 15:13, on Zulip):

Err, that's not correct; LLVM's CFI is entirely software based, and it's what clang's -fsanitize=cfi uses. And Windows CFG requires you to compile with MSVC to have jumps in your code protected, so I don't think that's an option (you can just use a linker flag if all you need is for Rust functions to be valid CFG call targets)

snf (Nov 05 2018 at 10:26, on Zulip):

Oops, you are right about LLVM, haven't touched it in years and only saw the recent HW implementation only.
However, what I'm talking about is modifying rustc and LLVM to emit information for MSVC's linker to generate fully protected binaries. I guess that mainstreaming changes like this will be challenging though.

Alex Gaynor (Nov 05 2018 at 13:54, on Zulip):

It seems that there's two steps: a) just enabling CFG at the linker, which should just be a flag, b) actually doing the codegen for checking the valid jump targets. For (b) you probably want LLVM's CFI, not CFG (at least for fully statically linked binaries).

Last update: Apr 04 2020 at 04:10UTC