Re: [PATCH 05/15] x86: Implement function_nocfi
From: Joao Moreira
Date: Mon Apr 19 2021 - 12:44:49 EST
Why not? In particular, I'd really like somebody to answer the question
"why not just store a cookie before each address-taken or
external-linkage function?".
FWIIW, this was done before (at least twice): First with grsecurity/PaX
RAP (https://grsecurity.net/rap_faq) then with kCFI
(https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel-wp.pdf,
https://github.com/kcfi/kcfi - which is no longer maintained).
At the time I worked on kCFI someone raised a concern regarding this
cookie-based design being mutually exclusive to execute-only memories
(XOM), what, if XOM is really relevant to someone, should be a valid
concern.
Since design is being questioned, an x86/CET-specific third design for
CFI was recently discussed here:
https://www.openwall.com/lists/kernel-hardening/2021/02/11/1 -- I assume
that, arch-dependency considered, this should be easier to integrate
when compared to clang-cfi. Also, given that it is based on CET, this
also has the benefit of constraining mispeculations (which is a nice
side-effect).
Tks, Joao