GCC's new fortification level: The gains and costs
GCC introduces _FORTIFY_SOURCE=3 for enhanced security by detecting buffer overflows in C programs at runtime. This level offers precise object size estimates, improving fortification coverage and revealing more issues in glibc. Despite potential impacts, the security benefits outweigh costs, emphasizing the importance of fortification for application security.
Read original article
This article discusses the introduction of a new fortification level, _FORTIFY_SOURCE=3, in GCC to enhance security by detecting buffer overflows and bugs in C programs at runtime. This new level offers improved buffer size detection through the __builtin_dynamic_object_size builtin, which provides precise object size estimates at execution time, leading to better fortification coverage compared to _FORTIFY_SOURCE=2. The implementation of _FORTIFY_SOURCE=3 in GCC has revealed more buffer overflow issues, including those in the GNU C library (glibc), prompting fixes and improvements in programming patterns. The increased fortification coverage has been demonstrated to significantly enhance security, with examples showing substantial improvements in fortification metrics for various applications. Despite potential impacts on code size and performance, the benefits of improved security coverage outweigh the costs associated with implementing _FORTIFY_SOURCE=3. This advancement underscores the ongoing importance of object size determination and fortification in enhancing application security and mitigating vulnerabilities.
Related
As you learn Forth, it learns from you (1981)
The Forth programming language is highlighted for its unique features like extensibility, speed, and efficiency. Contrasted with Basic, Forth's threaded code system and data handling methods make it versatile.
A buffer overflow in the XNU kernel
CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.
Memory sealing for the GNU C Library
The GNU C Library introduces mseal() system call for enhanced security by preventing address space changes. Adhemerval Zanella's patch series adds support, improving memory manipulation protection in upcoming releases.
Own Constant Folder in C/C++
Neil Henning discusses precision issues in clang when using the sqrtps intrinsic with -ffast-math, suggesting inline assembly for instruction selection. He introduces a workaround using __builtin_constant_p for constant folding optimization, enhancing code efficiency.
How GCC and Clang handle statically known undefined behaviour
Discussion on compilers handling statically known undefined behavior (UB) in C code reveals insights into optimizations. Compilers like gcc and clang optimize based on undefined language semantics, potentially crashing programs or ignoring problematic code. UB avoidance is crucial for program predictability and security. Compilers differ in handling UB, with gcc and clang showing variations in crash behavior and warnings. LLVM's 'poison' values allow optimizations despite UB, reflecting diverse compiler approaches. Compiler responses to UB are subjective, influenced by developers and user requirements.
13 comments> In this context, it is a bug in the application
This is a non-intuitive result by the normal lens C pointers are viewed by; these two pointers compared equal, how could using one differ from using the other? Pointer provenance rears its ugly head here though; one of those "pointers that have the same value"'s provenance is different to the other. By the standard, they _are_ allowed to be treated differently, and honestly the standard requires it.
https://www.ralfj.de/blog/2020/12/14/provenance.html is pretty accessible, and shockingly on point: "just because two pointers point to the same address, does not mean they are equal in the sense that they can be used interchangeably".
EDIT: spelling
Instead of fixing this, the developers behind the "dynamic object size" push have been changing the documentation to declare any use of `malloc_usable_size` buggy even though it used to be explicitly documented as safe.
I suspect that GCC's optimization passes will break even C-standard-compliant use of `realloc`, similar to how ASAN can break due to dynamic equality checks between pointers of different provenance.
Life would be much simpler for many of us if the standards committee bothered to standardize a function that says "give me a buffer of semi-arbitrary size and tell me how big it is; I promise to resize it later", which is very widely intended. An explicit "realloc in place only, else fail" would also make many more useful programs feasible to write.
The compiler's stack canaries were simple enough. The only issue was the ugly symbols. I requested that a feature be added to override the symbol generated by the compiler so I could use good names instead.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113694
Things like instrumentation and sanitizers though? No idea. Even asked about it on Stack Overflow and got no answers to this day.
https://stackoverflow.com/q/77688456
I assume these object sizing builtins make use of function attributes such as malloc, alloc_align and alloc_size. I've added all of those attributes to my memory allocator but I'm not quite sure if they're doing anything useful.
Again? There is a typo there. - programs + programmers
the new feature appeared in 2021
Related
As you learn Forth, it learns from you (1981)
The Forth programming language is highlighted for its unique features like extensibility, speed, and efficiency. Contrasted with Basic, Forth's threaded code system and data handling methods make it versatile.
A buffer overflow in the XNU kernel
CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.
Memory sealing for the GNU C Library
The GNU C Library introduces mseal() system call for enhanced security by preventing address space changes. Adhemerval Zanella's patch series adds support, improving memory manipulation protection in upcoming releases.
Own Constant Folder in C/C++
Neil Henning discusses precision issues in clang when using the sqrtps intrinsic with -ffast-math, suggesting inline assembly for instruction selection. He introduces a workaround using __builtin_constant_p for constant folding optimization, enhancing code efficiency.
How GCC and Clang handle statically known undefined behaviour
Discussion on compilers handling statically known undefined behavior (UB) in C code reveals insights into optimizations. Compilers like gcc and clang optimize based on undefined language semantics, potentially crashing programs or ignoring problematic code. UB avoidance is crucial for program predictability and security. Compilers differ in handling UB, with gcc and clang showing variations in crash behavior and warnings. LLVM's 'poison' values allow optimizations despite UB, reflecting diverse compiler approaches. Compiler responses to UB are subjective, influenced by developers and user requirements.