Date: Sun, 9 Sep 2018 14:24:13 -0400
From: Boris Lukashev <blukashev@...pervictus.com>
To: "Theodore Y. Ts'o" <tytso@....edu>
Cc: Greg KH <greg@...ah.com>, Sandy Harris <sandyinchina@...il.com>, 
	kernel-hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: Checked C?

Quick glance over the paper describes type and bounds checks
attempting to make access safer at compile and runtime via new
syntax... The caveat of "The safety provided by checked pointers can
be thwarted by unsafe operations, such as writes to traditional
pointers" leads to some immediate coverage concerns.
Doesn't grsecurity/PaX already do things like this with GCC plugins?
My understanding is that analogous functionality is available with
GCC, and wouldn't require adopting MSFT's take on "how C should be" in
Linux.
If the kernel is to move to Clang (which seems to be a direction which
Google and others are going), then implementing LLVM passes to do such
things may not require explicit syntax to declare these pointers, but
more likely exceptions to default use of safe types.

-Boris

On Sun, Sep 9, 2018 at 12:56 PM, Theodore Y. Ts'o <tytso@....edu> wrote:
> On Sun, Sep 09, 2018 at 02:59:12PM +0200, Greg KH wrote:
>> On Sun, Sep 09, 2018 at 08:22:44AM -0400, Sandy Harris wrote:
>> > Slashdot reports that Microsoft have come up with something they call
>> > "checked C". It claims to prevent a wide variety of memory & pointer
>> > bugs, using a mix of compile-time and run-time checks, at moderate
>> > overheads.
>> >
>> > Implementation is as extensions to Clang so it might be hard to apply
>> > to the kernel which I think has some GNU-isms. Perhaps still worth a
>> > look?
>
> What would be really interesting would be implementing the Microsoft
> extensions as Clang plugins, so the kernel changes don't require
> distributions to ship a modified Clang.
>
> Whoever does this will need to remember that kernel modifications need
> to work with:
>
>    * Clang with the extensions
>
>    * Clang without the extensions (in case the extensions are Clang
>      version dependent, and the system has a Clang which is too old).
>
>    * Gcc without the extensions
>
> We've been doing that sort of thing already, using CPP magic, so there
> are plenty of examples about ways of doing that.
>
>                                         - Ted



-- 
Boris Lukashev
Systems Architect
Semper Victus
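
The "CPP magic" fallback Ted describes could look like the following. This is an added example, not part of the original messages and not kernel or Checked C project code; `HAVE_CHECKED_C` and the macro names are hypothetical, and only the plain-C fallback branch is exercised here.

```c
#include <stddef.h>
#include <stdio.h>
/* ASSUMPTION: HAVE_CHECKED_C is a hypothetical macro a build-time compiler
 * probe would define; it is not a real kernel or Checked C symbol. */
#ifdef HAVE_CHECKED_C
# define CHECKED_PTR(T)   _Ptr<T>
# define CHECKED_ARRAY(T) _Array_ptr<T>
# define BOUNDS_COUNT(n)  : count(n)
#else   /* older Clang, or GCC: annotations vanish, plain C remains */
# define CHECKED_PTR(T)   T *
# define CHECKED_ARRAY(T) T *
# define BOUNDS_COUNT(n)
#endif

static const unsigned char sample[4] = { 1, 2, 3, 4 }; /* constructed sample data */

/* Sum len bytes; the bounds annotation ties buf to len where supported. */
static unsigned int sum_bytes(CHECKED_ARRAY(const unsigned char) buf BOUNDS_COUNT(len),
                              size_t len)
{
    unsigned int total = 0;
    for (size_t i = 0; i < len; i++)
        total += buf[i];
    return total;
}

/* The explicit check stays in the source: on the two fallback compilers it
 * is the only bounds check this access gets. */
static int get_byte(CHECKED_ARRAY(const unsigned char) buf BOUNDS_COUNT(len),
                    size_t len, size_t idx, CHECKED_PTR(unsigned char) out)
{
    if (idx >= len)
        return -1;
    *out = buf[idx];
    return 0;
}

/* Demo helper: byte at idx of sample, or -1 when idx is out of range. */
static int demo_get(size_t idx)
{
    unsigned char b;
    return get_byte(sample, sizeof(sample), idx, &b) ? -1 : b;
}

int main(void)
{
    printf("sum=%u ok=%d oob=%d\n", sum_bytes(sample, sizeof(sample)), demo_get(2), demo_get(4));
    return 0;
}
```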
