Message-ID: <CAFUG7CeV6wTe7_7ZXcB7FCP5+O3-x41hDRAbSO12vw=O2DJ0AQ@mail.gmail.com>
Date: Sun, 9 Sep 2018 14:24:13 -0400
From: Boris Lukashev <blukashev@...pervictus.com>
To: "Theodore Y. Ts'o" <tytso@....edu>
Cc: Greg KH <greg@...ah.com>, Sandy Harris <sandyinchina@...il.com>, kernel-hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: Checked C?

Quick glance over the paper describes type and bounds checks
attempting to make access safer at compile and runtime via new
syntax...

The caveat of "The safety provided by checked pointers can be thwarted
by unsafe operations, such as writes to traditional pointers" leads to
some immediate coverage concerns.

Doesn't grsecurity/PaX already do things like this with GCC plugins?
My understanding is that analogous functionality is available with
GCC, and wouldn't require adopting MSFT's take on "how C should be" in
Linux.

If the kernel is to move to Clang (which seems to be a direction which
Google and others are going), then implementing LLVM passes to do such
things may not require explicit syntax to declare these pointers, but
more likely exceptions to default use of safe types.

-Boris

On Sun, Sep 9, 2018 at 12:56 PM, Theodore Y. Ts'o <tytso@....edu> wrote:
> On Sun, Sep 09, 2018 at 02:59:12PM +0200, Greg KH wrote:
>> On Sun, Sep 09, 2018 at 08:22:44AM -0400, Sandy Harris wrote:
>> > Slashdot reports that Microsoft have come up with something they call
>> > "checked C". It claims to prevent a wide variety of memory & pointer
>> > bugs, using a mix of compile-time and run-time checks, at moderate
>> > overheads.
>> >
>> > Implementation is as extensions to Clang so it might be hard to apply
>> > to the kernel which I think has some GNU-isms. Perhaps still worth a
>> > look?
>
> What would be really interesting would be implementing the Microsoft
> extensions as Clang plugins, so the kernel changes don't require
> distributions to ship a modified Clang.
>
> Whoever does this will need to remember that kernel modifications need
> to work with:
>
> * Clang with the extensions
>
> * Clang without the extensions (in case the extensions are Clang
>   version dependent, and the system has a Clang which is too old).
>
> * Gcc without the extensions
>
> We've been doing that sort of thing already, using CPP magic, so there
> are plenty of examples about ways of doing that.
>
>                                         - Ted

--
Boris Lukashev
Systems Architect
Semper Victus
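
Added example (not part of the thread or of any participant's message): a sketch of the "CPP magic" mentioned in the quoted reply, where pointer annotations expand to Checked C syntax when the compiler has the extensions and to plain C on Clang or GCC without them. `CONFIG_CC_HAS_CHECKED_C` and the `checked_array` / `checked_count` macro names are hypothetical; the `_Array_ptr<T>` and `count(n)` forms are taken from the Checked C language extension.

```c
#include <stddef.h>

/* CONFIG_CC_HAS_CHECKED_C is a hypothetical symbol: a build system would
 * define it only after probing that the compiler accepts Checked C syntax. */
#ifdef CONFIG_CC_HAS_CHECKED_C
#define checked_array(T) _Array_ptr<T>   /* bounds-checked array pointer */
#define checked_count(n) : count(n)      /* bounds declaration */
#else
/* Clang or GCC without the extensions: annotations compile away. */
#define checked_array(T) T *
#define checked_count(n)
#endif

/* Copies src into dst. Returns the number of bytes copied, or -1 when src
 * does not fit. The explicit length test is the only protection on
 * compilers where the annotations expand to nothing. */
long bounded_copy(checked_array(unsigned char) dst checked_count(dst_len),
                  size_t dst_len,
                  checked_array(const unsigned char) src checked_count(src_len),
                  size_t src_len)
{
    if (src_len > dst_len)
        return -1;
    for (size_t i = 0; i < src_len; i++)
        dst[i] = src[i];
    return (long)src_len;
}

/* Constructed inputs: a 4-byte source that fits an 8-byte destination. */
long demo_fits(void)
{
    unsigned char dst[8] = {0};
    const unsigned char src[4] = {1, 2, 3, 4};
    long n = bounded_copy(dst, sizeof dst, src, sizeof src);
    return (n == 4 && dst[3] == 4 && dst[4] == 0) ? n : -2;
}

/* Constructed inputs: a 4-byte source offered to a 2-byte destination. */
long demo_rejects_oversize(void)
{
    unsigned char dst[2] = {0xAA, 0xAA};
    const unsigned char src[4] = {1, 2, 3, 4};
    long n = bounded_copy(dst, sizeof dst, src, sizeof src);
    return (dst[0] == 0xAA && dst[1] == 0xAA) ? n : -2;  /* dst untouched */
}

int main(void)
{
    return (demo_fits() == 4 && demo_rejects_oversize() == -1) ? 0 : 1;
}
```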