Overview
Explore the latest developments in security features for the Linux kernel across GCC and Clang toolchains in this comprehensive conference talk. Dive into the progress made since the previous year, including achievements in parity between toolchains such as -fstrict-flex-arrays=3, -fsanitize=bounds, __builtin_dynamic_object_size(), and arm64 Shadow Call Stack for backward edge CFI. Learn about ongoing efforts, including the __counted_by(member) attribute for bounded Flexible Array Members. Discuss areas that require further work and consideration, such as the -fbounds-safety language extension proposal, handling nested structures with Flexible Array Members in Clang, and language extensions for Flexible Array Members in Unions. Examine challenges in implementing arbitrary stack protector guard locations, Link Time Optimization for kernel support in GCC, forward and backward edge CFI, arithmetic overflow protection, and addressing false positives in -Warray-bounds for GCC. Gain insights into the collaborative efforts to enhance Linux kernel security through toolchain improvements and feature implementations.
Syllabus
Security Features status update - Kees Cook, Qing Zhao, Bill Wendling
Taught by
Linux Plumbers Conference