qemu-devel

Re: [PATCH 2/2] configure: add support for Control-Flow Integrity


From: Daniele Buono
Subject: Re: [PATCH 2/2] configure: add support for Control-Flow Integrity
Date: Thu, 2 Jul 2020 11:43:27 -0400
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0

Hey Alex!

I agree, in most cases (possibly all of them), a wrong indirect function call will end up with something that is caught by ASan or UBSan. This way, however, you may catch it earlier and it may make debugging easier (especially with --enable-cfi-debug, which prints an error with the calling and, most times, the called function).

UBSan does have a similar feature, -fsanitize=function, but unfortunately it works only on C++ code, and therefore is not good in the QEMU case.

And, of course, it will also be used to weed out missing functions in the CFI filter.

On 7/2/2020 9:38 AM, Alexander Bulekov wrote:
> Can't wait to try this out!
>
> On 200702 1459, Paolo Bonzini wrote:
>> On 02/07/20 14:50, Daniele Buono wrote:
>>> I also wonder if this is something that could be put in the fuzzing
>>> environment. It would probably also help in finding coding errors in
>>> corner cases quicker.
>>
>> Yes, fuzzing and tests/docker/test-debug should enable CFI.  Also,
>> tests/docker/test-clang should enable LTO.
>>
>> Paolo
>
> I believe CFI is most-useful as an active defensive measure. I can't
> think of many cases where a fuzzer/test could raise a CFI alert that
> wouldn't also be caught by something like canaries, ASan or UBSan,
> though maybe I'm missing something. Maybe testing/fuzzing with CFI could
> be useful to weed out any errors due to e.g. an incomplete
> cfi-blacklist.txt
>
> -Alex
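To make the "wrong indirect function call" discussed above concrete, here is an added example (not from the patch or from QEMU) of the kind of bug clang's CFI rejects at the call site while ASan sees nothing, because no memory is corrupted. The dispatch table, the handler names and the clang build line in the comment are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Build to see the CFI diagnostic (assumed clang invocation, not the QEMU
 * configure logic from the patch):
 *   clang -O1 -flto -fvisibility=hidden -fsanitize=cfi-icall \
 *         -fno-sanitize-trap=cfi-icall cfi_demo.c -o cfi_demo
 * Without -fsanitize=cfi the mismatched call below silently returns garbage. */

typedef int (*handler_fn)(int);

/* Correctly typed handler: matches handler_fn exactly. */
static int double_it(int x) { return 2 * x; }

/* Wrong signature: two long arguments, long return. Casting its address to
 * handler_fn compiles cleanly; only the indirect call itself is ill-formed. */
static long add_longs(long a, long b) { return a + b; }

struct dispatch_entry {
    const char *name;
    handler_fn  fn;
};

/* Constructed dispatch table. Entry "add" is the bug under discussion: a
 * function pointer cast to a type that does not match the callee. */
static const struct dispatch_entry table[] = {
    { "double", double_it },
    { "add",    (handler_fn)add_longs },
};

/* Look up a handler by name and call it indirectly. With -fsanitize=cfi-icall
 * the call site checks that the target really has type int(int); for "add"
 * it reports a control-flow-integrity error instead of jumping there. No
 * out-of-bounds access happens here, so ASan alone has nothing to report. */
int dispatch(const char *name, int arg)
{
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        if (strcmp(table[i].name, name) == 0) {
            return table[i].fn(arg);
        }
    }
    return -1; /* unknown handler */
}

int main(void)
{
    printf("double(21) = %d\n", dispatch("double", 21)); /* 42 */
    printf("add(1)     = %d\n", dispatch("add", 1));     /* CFI aborts here */
    return 0;
}
```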



