Clang 15 Lands Support To Randomize Structure Layout, Linux Prepares To Use It
In matching behavior already provided by the GCC compiler, LLVM/Clang has landed "RandStruct" functionality to allow optionally randomizing the structure layout for C code.
The Clang RandStruct support is implemented similarly to GCC and intended as compile-time hardening to make it harder for attackers to retrieve data from program structures. The support can be enabled via the "-frandomize-layout-seed=" or "-frandomize-layout-seed-file=" options for providing the deterministic random seed for allowing reproducible builds.
The patch was merged last week into what will be LLVM/Clang 15 this autumn.
Meanwhile Google's Kees Cook has prepared for-next/randstruct with the Linux kernel RandStruct integration to be extended to also work with the Clang compiler. To now the Linux kernel's RandStruct support has obviously just worked with the GCC compiler for randomizing the Linux kernel's sensitive structures in the name of greater security. Look for this Clang support in for-next/randstruct to land with the Linux 5.19 kernel this summer.
Making use of the Linux kernel's RandStruct hardening can induce some performance impact but there is also a build-time tunable for trying to limit the randomization of the structure layout to cache line sized groups of members to lessen that performance cost albeit with reduced randomization.