Google Posts Latest Code For KCFI As Better Control-Flow Integrity For The Linux Kernel
Google engineer Sami Tolvanen has posted the second "request for comments" patch series on KCFI as a Control-Flow Integrity implementation better geared for Linux kernel usage than the existing CFI support.
Since last year there has been Clang-based CFI support for Linux on AArch64 that is also dependent upon link-time optimizations (LTO) being enabled for the kernel build. Clang's sanitizer-based Control-Flow Integrity provides run-time checks before every indirect function call to ensure the target is a valid function with a valid static type.
Sami Tolvanen describes KCFI as, "a proposed forward-edge control-flow integrity scheme for Clang, which is more suitable for kernel use than the existing CFI scheme used by CONFIG_CFI_CLANG. KCFI doesn't require LTO, doesn't alter function references to point to a jump table, and won't break function address equality."
He went on to add, "KCFI requires assembly functions that are indirectly called from C code to be annotated with type identifiers. As type information is only available in C, the compiler emits expected type identifiers into the symbol table, so they can be referenced from assembly without having to hardcode type hashes...In case of a type mismatch, KCFI always traps. To support error handling, the compiler generates a .kcfi_traps section for x86_64, which contains the locations of each trap, and for arm64, encodes the necessary register information to the ESR."
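To make the scheme in the quoted passages concrete, here is a small constructed C model (an added example, not Tolvanen's patches or the compiler's code) of a forward-edge check keyed on a type-identifier hash: each indirect call site compares the hash of its own static function type with the identifier recorded for the target and refuses the call on a mismatch. The hash function, the address-to-id registry and all function names are assumptions; real KCFI emits the identifier next to the function itself and raises a trap rather than returning an error.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: the type identifier is a hash of the function's type
   string (FNV-1a here; the real compiler picks its own hash and input). */
static uint32_t kcfi_type_id(const char *type_sig) {
    uint32_t h = 2166136261u;
    for (; *type_sig; type_sig++) { h ^= (uint8_t)*type_sig; h *= 16777619u; }
    return h;
}

/* Stand-in for the identifier the compiler emits next to each function:
   a registry of function address -> type id, which keeps this portable C. */
struct kcfi_entry { void (*fn)(void); uint32_t type_id; };
static struct kcfi_entry kcfi_table[8];
static int kcfi_count;

static void kcfi_register(void (*fn)(void), const char *type_sig) {
    if (kcfi_count < 8)
        kcfi_table[kcfi_count++] = (struct kcfi_entry){ fn, kcfi_type_id(type_sig) };
}

/* Two functions of different types, used as indirect-call targets. */
static int handler_int(int x) { return x * 2; }
static int handler_ptr(const char *s) { return (int)strlen(s); }

/* Records each target's type id (the compiler does this at build time). */
static void kcfi_setup(void) {
    kcfi_register((void (*)(void))handler_int, "int(int)");
    kcfi_register((void (*)(void))handler_ptr, "int(const char *)");
}

/* The check a call site runs before an indirect call: the id recorded for
   the target must equal the id of the call site's static type. A target with
   no recorded id fails as well. Returns 1 = allowed, 0 = would trap. */
static int kcfi_check(void (*fn)(void), const char *expected_sig) {
    uint32_t expected = kcfi_type_id(expected_sig);
    if (kcfi_count == 0) kcfi_setup();
    for (int i = 0; i < kcfi_count; i++)
        if (kcfi_table[i].fn == fn)
            return kcfi_table[i].type_id == expected;
    return 0;
}

/* Instrumented call site whose static type is int(int). Real KCFI traps on a
   mismatch; this model returns -1 instead so the outcome can be observed. */
static int call_int_handler(int (*fn)(int), int arg) {
    if (!kcfi_check((void (*)(void))fn, "int(int)"))
        return -1;
    return fn(arg);
}
```

The mismatched call in the test is the case the quoted text says KCFI always traps on: a pointer whose target was compiled with a different static type than the call site expects.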
Besides the Linux kernel patches, there is also a new "KCFI" sanitizer that needs to be upstreamed into the LLVM repository for Clang. There isn't any similar GCC compiler support as of now.
The hope of the Google engineers is that KCFI in the Linux kernel could be a replacement for the existing AArch64 CFI support. KCFI mainline support would also cover x86_64 in addition to AArch64.
More details on this latest Control-Flow Integrity work for the Linux kernel can be found via this patch series.