Ubuntu 19.10 To Harden Its Compiler With Stack Clash Protection & Intel CET

Written by Michael Larabel in Ubuntu on 19 June 2019 at 06:37 AM EDT. Add A Comment
In addition to discontinuing i386 support, Canonical announced another change being worked on for Ubuntu 19.10 is compiler hardening.

In the name of increased security, their GCC 9 compiler for Ubuntu 19.10 will have some additional tunables enabled: -fstack-clash-protection and -fcf-protection.

The stack clash protection is designed to fend off stack clash attacks by checking pages at allocation-time that instead would result in ideally just a segmentation fault.

The CF-Protection flag is for enabling Intel Control-Flow Enforcement Technology. Intel CET fends off ROP and COP/JOP style attacks thanks to indirect branch tracking and making use of a shadow stack. The Linux CET support came together over the past year though only works with the newest of Intel CPUs while for older CPUs it's treated as a no-op.

Confirmation of flipping on these new GCC hardening flags by default and other details can be found via this mailing list post.

Ubuntu 19.10 will be shipping with the new GCC 9 compiler release as well as newest Glibc and other components with this being the cycle prior to Ubuntu 20.04 LTS.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week