cmd/compile: add control flow integrity options #35940

Closed
wasker opened this issue Dec 2, 2019 · 3 comments

Labels: FrozenDueToAge, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)

wasker commented Dec 2, 2019

A lot of tooling produced with golang is used in very security-sensitive environments, and consumers of such products rely on underlying platform features for preventing exploits in environments like that.

Windows 8+ supports executable hardening with the Control Flow Guard feature. It'd be great if the golang compiler and linker added support for this feature in the future.

Additional keywords: IMAGE_DLLCHARACTERISTICS_GUARD_CF, CFG.
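
One way to check a built binary for the flag named above, as an added example that is not part of the original thread or the Go project's code: it reads `DllCharacteristics` from the PE optional header and tests `IMAGE_DLLCHARACTERISTICS_GUARD_CF` (0x4000). `HasGuardCF` and `samplePE` are hypothetical names, and the sample image is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// guardCF is IMAGE_DLLCHARACTERISTICS_GUARD_CF from the PE/COFF specification.
const guardCF = 0x4000

// HasGuardCF (hypothetical helper) reports whether a PE image sets the GUARD_CF bit.
func HasGuardCF(img []byte) (bool, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return false, errors.New("missing MZ header")
	}
	pe := int(binary.LittleEndian.Uint32(img[0x3c:])) // e_lfanew
	// Need "PE\0\0" (4) + COFF header (20) + first 72 bytes of the optional header.
	if pe < 0 || pe > len(img)-96 || string(img[pe:pe+4]) != "PE\x00\x00" {
		return false, errors.New("bad or truncated PE header")
	}
	opt := pe + 24
	magic := binary.LittleEndian.Uint16(img[opt:])
	size := binary.LittleEndian.Uint16(img[pe+20:]) // SizeOfOptionalHeader
	if size < 72 || (magic != 0x10b && magic != 0x20b) {
		return false, errors.New("unsupported optional header")
	}
	// DllCharacteristics sits at offset 70 in both PE32 and PE32+.
	return binary.LittleEndian.Uint16(img[opt+70:])&guardCF != 0, nil
}

// samplePE (hypothetical helper) builds a constructed, header-only PE32+ image.
func samplePE(dllChars uint16) []byte {
	img := make([]byte, 0x40+96)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40)
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x40+20:], 72)    // SizeOfOptionalHeader
	binary.LittleEndian.PutUint16(img[0x40+24:], 0x20b) // PE32+ magic
	binary.LittleEndian.PutUint16(img[0x40+24+70:], dllChars)
	return img
}

func main() {
	img := samplePE(0x0140) // constructed: DYNAMIC_BASE | NX_COMPAT, no GUARD_CF
	if len(os.Args) > 1 {   // or inspect a real binary given as the first argument
		img, _ = os.ReadFile(os.Args[1])
	}
	on, err := HasGuardCF(img)
	fmt.Println("GUARD_CF set:", on, "error:", err)
}
```

The bit only declares the image CFG-aware; the guard function table itself is described by the load configuration directory, which this check does not inspect.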

wasker changed the title from "Make use of Control Flow Guard feature on Windows" to "proposal: Make use of Control Flow Guard feature on Windows" on Dec 2, 2019
gopherbot added this to the Proposal milestone on Dec 2, 2019
@ianlancetaylor
Contributor

Note that this idea is not Windows specific. The clang compiler offers a similar feature with the -fsanitize=cfi option: http://clang.llvm.org/docs/ControlFlowIntegrity.html.

Note also that this primarily protects against buffer overflows or use-after-free errors, but that these memory errors are already impossible in Go. It's not clear that this optimization is really worth implementing in the Go compiler. What sort of attacks do you think it would prevent?

ianlancetaylor changed the title from "proposal: Make use of Control Flow Guard feature on Windows" to "cmd/compile: add control flow integrity options" on Dec 2, 2019
ianlancetaylor added the NeedsInvestigation label and removed the Proposal label on Dec 2, 2019
ianlancetaylor modified the milestones: Proposal, Unplanned on Dec 2, 2019
Author

wasker commented Dec 3, 2019

Ian, thanks for the prompt response!

Unfortunately, I'm out of my depth when it comes to the security questions you've raised. Our company's compliance folks raised this issue for Helm binaries that we're using. My investigation of mitigation options brought me to the conclusion that compiler support is missing for enabling CFG.

There's a good chance that you're correct and the attack vectors you're referring to are impossible in Golang, and there's nothing else CFG is useful for. If this is an official triage conclusion of the Golang team, this should satisfy the compliance folks.

@ianlancetaylor
Contributor

Thanks. Since this seems to only protect against attacks that Go already prevents, I will close this. But if anybody wants to suggest a reason to implement these security checks in Go, please don't hesitate to speak up.

@golang golang locked and limited conversation to collaborators Dec 2, 2020