cmd/asm,cmd/compile: add support for control flow integrity #66054
Modern CPUs provide support for branch tracking control flow integrity (BTCFI) in the form of Intel's Indirect Branch Tracking (IBT) and AARCH64's Branch Tracking Identification (BTI). BTCFI helps to mitigate flow control based exploits, such as those achieved via Return Oriented Programming (ROP).
Some operating systems (for example, OpenBSD 7.4 onwards) are starting to enforce IBT and BTI on hardware where it is available (Intel Tigerlake onwards, Apple's M2, etc). Go binaries need to be marked with PT_OPENBSD_NOBTCFI in order to allow them to execute. Other operating systems have varying levels of support (Linux enables IBT in the kernel, but not userland AIUI - https://lwn.net/Articles/889475/).
Go should ideally support BTCFI - in the IBT/BTI case it is effectively a matter of providing a "landing pad" instruction (endbr64 on amd64 and bti c on arm64), at function entry points and any other locations where control flow is expected to land. On machines that do not support these instructions (or have BTCFI enabled/enforced in userland), they are effectively no-ops. This does potentially impact code where it is intentional to jump into a function at some offset - for example, Duff devices (DUFFCOPY, DUFFZERO) and jump tables. This would also need landing pads at each potential entry point, or revisiting/disabling.