Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/asm,cmd/compile: add support for shadow stack #66840

Open
loqs opened this issue Apr 15, 2024 · 6 comments
Open

cmd/asm,cmd/compile: add support for shadow stack #66840

loqs opened this issue Apr 15, 2024 · 6 comments
Labels
compiler/runtime Issues related to the Go compiler and/or runtime. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@loqs
Copy link

loqs commented Apr 15, 2024

X86_64 CPUs can support Shadow Stack (SHSTK). SHSTK helps to mitigate against Return Oriented Programming (ROP) expoits, as well as others that target a process's call stack.

On linux binaries need to be marked with a note section .note.gnu.property marking support for GNU_PROPERTY_X86_FEATURE_1_SHSTK in order to support SHSTK. I believe Windows also supports SHSTK but have no knowledge of how.

Go should ideally support SHSTK on Linux and add the note section showing it does support it. Provided Go does not change the stack I believe it should be sufficient for Go to mark the binaries it generates.

#66054 is for the other half of Control-flow Enforcement Technology (CET).
@gopherbot gopherbot added the compiler/runtime Issues related to the Go compiler and/or runtime. label Apr 15, 2024
@cherrymui
Copy link
Member

I'm not sure it is simple. Go runtime switches goroutines by switching stacks (changing the value of SP). When the stack switches, the shadow stack may also need to be switched. If we want to support this, we may need to do something similar to what C setjmp/longjmp does.

@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 15, 2024
@cherrymui cherrymui added this to the Unplanned milestone Apr 15, 2024
@loqs
Copy link
Author

loqs commented Apr 15, 2024

@hjl-tools is this of interest to you or you can suggest someone who may be interested in it?

@hjl-tools
Copy link

Just compile the run-time library with -fcf-protection should enable shadow stack if there are no custom context switching functions.

@ianlancetaylor
Copy link
Contributor

@hjl-tools In this case the runtime is written in Go, not C. There is no -fcf-protection option. There are custom context switching functions, written in assembler.

@bjorndm
Copy link

bjorndm commented Apr 16, 2024

SHSTK is a palliative for C and C++ which allow ROP due to their deficient design and allowance for undefined behavior.

If one doesn't use unsafe, then ROP should not be possible in Go. This might negatively affect the performance of Go programs and is another example of how non C programming languages have to pay "C taxes" as it were. This should certainly remain optional.

@cherrymui
Copy link
Member

This should certainly remain optional.

Sure. It should be optional (if we do this).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compiler/runtime Issues related to the Go compiler and/or runtime. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
6 participants
@hjl-tools @ianlancetaylor @bjorndm @loqs @gopherbot @cherrymui