For a simple piece of C code I wanted to setup to run a simple test with all the fancy sanitizing and bug finding tools gcc/clang provide. This seems like exactly the thing you want to do with a CI, yet it was surprisingly challenging. Thread.
Conversation
Replying to
yes. it can find things like function declarations that aren't quite right, see blog.fuzzing-project.org/57-Diving-into also pretty much every chrome security advisory says they found issues with cfi, I believe it's often type confusion stuff.
1
1
1
Replying to
Interesting! I was thinking about runtime checks / sanitizing. Sounds like CFI ramps up compiler and linker warnings or introduces additional checks? Did you try if -Wextra, -Wall, -Wpedantic combined with Werror find these bugs as well?
2
Clang CFI provides runtime checks for indirect calls via function pointers, C++ method pointers or C++ virtual methods. It verifies that the type used by the caller matches the callee. Only functions identified as potentially called indirectly are allowed to be called indirectly.
1
1
It also expands the runtime cast checks for C++. It uses link-time analysis, which is essentially whole program analysis but per executable / shared object. Cross-DSO CFI is supported but compiling as a single executable provides more precision and avoids the cross-DSO slow path.
Here's a nice example where function addresses are taken in assembly so the compiler doesn't see them and prevents indirect calls to these functions when it can perform whole program analysis due to LTO with !CONFIG_MODULES:
github.com/GrapheneOS/ker
1
AOSP uses CFI (and ShadowCallStack) for the Linux kernel on the Pixel 3 / 3 XL / 3a / 3a XL / 4 / 4 XL but it uses dynamic modules to reuse the kernel across multiple devices and improve boot time via async loading. Using !CONFIG_MODULES in GrapheneOS improves the CFI precision.
1
Show replies