They give their customers the source code. If they want to publish it they're legally allowed to do it. It's not as helpful as it seems to get a leaked copy of a massive patch, especially when most upstream work is based on Clang and the most interesting pieces are GCC plugins.
Conversation
You could give upstream the latest release of RAP but it wouldn't mean they would understand it and be able to maintain it. It can't simply be merged with no one developing / maintaining it. That is essentially what they did with a few plugins but they're much smaller/simpler.
2
RAP was publicly available including the deterministic hash-based forward and backward edge protection. It doesn't really seem like anyone else learned anything from it. The state of the art elsewhere is the much slower Clang CFI which leaves backward edge CFI to something else.
1
The backward edge protection is SafeStack, which has issues. There's ways around SafeStack and it's in an incomplete state. It doesn't protect shared objects, only application code.
I've done some work in hbsd to get shared object support working, but my priorities keep shifting
1
The shared object support needs tight integration with both the RTLD and libc, in somewhat similar fashion as SSP, but a bit more complex.
If I remember correctly, setjmp/longjmp is still an issue with SafeStack.
1
SafeStack wasn't really meant to be used with Clang CFI. It was meant to be used as part of a broader CPI feature which was never finished or landed.
Android started adopting SafeStack including shared object support. It was dropped and it now uses ShadowCallStack instead.
2
1
SafeStack has serious issues with leaks since it uses the main thread stack as the main safe stack but there are assorted pointers to data libc places in it.
Android uses cross-DSO CFI and ShadowCallStack for both the kernel and userspace. ShadowCallStack is arm64 only though.
2
1
Yeah, that's why we still use SafeStack for applications in HardenedBSD base. Eventually, we'll work on migrating away from SafeStack to something better.
I'm working on Cross-DSO CFI support in HardenedBSD. We'll get there eventually.
2
2
The problem I face with working on Cross-DSO CFI: it requires large chunks of consecutive time sitting in my chair doing R&D. With large responsibilities at ${DAYJOB}, a family, and ${HEALTH_ISSUES}, it's growing more and more difficult for me to make tangible progress.
1
Another problem is that we build over 30,000 packages. Building libc with CFI breaks a freakton of things.
And reading llvm CFI's source, it appears it wasn't really designed to support applying CFI to libc.
2
libc needs to do manual protection for setjmp, assorted function pointers (atexit, at_quick_exit, pthread_atfork, TLS destructors, etc.), the linker, etc. GrapheneOS helped with getting a lot of it landed in Bionic and we apply our own hardening on top but it's hard to maintain.
Bionic makes an attempt to keep a lot of linker data read-only when not loading libraries, has read-only-after-init data in addition to RELRO and partially inherits memory protection for atexit, etc. from OpenBSD. It's really not finished and isn't a consistent approach though.
2
2
For example they didn't extend that memory protection to at_quick_exit, pthread_atfork and TLS destructors so we have to do it downstream. They did a better job with protecting setjmp than glibc and did some other things quite well too. Main issue is not having full CFI coverage.
2