a13xp0p0v / linux-kernel-defence-map

Linux Kernel Defence Map shows the relationships between vulnerability classes, exploitation techniques, bug detection mechanisms, and defence technologies
GNU General Public License v3.0
1.75k stars, 123 forks

Please update CFI_CLANG with kCFI Updates for Forward & Backward Edge #10

Closed wryMitts closed 4 months ago

wryMitts commented 4 months ago

kCFI was merged (6.1?) and is now used by default when selecting CFI_CLANG

https://lwn.net/Articles/893164/

It is fine-grained forward and backward edge:

Page 2:

As a step towards practical and effective kernel-level control-flow integrity for commodity operating systems, in this paper we present kCFI, a fine-grained CFI scheme for the Linux kernel. The proposed approach combines the benefits of a tag-based, fine-grained CFI policy enforcement for both forward and backward edges which offers increased protection compared to coarse-grained CFI,

https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel-wp.pdf
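To make the forward-edge / backward-edge distinction raised above concrete, here is an added userspace model written for this thread; it is not code from the kernel, from Clang's KCFI implementation or from the defence map. The forward-edge half mirrors the tag-based idea: each indirect-call target carries a hash of its prototype, and the call site refuses any target whose hash does not match its own expected prototype. The backward-edge half models a shadow stack that records return addresses at call time and compares them on return. All names (`cfi_target`, `cfi_type_hash`, `shadow_*`, the demo functions) and the use of FNV-1a as the "type hash" are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration for this issue: a userspace model of forward-edge (type-hash)
 * and backward-edge (shadow-stack) CFI checks. Not kernel, Clang or defence-map code;
 * every identifier below is invented for the example. */

typedef uint32_t cfi_hash_t;

/* FNV-1a over a prototype string stands in for the compiler's type hash (assumption). */
static cfi_hash_t cfi_type_hash(const char *prototype)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)prototype; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* An indirect-call target: the hash of its prototype travels with the pointer.
 * In the real scheme the hash sits in a preamble before the function entry. */
struct cfi_target {
    cfi_hash_t type_hash;
    void (*fn)(void);   /* generic function pointer; cast back to the checked type before calling */
};

static struct cfi_target make_target(const char *prototype, void (*fn)(void))
{
    struct cfi_target t = { cfi_type_hash(prototype), fn };
    return t;
}

typedef int (*int_fn_t)(int);
static int add_one(int x) { return x + 1; }
static long wrong_shape(long a, long b) { return a + b; }

/* Forward-edge check at a call site of type `int (int)`: refuse targets whose hash differs.
 * The real check traps; this model returns -1 so the outcome can be inspected. */
static int cfi_call_int_fn(const struct cfi_target *t, int arg, int *out)
{
    if (t->type_hash != cfi_type_hash("int (int)"))
        return -1;
    *out = ((int_fn_t)t->fn)(arg);
    return 0;
}

/* Backward-edge model: return addresses saved at call time are compared on return,
 * so a return address overwritten on the normal stack is detected. */
#define SHADOW_DEPTH 16
static uintptr_t shadow_stack[SHADOW_DEPTH];
static int shadow_top;

static int shadow_push(uintptr_t ret)
{
    if (shadow_top >= SHADOW_DEPTH)
        return -1;
    shadow_stack[shadow_top++] = ret;
    return 0;
}

static int shadow_check_return(uintptr_t ret_from_stack)
{
    if (shadow_top == 0)
        return -1;
    return shadow_stack[--shadow_top] == ret_from_stack ? 0 : -1;
}

/* Scenarios return values instead of printing so they can be checked. */
static int demo_forward_ok(void)
{
    struct cfi_target t = make_target("int (int)", (void (*)(void))add_one);
    int out = 0;
    return cfi_call_int_fn(&t, 41, &out) == 0 ? out : -1;   /* 42 */
}

static int demo_forward_rejected(void)
{
    /* A pointer to a function of the wrong prototype: rejected before it is called. */
    struct cfi_target t = make_target("long (long, long)", (void (*)(void))wrong_shape);
    int out = 0;
    return cfi_call_int_fn(&t, 41, &out);   /* -1: hash mismatch */
}

static int demo_backward_ok(void)
{
    shadow_top = 0;
    shadow_push(0x1000);
    return shadow_check_return(0x1000);     /* 0: return address unchanged */
}

static int demo_backward_rejected(void)
{
    shadow_top = 0;
    shadow_push(0x1000);
    return shadow_check_return(0x1040);     /* -1: return address differs from the saved one */
}

int main(void)
{
    printf("forward ok=%d rejected=%d\n", demo_forward_ok(), demo_forward_rejected());
    printf("backward ok=%d rejected=%d\n", demo_backward_ok(), demo_backward_rejected());
    return 0;
}
```

The point of the split is visible in the two halves: the type-hash check only governs where an indirect call may go (forward edge), and says nothing about where a function returns to; protecting the return path (backward edge) needs a separate mechanism such as the shadow stack modelled here, which is why a forward-edge-only scheme does not by itself earn a link to a "Backward-edge CFI" node.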

a13xp0p0v commented 4 months ago

@wryMitts, thanks for creating this issue.

Please see the commit https://github.com/a13xp0p0v/linux-kernel-defence-map/commit/05916b0d9994f0df60ab0b2556047ee1070d1978.

ARM64: CFI_CLANG is renamed to CFI_CLANG (KCFI).

ARM64 is removed from the name because this feature is supported both for X86_64 and ARM64.

As the documentation says, "KCFI is a proposed forward-edge control-flow integrity scheme for Clang", so I didn't add the link to the "Backward-edge CFI" node.

wryMitts commented 4 months ago

After extended review, it looks like there are two implementations with the name kCFI: one merged, the other never made it into the kernel. Made by two different people. That seems to be why the documentation was confusing. My mistake.