airbus-seclab / c-compiler-security

Security-related flags and options for C compilers
https://airbus-seclab.github.io/c-compiler-security/
Creative Commons Attribution Share Alike 4.0 International

Control Flow Integrity and Shadow Stack? #23

Open hiowaguy opened 1 year ago

hiowaguy commented 1 year ago

Currently, for the GCC 12 and Clang 11 TL;DR, I don't see the control flow integrity flag mentioned on the detailed page... is this because it is Intel specific? -fcf-protection=full

In some other references, I see recommendations to enable the following flag for Intel x86 as well: -mshstk

trou commented 1 year ago

Hello, I was not fully sure of the impact and limitations of CFI so I chose not to add it directly on the tl;dr.

-mshstk is confusing:

mshstk
Target Mask(ISA_SHSTK) Var(ix86_isa_flags) Save
Enable shadow stack built-in functions from Control-flow Enforcement
Technology (CET).
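
Added example, not part of the comments above and not code from the c-compiler-security project: a small C probe that separates the three things discussed here, namely what `-fcf-protection` asked the compiler to instrument (the `__CET__` macro), whether `-mshstk` exposed the shadow stack built-ins (the `__SHSTK__` macro), and whether a shadow stack is actually active in the running process. It assumes GCC 8 or later, or Clang, on x86; the function names are hypothetical.

```c
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <immintrin.h>   /* pulls in cetintrin.h, which provides _get_ssp() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* -fcf-protection=[branch|return|full] defines __CET__:
   bit 0 = indirect branch tracking, bit 1 = shadow stack. */
int cet_codegen_mask(void)
{
#ifdef __CET__
    return __CET__;
#else
    return 0;
#endif
}

/* -mshstk defines __SHSTK__ and makes the CET built-ins usable file-wide. */
int shstk_builtins_flag(void)
{
#ifdef __SHSTK__
    return 1;
#else
    return 0;
#endif
}

#if HAVE_X86
/* The target attribute enables the built-in for this one function,
   so the probe compiles with or without -mshstk. */
__attribute__((target("shstk")))
unsigned long long shadow_stack_pointer(void)
{
    return (unsigned long long)_get_ssp();  /* 0 when no shadow stack is active */
}
#else
unsigned long long shadow_stack_pointer(void) { return 0; }
#endif

int main(void)
{
    int m = cet_codegen_mask();
    printf("__CET__ mask        : %d (IBT=%d, SHSTK=%d)\n", m, m & 1, (m >> 1) & 1);
    printf("__SHSTK__ (-mshstk) : %d\n", shstk_builtins_flag());
    printf("shadow stack active : %s\n", shadow_stack_pointer() ? "yes" : "no");
    return 0;
}
```

Building it once with `-fcf-protection=full` and once with `-mshstk` shows that the two flags move different macros, and that neither one alone makes the runtime line report "yes".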