Open douglasism opened 4 years ago
@douglasism thanks for raising this, it does look very interesting. Unfortunately it's also not (yet) available in a clang release, only in development versions, so I'll look at enabling it optionally in cmake.
Update: some CFI checks are available in clang-9, and we will upgrade as soon as it is possible to do so, which is as soon as Open Enclave releases with an upgraded and compatible libcxx.
We expect OpenEnclave 0.16 to include a libcxx compatible with clang-10, enabling us to upgrade and enable control flow guard.
Description
This is related to https://github.com/openenclave/openenclave/issues/2278.
For defense in depth, CCF should be built with control flow integrity (CFI) enabled. (The MSVC equivalent is referred to as Control Flow Guard.)
This option causes the compiler to analyze the valid targets of indirect calls at compile time, and then to insert code that verifies each target at runtime before the call is made.
Doing so may affect performance. The compiler switch should be on globally and, if necessary, turned off locally for specific code blocks.
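As an added illustration (not CCF's own build code), the following CMake fragment shows what "on globally, off locally" looks like with clang's CFI: an opt-in switch that applies the sanitizer to every target, and a per-target exemption for the indirect-call check. The target names `app` and `legacy_ffi` are hypothetical, and `add_link_options` assumes CMake 3.13 or newer.

```cmake
# Opt-in switch so the CFI build can be enabled without affecting the default build.
option(ENABLE_CFI "Build with clang control flow integrity (-fsanitize=cfi)" OFF)

if(ENABLE_CFI)
  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
    message(FATAL_ERROR "ENABLE_CFI requires clang: -fsanitize=cfi is an LLVM feature")
  endif()
  # CFI needs LTO so the compiler can see every indirect call target, and hidden
  # visibility so that symbols outside the link unit are not assumed to be valid targets.
  set(CFI_FLAGS -fsanitize=cfi -flto -fvisibility=hidden)
  add_compile_options(${CFI_FLAGS})
  add_link_options(${CFI_FLAGS})
endif()

# Hypothetical targets: the main binary keeps every CFI check, while a library that
# calls through foreign function pointers drops only the indirect-call check
# (-fno-sanitize=cfi-icall) instead of losing CFI altogether.
add_executable(app main.cpp)
add_library(legacy_ffi legacy.c)
if(ENABLE_CFI)
  target_compile_options(legacy_ffi PRIVATE -fno-sanitize=cfi-icall)
endif()
```

For a single function rather than a whole target, clang also accepts `__attribute__((no_sanitize("cfi")))` on the function definition, which keeps the exemption next to the code that needs it.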
Reference
https://clang.llvm.org/docs/ControlFlowIntegrity.html
https://docs.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard?view=vs-2019