The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
Splitting this off from Dominik Czarnota's extensive feedback in #330.
The -mmitigate-rop option was introduced around GCC 6 and later deprecated in 2018 in favor of control-flow protection.
The idea behind -mmitigate-rop was to avoiding certain opcodes that may inadvertently encode a return instruction in the instruction stream. It did it using two strategies: renaming entire chains of registers, or inserting extra register to register copies if there a free scratch register is available.
Overall benefit of -mmitigare-rop was weak and control-flow protection in modern compilers and hardware offer better (but not complete) protection.
thomasnyman
commented
1 week ago
Splitting this off from Dominik Czarnota's extensive feedback in #330.
The
-mmitigate-ropoption was introduced around GCC 6 and later deprecated in 2018 in favor of control-flow protection.The idea behind
-mmitigate-ropwas to avoiding certain opcodes that may inadvertently encode a return instruction in the instruction stream. It did it using two strategies: renaming entire chains of registers, or inserting extra register to register copies if there a free scratch register is available.Overall benefit of
-mmitigare-ropwas weak and control-flow protection in modern compilers and hardware offer better (but not complete) protection.Resources: