RFC: Memory exploit mitigation #145
Conversation
|
I'm not sure I like the magic integer levels of protection. |
|
What about it specifically? |
|
I would prefer descriptive names rather than integers. |
|
Integer levels symbolize the acceptable cost that varies between platforms for certain measures. I would prefer approximate cost passed as a percentage of slowdown.
|
|
@zwarich: Okay, something like @pczarn: I think users will get annoyed at how rough these approximations are. The actual cost depends a lot on the program you're compiling. |
|
|
||
| The intent is that most users will not use this attribute, and will instead pass the compiler flag `--harden-level <N>`, or `-H` as shorthand for `--harden-level 1`. The meaning of the levels is: | ||
|
|
||
| * `--harden-level 0` — No hardening. We may still incidentally do things that make exploits harder, if they have no undesirable impact. |
There was a problem hiding this comment.
None should be none. If I want to disable any changes to the source from these changes I should be able to.
There was a problem hiding this comment.
I don't really think of it as "changes to the source", since the translation from Rust source to machine code is always very complex. I was more thinking, if there are natural things to do in codegen that would incidentally make exploits harder, we don't need to go out of our way to disable those things at -H0. But I'm not sure what would go in that category, and I do see the appeal of a setting for "make compilation as simple as possible", even if it's still not very simple :)
|
The proposed 0-3 looks similar enough to the well known GCC optimisation levels. None, quick+dont_increase_size, slow+dont_increase_size, maximum. The biggest difference is between the -O2 and -H2 modes, -H2 is closer to -O3 than -O2. Given -O2 is the 'common' optimisation level perhaps it would be better to have something like the following (sorry for the bikeshedding).
I know this adds another level, but it matches much closer to the -O system. I'm not sure -H4 has much use except for experimenting/testing. |
|
You convinced me that levels of hardening are most suitable. Remember that -O4 doesn't exist, it's an alias for -O3. LTO is enabled separately. Let's look for similarities between optimization and protection. Is RELRO sort of a link time hardening? |
|
RELRO makes the GOT read-only after the linker sets up the function pointers, so full RELRO requires using immediate binding. You can use both PIE (for a randomized base) and full RELRO today with |
|
AFAIK PIE is the only reason for using LLVM's |
|
Discussed in https://github.com/rust-lang/meeting-minutes/blob/master/weekly-meetings/2014-08-26.md @kmcallister the feeling right now is that we're kind of uneasy about 'hardening' as an independent concept in Rust, and would basically like to let the requirements bake more. In the meantime, the individual codegen features involved would be considered on their own merits as codegen compiler flags, and don't need RFC's. In other words, let's go ahead and get started on adding the required codegen functionality to the compiler, but not commit to any unifying framework. In the future, we should revisit, and possibly take a more holistic look at how codegen options are managed generally (not just those that relate to hardening). Closing. |
Rendered view.