
Compiler attributes for improved security #201

Open
siddhesh opened this issue Jul 11, 2023 · 6 comments

Comments

@siddhesh
Contributor

A number of compiler attributes (e.g. alloc_size, malloc, access, nonnull) provide additional information to the compiler to allow it to (1) detect potentially undefined behaviour and (2) optimize code. These often end up in the win-win category where the compiler is able to improve performance as well as security. I had documented a couple of them in an article in the past in a narrow scope, but there's scope for a more comprehensive document. There are some caveats to their usage though, so it's likely not a matter of simply listing them.

Would a new document describing these attributes and how OSS developers could use them with best effect be a useful addition to this project?
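As an added illustration (not code from this issue or the project) of how the attributes named in the opening comment are applied in practice, here is a small C API using `malloc`, `alloc_size`, `access` and `nonnull`, with `__has_attribute` guards because support varies by compiler and version; the macro and function names are this example's own.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Attribute availability differs between compilers and versions, so each
 * annotation is wrapped in a macro that expands to nothing when unsupported.
 * (The ATTR_* macro names are this example's own, not from the thread.) */
#if defined(__has_attribute)
# if __has_attribute(alloc_size)
#  define ATTR_ALLOC_SIZE(n) __attribute__((alloc_size(n)))
# endif
# if __has_attribute(access)
#  define ATTR_ACCESS(...) __attribute__((access(__VA_ARGS__)))
# endif
#endif
#ifndef ATTR_ALLOC_SIZE
# define ATTR_ALLOC_SIZE(n)
#endif
#ifndef ATTR_ACCESS
# define ATTR_ACCESS(...)
#endif

/* alloc_size(1): the result points to exactly arg-1 bytes, so the compiler
 * can bound later accesses (e.g. for _FORTIFY_SOURCE) and warn on overflows.
 * malloc: the result aliases no other live pointer, enabling optimisations.
 * Caveat: only use these on functions that really return fresh memory. */
__attribute__((malloc)) ATTR_ALLOC_SIZE(1)
void *zeroed_alloc(size_t n) {
    return calloc(n, 1);
}

/* access(write_only, 1, 2): arg 1 is written, its size is arg 2.
 * access(read_only, 3): arg 3 is only read, up to its NUL terminator.
 * nonnull: passing NULL is undefined, so the compiler may warn at the call
 * site but may also delete a NULL check inside this function (caveat).
 * Returns bytes copied (excluding NUL), or -1 when src does not fit; the
 * explicit run-time check is still required, attributes do not replace it. */
__attribute__((nonnull)) ATTR_ACCESS(write_only, 1, 2) ATTR_ACCESS(read_only, 3)
long copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return (long)len;
}
```

With GCC, calling `copy_bounded(buf, sizeof buf, s)` on an undersized `buf` or `copy_bounded(NULL, ...)` produces a compile-time warning thanks to the annotations, while the explicit size check still guards values unknown at compile time.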

@david-a-wheeler
Contributor

The Linux kernel has set up a set of conventions to prevent buffer overwrites in many circumstances; that might be a useful source.

We currently have a project for compiler options, but that's a different thing.

The issue would be that some people would need to dedicate real time for this. If that can be done, I imagine it could be really helpful.

@siddhesh
Contributor Author

I don't want to promise (because this is largely going to be free time work for me and it's summer!) but I can take a stab at it at some point. I just wanted to put this issue out here to (1) get a sense for whether this would be interesting for this WG and (2) remind myself of it later whenever I have some free time to tackle it.

@thomasnyman
Contributor

Fully supporting this! A new document seems to be a sensible approach in my opinion, although there's potentially some overlap with the existing guide too, e.g. this recent RFC for Clang proposes a combination of option flag + annotations.

@david-a-wheeler
Contributor

@siddhesh - could you take a quick stab at a starting document? I think there's general agreement that this is useful, but probably needs to be a separate document. The big difference, as I understand it, is that this involves changes to the source code itself. Feel free to focus on just C (or just C++); I suspect that it may need to be more specific about the language.

I encourage looking at:

@siddhesh
Contributor Author

I can't attend tomorrow's call due to a conflict, but I wanted to share that I've started working on this; here's a preview: siddhesh@fc1dce2

I'll send a PR once I do the due diligence, i.e. figure out minimum compiler versions, etc. and write some detail for each of those attributes with notes on their usage. There may be more attributes to add in there, but that could be done incrementally.

@SecurityCRob
Contributor

Has this been addressed by the C/C++ Compiler Hardening options guide? @gkunz @thomasnyman @david-a-wheeler
