linux-hardening.vger.kernel.org archive mirror
* Progress on Bounds Checking in C and the Linux Kernel
@ 2023-05-16 20:29 Kees Cook
From: Kees Cook @ 2023-05-16 20:29 UTC (permalink / raw)
  To: linux-hardening; +Cc: Gustavo A. R. Silva

Hi!

I just wanted to share links to the presentation Gustavo and I gave at
last week's Linux Security Summit. Repeating the abstract here, just so
you don't have to click through if you don't want to:


Linux, like all C code, regularly suffers from heap buffer overflow
flaws. Especially frustrating is that the compiler usually has enough
context to have been able to stop the overflow but has been hampered by
needing to support legacy coding styles, ambiguous language definitions,
and fragile APIs. This has forced the compiler to frequently ignore the
intent of programmers in an effort to support sloppy code patterns that
may not exist in a project at all.

The history of the C language specification's "flex array member" (FAM)
is long and twisty, and technical debt exists due to ambiguous
implementations. With the introduction of -fstrict-flex-arrays, C can
now unambiguously declare array sizes. In the kernel we can build on
this, by transforming trailing zero-length and one-element arrays into
modern C99 FAMs, adding the use of __builtin_dynamic_object_size(),
applying it to defenses like FORTIFY_SOURCE, and expanding where the
compiler can use this knowledge internally for improving existing
sanitizers. Finally, adding a new struct member attribute, we can expand
object size tracking to cover all array types, freeing Linux from this
persistent class of buffer overflow flaws.


Summary: https://lssna2023.sched.com/event/34dfdb61ccf86035c031b5bf2173765a
Slides:  https://outflux.net/slides/2023/lss-na/bounds-checking.pdf

I haven't seen any video published yet, but if that shows up soon, I'll
reply to this thread with a link.

Enjoy! :)

-Kees

-- 
Kees Cook
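As an added illustration (not code from the talk, the slides or the kernel), the pattern the abstract describes in plain C: a C99 flexible array member in place of a legacy trailing one-element array, a struct_size()-style saturating size helper, a bounds check against the tracked count, and a query of what __builtin_dynamic_object_size() can see for that array. The struct and helper names are this example's own, and the counted_by member attribute is applied under a feature guard only where the compiler supports it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* C99 flexible array member, replacing a legacy "data[1]" or "data[0]" trailing
 * array whose sizeof() is off by one element and whose bound the compiler could
 * not trust. The counted_by attribute (GCC 15+/Clang 18+) ties the bound to
 * 'len'; the guard keeps the example building on compilers without it. */
#ifdef __has_attribute
#  if __has_attribute(counted_by)
#    define COUNTED_BY(f) __attribute__((counted_by(f)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(f)
#endif
struct msg { uint32_t len; uint8_t data[] COUNTED_BY(len); };

/* Like the kernel's struct_size(): header + n elements, saturating to
 * SIZE_MAX on overflow so a wrapped size never reaches the allocator. */
static size_t msg_size(size_t n)
{
    size_t bytes;
    if (__builtin_mul_overflow(n, sizeof(uint8_t), &bytes) ||
        __builtin_add_overflow(bytes, sizeof(struct msg), &bytes))
        return SIZE_MAX;
    return bytes;
}

static struct msg *msg_alloc(uint32_t n)
{
    struct msg *m = calloc(1, msg_size(n));
    if (m) m->len = n;
    return m;
}

/* Bounds-checked write; off + n is widened so the check itself cannot wrap. */
static int msg_write(struct msg *m, uint32_t off, const uint8_t *src, uint32_t n)
{
    if ((uint64_t)off + n > m->len) return -1;
    memcpy(m->data + off, src, n);
    return 0;
}

/* The compiler's view of the bytes left in m->data: the tracked bound when it
 * can see one (visible allocation or counted_by), otherwise (size_t)-1. */
static size_t msg_data_bytes_seen(struct msg *m)
{
#ifdef __has_builtin
#  if __has_builtin(__builtin_dynamic_object_size)
    return __builtin_dynamic_object_size(m->data, 1);
#  endif
#endif
    return __builtin_object_size(m->data, 1);
}
```

Whether msg_data_bytes_seen() returns the real 16 bytes or "unknown" depends on the optimization level and compiler version, which is exactly the gap the -fstrict-flex-arrays and counted_by work is meant to close.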


* Re: Progress on Bounds Checking in C and the Linux Kernel
From: Gustavo A. R. Silva @ 2023-05-25 18:40 UTC (permalink / raw)
  To: Kees Cook; +Cc: linux-hardening

On Tue, May 16, 2023 at 01:29:28PM -0700, Kees Cook wrote:
> Hi!
> 
> I just wanted to share links to the presentation Gustavo and I gave at
> last week's Linux Security Summit. Repeating the abstract here, just so
> you don't have to click through if you don't want to:
> 
> 
> Linux, like all C code, regularly suffers from heap buffer overflow
> flaws. Especially frustrating is that the compiler usually has enough
> context to have been able to stop the overflow but has been hampered by
> needing to support legacy coding styles, ambiguous language definitions,
> and fragile APIs. This has forced the compiler to frequently ignore the
> intent of programmers in an effort to support sloppy code patterns that
> may not exist in a project at all.
> 
> The history of the C language specification's "flex array member" (FAM)
> is long and twisty, and technical debt exists due to ambiguous
> implementations. With the introduction of -fstrict-flex-arrays, C can
> now unambiguously declare array sizes. In the kernel we can build on
> this, by transforming trailing zero-length and one-element arrays into
> modern C99 FAMs, adding the use of __builtin_dynamic_object_size(),
> applying it to defenses like FORTIFY_SOURCE, and expanding where the
> compiler can use this knowledge internally for improving existing
> sanitizers. Finally, adding a new struct member attribute, we can expand
> object size tracking to cover all array types, freeing Linux from this
> persistent class of buffer overflow flaws.
> 
> 
> Summary: https://lssna2023.sched.com/event/34dfdb61ccf86035c031b5bf2173765a
> Slides:  https://outflux.net/slides/2023/lss-na/bounds-checking.pdf
> 
> I haven't seen any video published yet, but if that shows up soon, I'll
> reply to this thread with a link.

The video is finally out: https://www.youtube.com/watch?v=V2kzptQG5_A

Thanks
--
Gustavo

