[cfe-dev] How clang compares with gcc on security hardening ?

via cfe-dev cfe-dev at lists.llvm.org
Tue Feb 19 13:47:46 PST 2019


TL;DR: I think "lags significantly" is overstating the case.  The only feature I can identify that Clang doesn't have (wrt the things brought up in that Fedora post) is a real `-fstack-clash-protection` implementation.

I read through that post a couple of times looking for a list, and eventually noticed a reference to
https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
which is probably as close to an actual list of security options as we're going to get (it talks about many different options and doesn't explicitly call out those that are security-related).  Between that reference and other comments in the Fedora issue, the list is probably something like this:

-fstack-protector-strong
Clang has this.

-fcf-protection
Clang has this.

-D_FORTIFY_SOURCE=2
AFAICT, Clang supports what is needed by this.
Being a preprocessor symbol, this is mostly about glibc changes to support protections on various unsafe library calls; those in turn depend on a pile of builtins, which are likely the ones implemented in this GCC patch:
https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
I see a bunch of builtins with these sorts of names in Clang, so if nobody has filed bugs, I suspect this should all work (when using glibc).

-fstack-clash-protection
Clang does not recognize this option. Curiously, I see two patches to add it, but neither of them has been committed. I think there's a reasonable argument that a key security option should not be recognized and ignored.
FTR, the `buildflags.md` documentation says this keeps large stack allocations from skipping over a check of the guard page.

@Sylvestre do you want to file a bug requesting this option?

--paulr

From: cfe-dev [mailto:cfe-dev-bounces at lists.llvm.org] On Behalf Of Sylvestre Ledru via cfe-dev
Sent: Tuesday, February 19, 2019 2:43 PM
To: clang Development List
Subject: [cfe-dev] How clang compares with gcc on security hardening ?


Hello,

Looking at a Fedora thread ( https://pagure.io/fesco/issue/2020 ) about changing the compiler from gcc to clang to build Firefox,
I noticed the following statement:

"Clang lags significantly behind GCC on security hardening"

Some of the arguments or missing features are discussed here:

https://pagure.io/fesco/issue/2020#comment-546825 and other answers
https://pagure.io/fesco/issue/2020#comment-545776

I am wondering if these statements are accurate and if they are enough of a worry?

Thanks,
Sylvestre
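
One way to check the flags listed in this thread against a given compiler, as an added example that is not part of the original messages. It assumes a GCC-compatible driver (`-x c`, `-S`, `-o -`, `-Werror`); the function names are hypothetical. A flag is reported as `warns` when it compiles only while warnings are not fatal, which is how a driver typically signals an option it accepts but does not use.

```sh
#!/bin/sh
# Added example: probe how a compiler driver treats the hardening flags
# discussed in this thread. Function names here are hypothetical.
# Assumes a GCC-compatible driver that understands -x c, -S, -o - and -Werror.

HARDENING_FLAGS="-fstack-protector-strong -fcf-protection -D_FORTIFY_SOURCE=2 -fstack-clash-protection"

# try_compile CC [FLAGS...]: compile a trivial program from stdin to assembly
# on stdout (discarded); the exit status is the compiler's.
try_compile() {
    tc_cc=$1; shift
    printf 'int main(void) { return 0; }\n' |
        "$tc_cc" -x c -O2 "$@" -S -o - - >/dev/null 2>&1
}

# probe_flag CC FLAG: print one of
#   accepted  compiles cleanly even with -Werror
#   warns     compiles, but only while warnings are not fatal
#   rejected  does not compile with the flag at all
probe_flag() {
    if ! try_compile "$1" "$2"; then
        echo rejected
    elif ! try_compile "$1" -Werror "$2"; then
        echo warns
    else
        echo accepted
    fi
}

# report_flags CC: one "flag: result" line per flag in HARDENING_FLAGS.
report_flags() {
    if ! try_compile "$1"; then
        echo "cannot compile a test program with '$1'" >&2
        return 0
    fi
    for rf_flag in $HARDENING_FLAGS; do
        printf '%s: %s\n' "$rf_flag" "$(probe_flag "$1" "$rf_flag")"
    done
}

# A -D option is accepted by any compiler; whether _FORTIFY_SOURCE has an
# effect depends on the C library headers and builtins, which this does not test.
report_flags "${CC:-cc}"
```

Run it as `CC=clang sh probe.sh` and again with `CC=gcc` to compare the two drivers; for any `warns` result, rerun that compile by hand to read the diagnostic.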

