p...@chromium.org, kra...@chromium.org
The runtime cost is small, less than 1% of CPU. It increases the size of the release Chrome binary by 7%-9%, and it requires an LTO (Link-Time Optimization) build, which slows down the linker by 3x-4x.
Potentially, it could increase the number of crashes of the browser, in case, if there's an existing condition when a bad cast happens, or there's a virtual call to already destroyed object. These are bugs, which must be fixed, and we believe we have reached the stage, where the only open bugs we have are regressions.
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
From a infra/resource perspective, the main waterfall/cq trybots doesn't have enough resources to run with CFI on everywhere due to the 3-4x linker slowdown.
On Fri, Oct 9, 2015 at 3:43 PM, Ryan Tseng <hin...@chromium.org> wrote:From a infra/resource perspective, the main waterfall/cq trybots doesn't have enough resources to run with CFI on everywhere due to the 3-4x linker slowdown.It does not have to. We don't plan to enable CFI for dev builds. Only official builds are affected, and that's a small fractions of all buildbots, if I understand correctly.
Hi all,Contact emailsp...@chromium.org, kra...@chromium.org
Summary
Control Flow Integrity (aka CFI) is a set of schemes, which are designed to abort the program upon detecting certain forms of undefined behavior that can potentially allow attackers to subvert the program’s control flow. For example, it includes strict bad casts checking, and virtual calls checking. See more:
CFI is already enabled on a Chromium.FYI buildbot, and on ClusterFuzz. At this moment, Chrome is known to be bad-casts free (minus a very recent regression, which should be fixed today, https://crbug.com/541708).We would like to enable this defense mechanism for the official Chrome build on Linux, as it would make writing exploits a bit harder.
Thank you for sending this intent!On Fri, Oct 9, 2015 at 3:22 PM, Ivan Krasin <kra...@chromium.org> wrote:Hi all,Contact emailsp...@chromium.org, kra...@chromium.org
Summary
Control Flow Integrity (aka CFI) is a set of schemes, which are designed to abort the program upon detecting certain forms of undefined behavior that can potentially allow attackers to subvert the program’s control flow. For example, it includes strict bad casts checking, and virtual calls checking. See more:This says "Note that this scheme has not yet been optimized for binary size; an increase of up to 15% has been observed for Chromium." – is work in that area planned? For linux this isn't a blocker, but if you want to launch this on other platforms that are more sensitive to binary size (Android; probably Windows) the size overhead seems like a potential risk.Since there are other security-related protections that we want to enable that cost binary size (and that are independent of each other in against what they protect form what I understand – e.g. https://code.google.com/p/chromium/issues/detail?id=533294#c9): Are there any guidelines for what the bar for turning on a mitigation technique should be?
CFI is already enabled on a Chromium.FYI buildbot, and on ClusterFuzz. At this moment, Chrome is known to be bad-casts free (minus a very recent regression, which should be fixed today, https://crbug.com/541708).We would like to enable this defense mechanism for the official Chrome build on Linux, as it would make writing exploits a bit harder.Is it possible to quantify "a bit"? Do you have a rough idea what percentage of exploits this affects?(I'm only asking out of curiosity, I don't have concerns about launching this for linux.)
This says "Note that this scheme has not yet been optimized for binary size; an increase of up to 15% has been observed for Chromium." – is work in that area planned? For linux this isn't a blocker, but if you want to launch this on other platforms that are more sensitive to binary size (Android; probably Windows) the size overhead seems like a potential risk.
--
Thank you for sending this intent!On Fri, Oct 9, 2015 at 3:22 PM, Ivan Krasin <kra...@chromium.org> wrote:Hi all,Contact emailsp...@chromium.org, kra...@chromium.org
Summary
Control Flow Integrity (aka CFI) is a set of schemes, which are designed to abort the program upon detecting certain forms of undefined behavior that can potentially allow attackers to subvert the program’s control flow. For example, it includes strict bad casts checking, and virtual calls checking. See more:This says "Note that this scheme has not yet been optimized for binary size; an increase of up to 15% has been observed for Chromium." – is work in that area planned? For linux this isn't a blocker, but if you want to launch this on other platforms that are more sensitive to binary size (Android; probably Windows) the size overhead seems like a potential risk.
Since there are other security-related protections that we want to enable that cost binary size (and that are independent of each other in against what they protect form what I understand – e.g. https://code.google.com/p/chromium/issues/detail?id=533294#c9): Are there any guidelines for what the bar for turning on a mitigation technique should be?CFI is already enabled on a Chromium.FYI buildbot, and on ClusterFuzz. At this moment, Chrome is known to be bad-casts free (minus a very recent regression, which should be fixed today, https://crbug.com/541708).We would like to enable this defense mechanism for the official Chrome build on Linux, as it would make writing exploits a bit harder.Is it possible to quantify "a bit"? Do you have a rough idea what percentage of exploits this affects?(I'm only asking out of curiosity, I don't have concerns about launching this for linux.)