[tor-bugs] #20361 [Applications/Tor Browser]: Investigate CFI means for usage in Tor Browser
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jul 9 05:48:05 UTC 2017
#20361: Investigate CFI means for usage in Tor Browser
----------------------------------------+--------------------------
 Reporter:  gk                          |          Owner:  tbb-team
     Type:  task                        |         Status:  new
 Priority:  Medium                      |      Milestone:
Component:  Applications/Tor Browser    |        Version:
 Severity:  Normal                      |     Resolution:
 Keywords:  tbb-security, tbb-hardened  |  Actual Points:
Parent ID:                              |         Points:
 Reviewer:                              |        Sponsor:
----------------------------------------+--------------------------
Comment (by cypherpunks):

It's important to understand that Clang CFI requires LTO support, which
itself is a security issue, making latent undefined behavior exploitable.
UBSan only catches a small subset of these, so the issues caused by full
LTO support are not mitigated by the sanitizer. However, it can be
mitigated by setting the O2 optimization for the compiler, but only O1 for
the linker. This disables the unsafe LTO optimizations which the linker
would otherwise use, while still being sufficient for CFI to function.
Keeping the compiler at O2 will ensure that there won't be performance
hits.

It would be possible to modify the compiler itself or provide it with a
plugin to change the order of various passes, which would have the same
effect. I believe the private PaX RAP plugin does this.

This is information I found out from multiple IRC discussions and looking
into the workings of Clang CFI. If necessary, I can post the relevant
logs.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20361#comment:6>
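The build split the comment above proposes (per-translation-unit codegen at O2, the LTO link step at O1) can be expressed as compiler and linker flags. The Makefile fragment below is an added example written for this page; it is not from the ticket, from cypherpunks, or from the Tor Browser build system. It assumes clang and lld are on PATH and that `cfi_demo.c` is a hypothetical source file; the CFI flags (`-flto -fvisibility=hidden -fsanitize=cfi`) are Clang's documented requirements, and `--lto-O1` is lld's option for the LTO pipeline's optimization level (gold takes `-plugin-opt=O1` instead). Both variants are built side by side so the effect of the link-time level can be compared.

```makefile
# Added example, not from the ticket or the Tor Browser build system.
# Assumes clang + lld on PATH; cfi_demo.c is a hypothetical source file.
CC  := clang
SRC := cfi_demo.c
OUT := cfi_demo

# Clang CFI needs LTO and hidden visibility so the type-test jump tables
# can be built across the whole program; lld is the usual LTO-aware linker.
CFI_FLAGS := -flto -fvisibility=hidden -fsanitize=cfi

# While evaluating, report violations instead of trapping silently.
# (Drop these two flags for a production build, which should trap.)
CFI_DIAG := -fno-sanitize-trap=cfi -fsanitize-recover=cfi

# Variant A: ordinary full LTO, same optimization level for compile and link.
A_CFLAGS  := -O2 $(CFI_FLAGS)
A_LDFLAGS := -O2 -fuse-ld=lld $(CFI_FLAGS)

# Variant B: the split suggested in the comment: O2 for per-TU codegen,
# O1 for the LTO link. -O1 on the link command sets the driver's default;
# -Wl,--lto-O1 states the lld level explicitly (gold: -Wl,-plugin-opt=O1).
B_CFLAGS  := -O2 $(CFI_FLAGS)
B_LDFLAGS := -O1 -fuse-ld=lld $(CFI_FLAGS) -Wl,--lto-O1

.PHONY: all check clean
all: $(OUT)-full-lto $(OUT)-lto-O1

$(OUT)-full-lto: $(SRC)
	$(CC) $(A_CFLAGS) $(CFI_DIAG) -c $< -o $@.o
	$(CC) $(A_LDFLAGS) $(CFI_DIAG) $@.o -o $@

$(OUT)-lto-O1: $(SRC)
	$(CC) $(B_CFLAGS) $(CFI_DIAG) -c $< -o $@.o
	$(CC) $(B_LDFLAGS) $(CFI_DIAG) $@.o -o $@

# Sanity check that CFI instrumentation actually survived the link:
# LLVM's LowerTypeTests pass renames each checked function to NAME.cfi and
# points NAME at a jump-table entry, so an unstripped CFI binary shows
# .cfi-suffixed symbols. A count of zero means CFI was silently dropped.
check: all
	@for b in $(OUT)-full-lto $(OUT)-lto-O1; do \
	  n=$$(nm $$b | grep -c '\.cfi$$'); \
	  echo "$$b: $$n CFI-renamed functions"; \
	  [ "$$n" -gt 0 ] || { echo "no CFI instrumentation in $$b" >&2; exit 1; }; \
	done

clean:
	rm -f $(OUT)-full-lto $(OUT)-lto-O1 *.o
```

The `check` target is the caveat a practitioner wants here: since CFI depends on the LTO link, a link line that loses `-flto`, `-fsanitize=cfi`, or the LTO-capable linker produces a binary that builds and runs normally but has no CFI at all, and only inspecting the output catches that. The `-O1` link level in variant B changes which LTO passes run; it is not itself a CFI setting, and whether it removes the optimizations the comment is worried about is something to verify against the specific LLVM version in the toolchain.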