Enables Conditional Compiler Protections

[thanasisk]

The following PR addresses the matter of Compiler Binary Protections. Specifically:

• enables LTO if available. While this is not a protection by itself, it is useful and/or necessary for the protections outlined below.
• enables FORTIFY_SOURCE with a level of 2 - this requires GNU libc to be effective
• enables CFI on clang - CFI requires LTO

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[mkindahl]

One comment, will check more tomorrow.

[mkindahl]

Can this ever fail? Since you're just setting the _FORTIFY_SOURCE preprocessor symbol, it should not be possible for this to fail since the flag is always accepted for C compilers.

You probably need to construct a small program that should generate warning, compile it, and set this flag if the program emits a warning. Something like this:

Suggested change

	# if we are building on a GLIBC environment, FORTIFY is available
	check_c_compiler_flag(-D_FORTIFY_SOURCE CC_SUPPORTS_FORTIFY)
	include(CheckCSourceCompiles)
	set(CMAKE_REQUIRED_FLAGS -Werror)
	set(CMAKE_REQUIRED_DEFINITIONS -D_FORTIFY_SOURCE)
	# If this build succeeds, _FORTIFY_SOURCE is not available
	check_c_source_compiles("
	#include <string.h>
	int main() {
	char buffer[8];
	strcpy(buffer, \"hello world\");
	}
	" FORTIFY_NOT_AVAILABLE)

[mkindahl]

Final comments.

[mkindahl]

When using CLang it does not have any -CFI option. I see the following options though:

mats@fury:~$ clang --help | grep cfi
  -fno-sanitize-cfi-canonical-jump-tables
  -fno-sanitize-cfi-cross-dso
  -fsanitize-cfi-canonical-jump-tables
  -fsanitize-cfi-cross-dso
  -fsanitize-cfi-icall-generalize-pointers
  -mlvi-cfi               Enable only control-flow mitigations for Load Value Injection (LVI)
  -mno-lvi-cfi            Disable control-flow mitigations for Load Value Injection (LVI)

[mkindahl]

I think you need the flag -fvisibility=hidden here as well for this to compile. I get an error when trying:

mats@fury:~/lang/cc/examples$ clang -flto -fsanitize=cfi struct.c 
clang: error: invalid argument '-fsanitize=cfi' only allowed with '-fvisibility='
mats@fury:~/lang/cc/examples$ clang -flto -fvisibility=hidden -fsanitize=cfi struct.c 
mats@fury:~/lang/cc/examples$ 

[thanasisk]

@mkindahl which platform you compiled on? Fedora 39/gcc/x86_64 was not able to reproduce

[mkindahl]

I am using Ubuntu 22.04 LTS.

mats@fury:~/lang/cc/examples$ lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy
mats@fury:~/lang/cc/examples$ clang --version
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

[mkindahl]

I think you can be pretty sure that if the -fsanitize=cfi works, -flto will work as well, so no need to check this separately unless you want to provide a very specific error message saying what is wrong (and you do not have such a message here).

To enable Clang’s available CFI schemes, use the flag -fsanitize=cfi. You can also enable a subset of available schemes. As currently implemented, all schemes rely on link-time optimization (LTO); so it is required to specify -flto, and the linker used must support LTO, for example via the gold plugin.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.97%. Comparing base (59f50f2) to head (f914add).
Report is 73 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6743      +/-   ##
==========================================
+ Coverage   80.06%   80.97%   +0.90%     
==========================================
  Files         190      191       +1     
  Lines       37181    36422     -759     
  Branches     9450     9463      +13     
==========================================
- Hits        29770    29493     -277     
- Misses       2997     3157     +160     
+ Partials     4414     3772     -642     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mkindahl]

The "Check CMake Files" check fails for this PR. You probably want to run make format in the build directory to format all CMake files.