
Better security features for one. Clang supports SafeStack and Control Flow Integrity. SafeStack is much more performant than gcc's stack protectors, and gcc offers no equivalent of CFI.


So, I'm not familiar with all of the CFI protections available in Clang, but is full CFI actually implemented in Clang?

Especially with C/C++, there are a lot of potential attack vectors that would need to be closed (stack smashing, ROP, vtable corruption). From a layman's perspective, some of these need full memory corruption protection.

Any references would be appreciated. The last time I had to address CFI in C, static analysis (with greater precision than Clang had) was involved.


Clang's CFI implementation is documented here: http://clang.llvm.org/docs/ControlFlowIntegrity.html

It's not a full CFI, but my understanding is that it does completely prevent vtable corruption with ~5% overhead (measured for Chromium).



