Lines Matching +full:well +full:- +full:designed
17 schemes, which are designed to abort the program upon detecting certain forms
22 To enable Clang's available CFI schemes, use the flag ``-fsanitize=cfi``.
23 You can also enable a subset of available :ref:`schemes <cfi-schemes>`.
24 As currently implemented, all schemes rely on link-time optimization (LTO);
25 so it is required to specify ``-flto``, and the linker used must support LTO,
38 The ``-fsanitize=cfi-{vcall,nvcall,derived-cast,unrelated-cast}`` flags
39 require that a ``-fvisibility=`` flag also be specified. This is because the
40 default visibility setting is ``-fvisibility=default``, which would disable
42 to specify ``-fvisibility=hidden``, which enables CFI checks for such classes.
44 Experimental support for :ref:`cross-DSO control flow integrity
45 <cfi-cross-dso>` exists that does not require classes to have hidden LTO
46 visibility. This cross-DSO support has unstable ABI at this time.
50 .. _cfi-schemes:
57 - ``-fsanitize=cfi-cast-strict``: Enables :ref:`strict cast checks
58 <cfi-strictness>`.
59 - ``-fsanitize=cfi-derived-cast``: Base-to-derived cast to the wrong
61 - ``-fsanitize=cfi-unrelated-cast``: Cast from ``void*`` or another
63 - ``-fsanitize=cfi-nvcall``: Non-virtual call via an object whose vptr is of
65 - ``-fsanitize=cfi-vcall``: Virtual call via an object whose vptr is of the
67 - ``-fsanitize=cfi-icall``: Indirect call of a function with wrong dynamic
69 - ``-fsanitize=cfi-mfcall``: Indirect call via a member function pointer with
72 You can use ``-fsanitize=cfi`` to enable all the schemes and use
73 ``-fno-sanitize`` flag to narrow down the set of schemes as desired.
75 ``-fsanitize=cfi -fno-sanitize=cfi-nvcall,cfi-icall``
76 to use all schemes except for non-virtual member function call and indirect call
79 Remember that you have to provide ``-flto`` or ``-flto=thin`` if at
86 flow integrity violation. You can use the :ref:`-fno-sanitize-trap=
87 <controlling-code-generation>` flag to cause CFI to print a diagnostic
90 .. code-block:: console
92 …bad-cast.cpp:109:7: runtime error: control flow integrity check for type 'B' failed during base-to…
98 execution instead of aborting by using the :ref:`-fsanitize-recover=
99 <controlling-code-generation>` flag.
101 Forward-Edge CFI for Virtual Calls
107 This CFI scheme can be enabled on its own using ``-fsanitize=cfi-vcall``.
111 of :ref:`ignored <cfi-ignorelist>` types or types with public :doc:`LTO
112 visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin``
116 -----------
121 virtual-call-heavy SPEC 2006 xalancbmk.
140 ``-fsanitize=cfi-derived-cast``), and bad casts from a pointer of
142 ``-fsanitize=cfi-unrelated-cast``).
146 in itself undefined behavior (it is well defined to cast the pointer back
154 functions may be :ref:`ignored <cfi-ignorelist>`.
158 of :ref:`ignored <cfi-ignorelist>` types or types with public :doc:`LTO
159 visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin``
162 Non-Virtual Member Function Call Checking
165 This scheme checks that non-virtual calls take place using an object of
170 ``-fsanitize=cfi-nvcall``.
174 of :ref:`ignored <cfi-ignorelist>` types or types with public :doc:`LTO
175 visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin``
178 .. _cfi-strictness:
181 ----------
183 If a class has a single non-virtual base and does not introduce or override
193 default. It can be disabled with ``-fsanitize=cfi-cast-strict``.
201 using ``-fsanitize=cfi-icall``.
204 than calls in :ref:`ignored <cfi-ignorelist>` functions, must call a
205 function which was either compiled with ``-fsanitize=cfi-icall`` enabled,
207 ``-fsanitize=cfi-icall``.
209 If a function in a translation unit compiled with ``-fsanitize=cfi-icall``
210 takes the address of a function not compiled with ``-fsanitize=cfi-icall``,
212 unit not compiled with ``-fsanitize=cfi-icall``. This is technically a
215 Each translation unit compiled with ``-fsanitize=cfi-icall`` must be
218 ``-fsanitize=cfi-icall``.
223 ``-fsanitize-cfi-icall-generalize-pointers``
224 --------------------------------------------
226 Mismatched pointer types are a common cause of cfi-icall check failures.
227 Translation units compiled with the ``-fsanitize-cfi-icall-generalize-pointers``
229 applied across all functions compiled with ``-fsanitize=cfi-icall``.
236 ``-fsanitize-cfi-icall-generalize-pointers`` is not compatible with
237 ``-fsanitize-cfi-cross-dso``.
239 .. _cfi-canonical-jump-tables:
241 ``-fsanitize-cfi-canonical-jump-tables``
242 ----------------------------------------
245 the address of each CFI-checked function in the output file's symbol table
248 was not compiled with ``-fsanitize=cfi-icall`` to take a CFI-valid address
250 relevant for users of cross-DSO CFI:
252 - There is a performance and code size overhead associated with each
255 function is never address-taken anywhere in the program, and must be used
258 - There is no good way to take a CFI-valid address of a function written in
260 generator would need to insert a jump table in order to form a CFI-valid
263 possible with LTO in the intra-DSO case, but in the cross-DSO case the only
269 For these reasons, we provide the option of making the jump table non-canonical
270 with the flag ``-fno-sanitize-cfi-canonical-jump-tables``. When the jump
271 table is made non-canonical, symbol table entries point directly to the
277 especially in cross-DSO mode which normally preserves function address
281 ``-fsanitize=cfi-icall`` to take a function address that is valid
283 is taken by assembly code and then called by CFI-checking C code. The
288 ``-fsanitize=cfi-icall`` and ``-fsanitize=function``
289 ----------------------------------------------------
291 This tool is similar to ``-fsanitize=function`` in that both tools check
293 on the design space; ``-fsanitize=function`` is a developer tool designed
294 to find bugs in local development builds, whereas ``-fsanitize=cfi-icall``
295 is a security hardening mechanism designed to be deployed in release builds.
297 ``-fsanitize=function`` has a higher space and time overhead due to a more
298 complex type check at indirect call sites, as well as a need for run-time
300 of the need for RTTI, ``-fsanitize=function`` can only be used with C++
301 programs, whereas ``-fsanitize=cfi-icall`` can protect both C and C++ programs.
303 On the other hand, ``-fsanitize=function`` conforms more closely with the C++
311 ``-fsanitize=kcfi``
312 -------------------
314 This is an alternative indirect call control-flow integrity scheme designed
315 for low-level system software, such as operating system kernels. Unlike
316 ``-fsanitize=cfi-icall``, it doesn't require ``-flto``, won't result in
318 cross-DSO function address equality. These properties make KCFI easier to
319 adopt in low-level software. KCFI is limited to checking only function
320 pointers, and isn't compatible with executable-only memory.
331 ``-fsanitize=cfi-mfcall``.
337 recommended to also pass the flag ``-fcomplete-member-pointers``, which
338 enables a non-conforming language extension that requires member pointer
343 of :ref:`ignored <cfi-ignorelist>` types or types with public :doc:`LTO
344 visibility <LTOVisibility>`, must be compiled with ``-flto`` or ``-flto=thin``
347 This scheme is currently not compatible with cross-DSO CFI or the
350 .. _cfi-ignorelist:
360 .. code-block:: bash
370 [cfi-unrelated-cast]
373 [cfi-vcall|cfi-nvcall|cfi-icall]
377 .. _cfi-cross-dso:
382 Use **-f[no-]sanitize-cfi-cross-dso** to enable the cross-DSO control
385 built with ``-flto`` or ``-flto=thin``.
388 visibility. With this flag enabled, the compiler will emit cross-DSO CFI
400 `Control-Flow Integrity: Principles, Implementations, and Applications <https://research.microsoft.…
403 `Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM <http://www.pcc.me.uk/~peter/acad/usen…