OpenBSD Journal

Mandatory enforcement of indirect branch targets

Contributed by rueda on from the targeted-protection dept.

Theo de Raadt (deraadt@) has updated innovations.html to include an item regarding the work which has been done to enforce indirect branch target restriction (on the amd64 [Intel] and arm64 platforms).

The commit message provides some detail:

CVSROOT:	/cvs
Module name:	www
Changes by:	deraadt@cvs.openbsd.org	2023/07/13 08:02:00

Modified files:
	.              : innovations.html 

Log message:
Over the last 6 months we've worked on adding arm64 BTI & Intel IBT support
in the kernels and all userland binaries.  We have been fixing all the
applications along the way. Many developers were involved.
There is an innovative and substantial difference in our approach compared
to how Linux is doing it:
- On OpenBSD, IBT/BTI enforcement is on by default (meaning mandatory),
unless a binary is linked to request opt-out (using -Wl,-z,nobtcfi). After all
our fixes, very few application binaries need that, and that count is expected
to shrink quickly as we (or upstreams) fix the outstanding issues.
- On Linux they are rehashing the same design as their executable-stack mechanism:
if a single .o file in a resulting binary isn't marked as IBT/BTI enforcement,
the system will (silently) execute the program without enforcement and no one
knows this is happening.  So for an issue from around 2001, today Linux binaries
with executable stack exist and work unsafely.  I expect that 20 years from
now Linux binaries without IBT/BTI enforcement will also exist and work unsafely.

For a little background information, see ARM Inc's Reference documentation.

The main commits that enabled the protection were this and this, after extensive testing in snapshots that turned up various problems that needed fixing in developer tools as well as several different applications.
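
The silent downgrade the commit message describes on Linux can be audited by reading the GNU property note that toolchains use to mark IBT/BTI-compatible binaries; the linker ANDs the feature bits across all input objects, so one unmarked .o clears them. The following is an added example, not code from OpenBSD or the original post: it assumes the raw bytes of a little-endian ELF64 `.note.gnu.property` section as input, and the function names and sample notes are constructed for illustration.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
# machine -> (pr_type of *_FEATURE_1_AND, {bit: name}), per the x86-64 / AArch64 ELF ABIs
FEATURE_1_AND = {
    "x86_64": (0xC0000002, {0x1: "IBT", 0x2: "SHSTK"}),
    "aarch64": (0xC0000000, {0x1: "BTI", 0x2: "PAC"}),
}

def _pad(n, align):
    return (n + align - 1) & ~(align - 1)

def cfi_features(section: bytes, machine: str) -> set:
    """Feature names recorded in the raw bytes of .note.gnu.property (ELF64, LE)."""
    want_type, names = FEATURE_1_AND[machine]
    found, off = set(), 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name = section[off + 12:off + 12 + namesz]
        desc_off = off + 12 + _pad(namesz, 4)
        desc = section[desc_off:desc_off + descsz]
        if len(desc) < descsz:
            raise ValueError("truncated note")
        off = desc_off + _pad(descsz, 8)          # ELF64 property notes are 8-byte aligned
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        pos = 0
        while pos + 8 <= len(desc):               # walk the property array
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            data = desc[pos + 8:pos + 8 + pr_datasz]
            pos += 8 + _pad(pr_datasz, 8)
            if pr_type == want_type and len(data) >= 4:
                bits = struct.unpack_from("<I", data)[0]
                found |= {n for b, n in names.items() if bits & b}
    return found

def branch_enforcement_marked(section: bytes, machine: str) -> bool:
    """True only if the linked binary kept the IBT (x86_64) or BTI (aarch64) bit."""
    return ("IBT" if machine == "x86_64" else "BTI") in cfi_features(section, machine)

def sample_note(pr_type: int, bits: int) -> bytes:
    """Constructed sample: one GNU property note holding a single 4-byte bitmask."""
    desc = struct.pack("<III", pr_type, 4, bits) + b"\0" * 4      # data padded to 8
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

if __name__ == "__main__":
    for label, sec in [("all objects marked", sample_note(0xC0000002, 0x3)),
                       ("IBT bit ANDed away", sample_note(0xC0000002, 0x2)),
                       ("no property note", b"")]:
        print(f"{label:20} IBT marked: {branch_enforcement_marked(sec, 'x86_64')}")
```

On a real system the same bits appear in the `Properties:` line of `readelf -n` output.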
