Contributed by rueda on from the targeted-protection dept.
Theo de Raadt (deraadt@) has updated innovations.html to include an item regarding the work which has been done to enforce indirect branch target restriction (on the amd64 [Intel] and arm64 platforms).
The commit message provides some detail:
CVSROOT:        /cvs
Module name:    www
Changes by:     deraadt@cvs.openbsd.org    2023/07/13 08:02:00

Modified files:
        .              : innovations.html

Log message:
Over the last 6 months we've worked on adding arm64 BTI & Intel IBT support in the kernels and all userland binaries. We have been fixing all the applications along the way. Many developers were involved.

There is an innovative and substantial difference in our approach compared to how Linux is doing it:

- On OpenBSD, IBT/BTI enforcement is on by default (meaning mandatory), unless a binary is linked to request opt-out (using -Wl,-z,nobtcfi). After all our fixes, very few application binaries need that, and that count is expected to shrink quickly as we (or upstreams) fix the outstanding issues.

- On Linux they are rehashing the same design as their executable-stack mechanism: if a single .o file in a resulting binary isn't marked as IBT/BTI enforcement, the system will (silently) execute the program without enforcement and no one knows this is happening. So for an issue from around 2001, today Linux binaries with executable stack exist and work unsafely. I expect that 20 years from now Linux binaries without IBT/BTI enforcement will also exist and work unsafely.
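The two policies in the commit message boil down to two different things an auditor has to look for in a binary. Under the Linux model the feature is on only if the linker emitted a GNU property note (.note.gnu.property, type NT_GNU_PROPERTY_TYPE_0) whose FEATURE_1_AND entry has the IBT bit (x86-64) or BTI bit (AArch64) set; under the OpenBSD model the feature is on unless the binary carries the opt-out program header that -Wl,-z,nobtcfi produces. The following Python script is an added example written for this post, not code from OpenBSD or from the commit; it parses a little-endian ELF64 image, reports both markings, and states what each policy would do with the file. The PT_OPENBSD_NOBTCFI value (0x65a3dbe8) is taken from my recollection of OpenBSD's sys/exec_elf.h and should be checked against your headers; the sample ELF images it builds are constructed in-line so the script runs offline.

```python
"""Report indirect-branch CFI markings (Intel IBT / arm64 BTI) in an ELF64 file.

Added example, not part of the original post or of OpenBSD.  Constants marked
'assumed' are from memory of the relevant headers; verify before relying on them.
"""
import struct
import sys

PT_NOTE = 4
PT_OPENBSD_NOBTCFI = 0x65a3dbe8          # assumed: OpenBSD opt-out segment from -Wl,-z,nobtcfi
EM_X86_64, EM_AARCH64 = 62, 183
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_1_IBT_OR_BTI = 1 << 0            # bit 0 is IBT on x86-64 and BTI on AArch64


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def _gnu_property_feature_bits(desc, machine):
    """Return the FEATURE_1_AND mask for this machine from a property note's desc, else 0."""
    want = (GNU_PROPERTY_X86_FEATURE_1_AND if machine == EM_X86_64
            else GNU_PROPERTY_AARCH64_FEATURE_1_AND)
    off = 0
    while off + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        if pr_type == want and pr_datasz == 4:
            return struct.unpack_from("<I", desc, off + 8)[0]
        off += 8 + _align(pr_datasz, 8)  # ELF64 property entries are padded to 8 bytes
    return 0


def _scan_notes(notes, machine):
    """Walk a PT_NOTE segment and OR together any GNU property feature bits found."""
    bits, off = 0, 0
    while off + 12 <= len(notes):
        namesz, descsz, n_type = struct.unpack_from("<III", notes, off)
        name = notes[off + 12:off + 12 + namesz]
        desc_off = off + 12 + _align(namesz, 4)
        desc = notes[desc_off:desc_off + descsz]
        if name == b"GNU\x00" and n_type == NT_GNU_PROPERTY_TYPE_0:
            bits |= _gnu_property_feature_bits(desc, machine)
        off = desc_off + _align(descsz, 4)
    return bits


def elf_cfi_status(data):
    """Return the IBT/BTI markings of a little-endian ELF64 image and the policy outcome."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    machine = struct.unpack_from("<H", data, 0x12)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    feature_bits, opt_out = 0, False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, ph)
        if p_type == PT_OPENBSD_NOBTCFI:
            opt_out = True
        elif p_type == PT_NOTE:
            feature_bits |= _scan_notes(data[p_offset:p_offset + p_filesz], machine)
    marked = bool(feature_bits & FEATURE_1_IBT_OR_BTI)
    return {
        "machine": {EM_X86_64: "x86_64", EM_AARCH64: "aarch64"}.get(machine, hex(machine)),
        "marked": marked,                 # GNU property note says every input object was IBT/BTI
        "openbsd_opt_out": opt_out,       # binary explicitly asked OpenBSD not to enforce
        "enforced_openbsd": not opt_out,  # OpenBSD policy: on unless opted out
        "enforced_linux": marked,         # Linux policy as described in the commit: on only if marked
    }


def build_sample_elf(machine, feature_bits, openbsd_opt_out):
    """Constructed minimal ELF64 (headers plus one GNU property note, no code) for demonstration."""
    pr_type = (GNU_PROPERTY_X86_FEATURE_1_AND if machine == EM_X86_64
               else GNU_PROPERTY_AARCH64_FEATURE_1_AND)
    desc = struct.pack("<IIII", pr_type, 4, feature_bits, 0)       # one entry, data padded to 8
    note = struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\x00" + desc
    phdrs = [(PT_NOTE, len(note))] + ([(PT_OPENBSD_NOBTCFI, 0)] if openbsd_opt_out else [])
    phoff, note_off = 64, 64 + 56 * len(phdrs)
    ph_bytes = b"".join(
        struct.pack("<IIQQQQQQ", p_type, 4, note_off if p_type == PT_NOTE else 0, 0, 0, sz, sz, 8)
        for p_type, sz in phdrs)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
            + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0))
    return ehdr + ph_bytes + note


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(elf_cfi_status(f.read()))
    else:
        for label, img in [("marked x86_64", build_sample_elf(EM_X86_64, FEATURE_1_IBT_OR_BTI, False)),
                           ("unmarked arm64", build_sample_elf(EM_AARCH64, 0, False)),
                           ("opted-out arm64", build_sample_elf(EM_AARCH64, 0, True))]:
            print(label, elf_cfi_status(img))
```

The "unmarked arm64" sample is the interesting one: with no opt-out header, the OpenBSD policy still enforces BTI and the program either works or is visibly killed, whereas the Linux policy runs it without enforcement and reports nothing. Run the script with a path argument to inspect a real binary; the three built-in samples exist only so the logic can be exercised without one.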
For a little background information, see ARM Inc's Reference documentation.
The main commits that enabled the protection were this and this, after extensive testing in snapshots that turned up various problems that needed fixing in developer tools as well as several different applications.