Introducing SafeStack

We are excited to announce SafeStack in HardenedBSD base, along with the availability of SafeStack in ports! SafeStack is part of the Code Pointer Integrity (CPI) project within clang. For those running HardenedBSD 12-CURRENT (the hardened/current/master branch) on amd64, you can enjoy the benefits of SafeStack. Simply sync your source tree and rebuild world (you'll likely want to rebuild kernel to match world, of course). SafeStack is enabled by default for amd64 only. It is not ready for other architectures (like aarch64). Additionally, SafeStack is only applicable to applications, not shared objects.

Since SafeStack is still in early stages of development, we will not be enabling SafeStack globally for ports like we do with PIE and RELRO+BIND_NOW. Instead, we will add a flag to commonly-used ports entries that will tell our ports hardening framework to use SafeStack for that port. Users always have the option to opt in to or out of SafeStack for a port via that port's config.

As the lld project becomes more mature, we'll make sure to test other CPI features. We hope to incorporate more CPI features in the future.

UPDATE 28 November 2016 - More Info:
Not many people may know what SafeStack is. Below is more information.

SafeStack is an exploit mitigation technique that creates two stacks: one for data that needs to be kept safe, such as return addresses and function pointers; and an unsafe stack for everything else. SafeStack promises a low performance penalty (typically around 0.1%).
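A short way to see the split in practice is to ask the compiler where it put an address-taken local. Under SafeStack the frame (return address, saved registers, register spills) stays on the regular stack, while a buffer whose address escapes is moved to the separate, mmap'd unsafe stack, so its address ends up far from the frame address. The program below is an added example, not HardenedBSD or clang code; it relies only on the Clang-documented `-fsanitize=safe-stack` flag and `__has_feature(safe_stack)` probe, and the 64 KiB distance threshold is a constructed value chosen to sit well above any plausible frame size.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Clang's documented feature probe; compilers without __has_feature
   (or without SafeStack support) evaluate it to 0. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif

/* Constructed threshold: a frame holding a 256-byte buffer is a few hundred
   bytes wide, while the unsafe stack is a separate mmap'd region that lies
   far from the regular stack, so 64 KiB cleanly separates the two cases. */
#define SEPARATE_STACK_THRESHOLD (64u * 1024u)

/* 1 if this translation unit was built with -fsanitize=safe-stack, else 0. */
int safestack_enabled(void) {
    return __has_feature(safe_stack) ? 1 : 0;
}

/* Distance in bytes between an address-taken buffer and this function's
   frame address. noinline keeps both the frame and the buffer here. */
__attribute__((noinline))
uintptr_t buffer_distance_from_frame(void) {
    char buf[256];                  /* address-taken: a SafeStack candidate */
    memset(buf, 'A', sizeof buf);
    /* Make the address escape so the buffer is really materialised; this is
       exactly the kind of local SafeStack relocates to the unsafe stack. */
    __asm__ volatile("" : : "r"(buf) : "memory");

    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    uintptr_t addr = (uintptr_t)buf;
    return frame > addr ? frame - addr : addr - frame;
}

/* 1 when the buffer lives on a stack other than the one holding the frame
   (i.e. SafeStack moved it), 0 when it sits inside the frame as usual. */
int buffer_is_on_separate_stack(void) {
    return buffer_distance_from_frame() > SEPARATE_STACK_THRESHOLD ? 1 : 0;
}

int main(void) {
    printf("built with SafeStack: %s\n", safestack_enabled() ? "yes" : "no");
    printf("buffer is %" PRIuPTR " bytes from the frame -> %s stack\n",
           buffer_distance_from_frame(),
           buffer_is_on_separate_stack() ? "separate (unsafe)" : "same (safe)");
    return 0;
}
```

Build it twice, once plainly and once with `clang -fsanitize=safe-stack`, and compare the reported distance: the buffer jumps from a few hundred bytes below the frame to a different mapping entirely, which is why an overflow of that buffer can no longer reach the return address stored on the safe stack.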

SafeStack requires both ASLR and W^X in order to be effective. With HardenedBSD satisfying both of those prerequisites, SafeStack was deemed to be an excellent candidate for default inclusion in HardenedBSD. Starting with HardenedBSD 12-CURRENT, it is enabled by default for amd64. Support for non-amd64 architectures is limited by upstream clang.

As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries. As such, SafeStack is still undergoing active development.

SafeStack has been made available to the HardenedBSD ports tree as well. Unlike PIE and RELRO+BIND_NOW, it is not enabled globally for the ports tree. Some ports, like ports-mgmt/pkg, have SafeStack enabled by default. Only those ports that have been tested to work fine will have SafeStack enabled by default. Users are able to toggle SafeStack by using the config target. Additionally, the SafeStack option is only applicable to amd64 architectures. Attempting to enable SafeStack for a non-amd64 port build results in a no-op: SafeStack will simply not be applied.

Here's some good weekend reading for you if you'd like more info about SafeStack and CFI/CPI in general:

  1. SafeStack - Clang documentation
  2. Fine-Grained Control-Flow Integrity through Binary Hardening (PDF)
  3. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity (PDF)
  4. Code-Pointer Integrity (PDF)