News: 0001644380

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Fedora 45 Considering x86_64 Shadow Stack Usage By Default

([Fedora] 43 Minutes Ago Shadow Stack)


A change proposal under consideration for Fedora Linux 45 would enable x86_64 [1]Shadow Stack usage by default in the name of better security on modern Intel and AMD systems.

The change proposal is to enable Shadow Stack protection for applications/libraries compiled with GCC, LLVM Clang, or Rustc by default on x86_64. The dynamic linker or startic startup routines will activate Shadow Stack for any process where the binary and shared library dependencies are all built with Shadow Stack support present. Shadow Stacks are hardware-enforced by modern Intel and AMD CPUs to help fend off against Return-Oriented Programming "ROP" style exploits.

The change proposal goes on to elaborate:

"This change enables Shadow Stack protection by default on x86_64 machines that support it on Fedora Linux 45. The dynamic linker, or static startup routines, will activate Shadow Stack for any process whose binary and shared library dependencies are all built with Shadow Stack support, protecting processes by default whenever possible. Shadow Stacks are one of two Control-Flow Enforcement features introduced in Intel CET, alongside Indirect Branch Tracking (IBT), designed to defend against Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks by protecting return addresses. This Fedora change only covers enabling Shadow Stack support. Enabling Indirect Branch Tracking by default is not in scope.

This change is backward compatible for the most part: -fcf-protection is a default compile time flag already enabled in redhat-rpm-config for Fedora since 2018 and thus the majority of binaries are already built with the appropriate markup. Thus, after this change is applied, applications whose dependencies carry Shadow Stack markup gain protection transparently while applications that load any non-compliant object at startup continue to run without Shadow Stack protection. The only new failure mode is when a Shadow Stack enabled process attempts to dlopen a non-compliant shared object at runtime, which results in a dlopen error that looks like error: dlopen: /path/to/library.so: rebuild shared object with SHSTK support enabled."

The performance cost of Shadow Stack usage tends to be very miniscule to non-existent while providing better system security. This is also working toward enabling Indirect Branch Tracking "IBT" in a later Fedora Linux release for full Control-flow Enforcement Technology (CET) protection.

More details on the Shadow Stack proposal for Fedora 45 can be found via the [2]Fedora Wiki .



[1] https://www.phoronix.com/search/shadow+stack

[2] https://fedoraproject.org/wiki/Changes/ShadowStack



Strange memories on this nervous night in Las Vegas. Five years later?
Six? It seems like a lifetime, or at least a Main Era -- the kind of peak that
never comes again. San Fransisco in the middle sixties was a very special time
and place to be a part of. Maybe it meant something. Maybe not, in the long
run... There was madness in any direction, at any hour. If not across the
Bay, then up the Golden Gate or down 101 to Los Altos or La Honda... You could
strike sparks anywhere. There was a fantastic universal sense that whatever we
were doing was right, that we were winning...
And that, I think, was the handle -- that sense of inevitable victory
over the forces of Old and Evil. Not in any mean or military sense; we didn't
need that. Our energy would simply prevail. There was no point in fighting
-- on our side or theirs. We had all the momentum; we were riding the crest
of a high and beautiful wave. So now, less than five years later, you can go
up on a steep hill in Las Vegas and look West, and with the right kind of eyes
you can almost ___see the high-water mark -- that place where the wave
finally broke and rolled back.
-- Hunter S. Thompson