Follow up on stack protector research #3201

Open
cbeck88 opened this issue Mar 6, 2023 · 0 comments

cbeck88 commented Mar 6, 2023

Found this old post from a long time ago: https://github.com/mobilecoinofficial/scratchpad/pull/16/files

I don't think we ever figured out what to do about this.

I found this link just now, maybe this is resolved? https://doc.rust-lang.org/beta/rustc/exploit-mitigations.html#stack-clashing-protection


Intel wrote an enclave writer's guide, in section 10, page 30, they mention:

Enclave writers should set the compiler options such that by default
enclaves are built with standard defense in-depth mechanisms available on a given platform.
Regarding stack buffer overflow protection, developers must be aware that the commonly used
compiler options only provide protection when the buffer meets certain criteria.

...

The enclave writer must evaluate whether this security check
should be enabled in enclave functions that would remain unprotected otherwise (enclave
interface functions, for instance) and apply more strict checking options

...

Similarly, the Intel® Compiler for Linux* supports -fstack-protector and -fstack-protector-all but does not support -fstack-protector-strong or -fstack-protector-explicit. GNU compiler supports options -fstack-protector-strong and -fstack-protector-explicit in version 4.9.2

I'm trying to understand if there is a way to get stack protectors like this in Rust.

There is an old GitHub issue that mentions this: rust-lang/rust#15179

There was a more recent Stack Overflow question along these lines: https://stackoverflow.com/questions/48547475/how-to-add-stack-canaries-to-rust-executables?rq=1


I understand that there has been a lot of work creating "userspace" stackguard, and based on looking at historical issues and PRs, a lot of this work was done by @cuviper?

rust-lang/rust#47912
rust-lang/rust#43052
rust-lang/rust#47863

There's also an internals discussion that seems relevant: https://internals.rust-lang.org/t/getting-rid-of-stack-guard-handling-an-alternative-way-to-detect-stack-overflow/9040


One issue particularly relevant to me is that we chose to build our enclaves in a no_std environment -- the rationale for that is explained here: https://github.com/mobilecoinofficial/mobilecoin/tree/master/sgx

So we likely cannot directly use the libstd stack guard, but we might be able to port it or something, if it is indeed a thing we should be using.

There are some other core intrinsics that seem possibly relevant(?): https://docs.rs/compiler_builtins/0.1.27/compiler_builtins/probestack/index.html


My questions:

  1. What, if anything, are, in Intel's words, the "compiler options such that ... are built with standard defense in-depth mechanisms available on a given platform"? Is there now anything like -fstack-protector in rustc? In nightly rustc?

(In rustc 1.41 -C --help I can see no-stack-check is deprecated and now does nothing)
(I looked for a while in current docu, sorry if I missed it)

Or is that simply "not available on our platform", particularly, in a no_std build?

  2. Are there any other relevant techniques or best practices in Rust around stack guards manually inserted in code, or stack canaries / stack protection inserted by the compiler?