Add option to enable CET Shadow Stack

This experimental build option to mark binaries as compatible with Shadow Stack of Control-flow Enforcement Technology (CET). THe option is not any close to enable in official builds, it's here for convenice of evaluation. As it passes base_unittests and components_unittests. Bug: 1136224 Change-Id: I6fcd61c2e76066b444cc37c88228273838300243 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2454988Reviewed-by: Nico Weber <thakis@chromium.org> Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Vitaly Buka <vitalybuka@chromium.org> Cr-Commit-Position: refs/heads/master@{#819145}

Add option to enable CET Shadow Stack
This experimental build option to mark binaries as compatible with Shadow Stack of Control-flow Enforcement Technology (CET). THe option is not any close to enable in official builds, it's here for convenice of evaluation. As it passes base_unittests and components_unittests. Bug: 1136224 Change-Id: I6fcd61c2e76066b444cc37c88228273838300243 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2454988Reviewed-by: Nico Weber <thakis@chromium.org> Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Vitaly Buka <vitalybuka@chromium.org> Cr-Commit-Position: refs/heads/master@{#819145}
5987fd43 · Vitaly Buka · Commit Bot · 7447ea3e · 5987fd43 · 5987fd43
Commit 5987fd43 authored Oct 20, 2020 by Vitaly Buka Committed by Commit Bot Oct 20, 2020
6 changed files
--- a/base/BUILD.gn
+++ b/base/BUILD.gn
@@ -3072,6 +3072,10 @@ test("base_unittests") {
      "win/wmi_unittest.cc",
      "win/wrapped_window_proc_unittest.cc",
    ]
+
+    if (enable_cet_shadow_stack) {
+      sources += [ "win/cet_shadow_stack_unittest.cc" ]
+    }
  }

  if (is_linux || is_chromeos) {

--- a/base/win/cet_shadow_stack_unittest.cc
+++ b/base/win/cet_shadow_stack_unittest.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <Windows.h>
+#include <intrin.h>
+
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace base {
+namespace win {
+
+namespace {
+void* return_address;
+
+__attribute__((noinline)) void Bug() {
+  void* pvAddressOfReturnAddress = _AddressOfReturnAddress();
+  if (!return_address)
+    return_address = *(void**)pvAddressOfReturnAddress;
+  else
+    *(void**)pvAddressOfReturnAddress = return_address;
+}
+
+__attribute__((noinline)) void A() {
+  Bug();
+}
+
+__attribute__((noinline)) void B() {
+  Bug();
+}
+
+TEST(CET, ShadowStack) {
+  // TODO(ajgo): Check that it's enabled by OS.
+  A();
+  EXPECT_DEATH(B(), "");
+}
+}  // namespace
+}  // namespace win
+}  // namespace base
--- a/build/config/BUILDCONFIG.gn
+++ b/build/config/BUILDCONFIG.gn
@@ -315,6 +315,7 @@ default_compiler_configs = [
  "//build/config:feature_flags",
  "//build/config/compiler:afdo",
  "//build/config/compiler:afdo_optimize_size",
+  "//build/config/compiler:cet_shadow_stack",
  "//build/config/compiler:compiler",
  "//build/config/compiler:compiler_arm_fpu",
  "//build/config/compiler:compiler_arm_thumb",

--- a/build/config/compiler/BUILD.gn
+++ b/build/config/compiler/BUILD.gn
@@ -2280,6 +2280,13 @@ config("win_pdbaltpath") {
  # build reproducibility. Debuggers look for pdb files next to executables,
  # so there's no downside to always using this.
  ldflags = [ "/pdbaltpath:%_PDB%" ]
+
+  if (enable_cet_shadow_stack && use_lld) {
+    # TODO(crbug.com/1136664): Investigate why Windows does not recognize
+    # CET in some binaries linked by LLD with /DEBUG.
+    # This is the best place for work around as it follows all /DEBUG uses.
+    ldflags += [ "/DEBUG:NONE" ]
+  }
 }

 # Full symbols.
@@ -2544,3 +2551,10 @@ buildflag_header("compiler_buildflags") {

  flags = [ "CLANG_PGO=$chrome_pgo_phase" ]
 }
+
+config("cet_shadow_stack") {
+  if (enable_cet_shadow_stack && is_win) {
+    assert(target_cpu == "x64")
+    ldflags = [ "/CETCOMPAT" ]
+  }
+}
--- a/build/config/compiler/compiler.gni
+++ b/build/config/compiler/compiler.gni
@@ -97,6 +97,14 @@ declare_args() {
  # Where to redirect clang crash diagnoses
  clang_diagnostic_dir =
      rebase_path("//tools/clang/crashreports", root_build_dir)
+
+  # Experimental option to mark binaries as compatible with Shadow
+  # Stack of Control-flow Enforcement Technology (CET). If Windows version
+  # and hardware supports the feature and it's enabled by OS then additional
+  # additional validation of return address will be performed as mitigation
+  # against Return-oriented programming (ROP).
+  # https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md#cet-shadow-stack
+  enable_cet_shadow_stack = false
 }

 assert(!is_cfi || use_thin_lto, "CFI requires ThinLTO")

--- a/docs/design/sandbox.md
+++ b/docs/design/sandbox.md
@@ -362,6 +362,13 @@ policies on the target process for enforcing security characteristics.
 * Compiler/Linker opt-in, not a run-time policy opt-in.  See
 [MSDN](https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx).

+#### CET Shadow Stack:
+
+* Only in Insider Builds of Windows 10 yet.
+* It's being evaluated and not enabled for any processes.  See
+[ticket](https://bugs.chromium.org/p/chromium/issues/detail?id=1136224),
+[MSDN](https://docs.microsoft.com/en-us/cpp/build/reference/cetcompat?view=vs-2019).
+
 #### Disable Font Loading:

 * &gt;= Win10