Windows/Visual Studio control flow guard

Fri, 10 May 2019 05:58:20 -0700 

Hello,   I wonder if some people already have looked into using Windows 
"control flow guard" in OpenJDK,
and can share the info they got.

See :

https://docs.microsoft.com/en-us/windows/desktop/SecBP/control-flow-guard

"Control Flow Guard (CFG) is a highly-optimized platform security feature that 
was created to combat memory corruption vulnerabilities.
By placing tight restrictions on where an application can execute code from, it 
makes it much harder for exploits to execute arbitrary
code through vulnerabilities such as buffer overflows. CFG extends previous 
exploit mitigation technologies such as /GS, DEP, and ASLR."

So it is basically a compiler+linker flag available in VS2015 and higher .

We set it for a while in our internal OpenJDK night builds , no issues seen so 
far .
(However I think more performance testing needs to be done )

Patch I used (might need an additional check for VS2015+ version) :

diff -r 23a04fe2aca2 make/autoconf/flags-cflags.m4
--- a/make/autoconf/flags-cflags.m4      Fri Apr 05 09:53:07 2019 -0400
+++ b/make/autoconf/flags-cflags.m4   Tue Apr 09 15:57:21 2019 +0200
@@ -501,9 +501,10 @@
     ALWAYS_DEFINES_JVM="-D_REENTRANT"
     ALWAYS_DEFINES_JDK="-D_GNU_SOURCE -D_REENTRANT -D_LARGEFILE64_SOURCE 
-DSTDC"
   elif test "x$TOOLCHAIN_TYPE" = xmicrosoft; then
+    # enable Windows  Control Flow Guard; this might need VS2015+
     ALWAYS_DEFINES_JDK="-DWIN32_LEAN_AND_MEAN -D_CRT_SECURE_NO_DEPRECATE \
-        -D_CRT_NONSTDC_NO_DEPRECATE -DWIN32 -DIAL"
-    ALWAYS_DEFINES_JVM="-DNOMINMAX -DWIN32_LEAN_AND_MEAN"
+        -D_CRT_NONSTDC_NO_DEPRECATE -DWIN32 -DIAL -guard:cf"
+    ALWAYS_DEFINES_JVM="-DNOMINMAX -DWIN32_LEAN_AND_MEAN -guard:cf"
   fi
   
###############################################################################
diff -r 23a04fe2aca2 make/autoconf/flags-ldflags.m4
--- a/make/autoconf/flags-ldflags.m4    Fri Apr 05 09:53:07 2019 -0400
+++ b/make/autoconf/flags-ldflags.m4 Tue Apr 09 15:57:21 2019 +0200
@@ -94,7 +94,8 @@
     BASIC_LDFLAGS_JVM_ONLY="-Wl,-lC_r -bbigtoc"
   elif test "x$TOOLCHAIN_TYPE" = xmicrosoft; then
-    BASIC_LDFLAGS="-nologo -opt:ref"
+    # enable Windows  Control Flow Guard; this might need VS2015+
+    BASIC_LDFLAGS="-nologo -opt:ref -guard:cf"
    BASIC_LDFLAGS_JDK_ONLY="-incremental:no"
     BASIC_LDFLAGS_JVM_ONLY="-opt:icf,8 -subsystem:windows"
   fi


Thanks, Matthias

Reply via email to