On Wed, Sep 03, 2025 at 09:24:22PM -0700, Kees Cook wrote:
> > If the hacker knows these, it should be quite easy for them to come up with
> > a matched typeid, is it?
>
> The hashes aren't considered secret -- they need to be known/match between
> compilation units, and even across languages (Rust). The KCFI mitigation
> is fundamentally an "exploit surface reduction" measure in the sense
> that it limits an attacker's set of callable functions to only matching
> typeids (instead of all functions or all executable memory). I discuss
> this a bit more here:
> https://gcc.gnu.org/pipermail/gcc-patches/2025-August/693059.html
Also note that the kernel will re-hash all the values at boot time once more -- further increasing the difficulty of an attack.
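To make the two points above concrete (typeids are public, yet a call site can only reach functions of its own type; and the kernel re-hashes them at boot), here is an added toy model in C. It is not code from the thread, GCC or the kernel: the `kcfi_*` names, the use of FNV-1a as the hash and a plain salt standing in for the boot-time re-hash are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed toy model of KCFI as described in the thread: the compiler
 * stores a hash of each function's prototype (its typeid) ahead of the body,
 * and each indirect call compares the target's typeid with the one expected
 * for the pointer type before jumping. The hash is not secret; the gain is
 * that only same-typed functions are reachable from a given call site.
 * FNV-1a stands in for the real hash (assumption). */
typedef uint32_t kcfi_typeid;

static kcfi_typeid kcfi_hash(const char *proto, uint32_t salt)
{
    uint32_t h = 2166136261u ^ salt;      /* salt 0: value in the binary */
    for (; *proto; proto++) {
        h ^= (uint8_t)*proto;
        h *= 16777619u;
    }
    return h;
}
/* A "compiled" function: prototype, emitted typeid, body. Bodies are all
 * int(int) so one pointer type can reach them; the prototype string plays
 * the role of the real C type. */
struct kcfi_fn { const char *proto; kcfi_typeid typeid; int (*body)(int); };

static int add_one(int x) { return x + 1; }
static int halve(int x)   { return x / 2; }

static struct kcfi_fn image[] = {
    { "int (int)",           0, add_one },
    { "int (int)",           0, halve   },
    { "int (struct cred *)", 0, halve   },  /* other type: must be rejected */
};
#define IMAGE_LEN (sizeof image / sizeof image[0])
/* Hash at link time (salt 0) and, as the reply notes, once more at boot with
 * a fresh salt, so in-memory typeids differ from those in the on-disk image.
 * Call sites are rewritten with the same salt, so valid calls still match. */
static void kcfi_rehash(uint32_t salt)
{
    for (size_t i = 0; i < IMAGE_LEN; i++)
        image[i].typeid = kcfi_hash(image[i].proto, salt);
}
/* Checked indirect call: -1 models the CFI trap, 0 means the call ran. */
static int kcfi_call(size_t idx, kcfi_typeid expected, int arg, int *out)
{
    if (idx >= IMAGE_LEN || image[idx].typeid != expected)
        return -1;
    *out = image[idx].body(arg);
    return 0;
}
```

Knowing the hash lets a caller compute every typeid, but a call site expecting `int (int)` still cannot be steered to the `struct cred *` function, and a value lifted from the on-disk image no longer matches once the boot-time re-hash has run.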