From Theo de Raadt of OpenBSD
Over the last 6 months we’ve worked on adding arm64 BTI & Intel IBT support in the kernels and all userland binaries. We have been fixing all the applications along the way. Many developers were involved. There is an innovative and substantial difference in our approach compared to how Linux is doing it:
- On OpenBSD, IBT/BTI enforcement is on by default (meaning mandatory), unless a binary is linked to request opt-out (using -Wl,-z,nobtcfi). After all our fixes, very few application binaries need that, and that count is expected to shrink quickly as we (or upstreams) fix the outstanding issues.
- On Linux they are rehashing the same design as their executable-stack mechanism: if a single .o file in a resulting binary isn’t marked as IBT/BTI enforcement, the system will (silently) execute the program without enforcement and noone knows this is happening. So for an issue from around 2001, today Linux binaries with executable stack exist and work unsafely. I expect that 20 years from now Linux binaries without IBT/BTI enforcement will also exist and work unsafely…
You must log in or # to comment.