
Commit b233171

devincoughlinjakepetroules
authored andcommitted
Add compiler build settings for Enhanced Security
Add a new "Security" build settings group and an "Enhanced Security" build setting that enables a number of security settings at once, including: * Enabling pointer authentication * Enabling the typed allocator * Enabling hardened libc++ * Enabling stack zero initialization * Enabling security relevant compiler warnings The goal is that enabling the Enhanced Security build setting should enable all of these other settings by default and that projects will be able to explicitly disable individual settings if needed. rdar://151195113
1 parent c6273fa commit b233171


7 files changed

+915
-15
lines changed


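--- a/Sources/SWBCore/Specs/CoreBuildSystem.xcspec
+++ b/Sources/SWBCore/Specs/CoreBuildSystem.xcspec
@@ -3535,6 +3535,33 @@ For more information on mergeable libraries, see [Configuring your project to us
 Category = BuildOptions;
 Description = "Enables building with code coverage instrumentation. This is only used when the build has code coverage enabled, which is typically done via the Xcode scheme or test plan settings.";
 },
+{ Name = ENABLE_ENHANCED_SECURITY;
+Type = Boolean;
+DefaultValue = NO;
+Category = SecurityPolicy;
+},
+{ Name = ENABLE_POINTER_AUTHENTICATION;
+Type = Boolean;
+DefaultValue = "$(ENABLE_ENHANCED_SECURITY)";
+Category = SecurityPolicy;
+},
+{ Name = ENABLE_SECURITY_COMPILER_WARNINGS;
+Type = Boolean;
+DefaultValue = "$(ENABLE_ENHANCED_SECURITY)";
+Category = SecurityPolicy;
+},
+{
+Name = "ENABLE_C_BOUNDS_SAFETY";
+Type = Boolean;
+DefaultValue = NO;
+Category = Security;
+},
+{
+Name = "ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS";
+Type = Boolean;
+DefaultValue = NO;
+Category = Security;
+},
 { Name = ENABLE_TESTABILITY;
 Type = Boolean;
 DefaultValue = NO;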
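Review bot: The two bounds-safety settings (`Name = "ENABLE_C_BOUNDS_SAFETY"` and `Name = "ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS"`) use `Category = Security;` while the three settings added just above them use `Category = SecurityPolicy;`, and the strings change in this commit only localizes `[SecurityPolicy]-category`. Unless a `Security` category is declared in a file not shown here, these two will be grouped apart from the master switch they are meant to be reviewed alongside and their group title will be unlocalized; `Category = SecurityPolicy;` on both keeps the whole set together (the same mismatch appears on `CLANG_ENABLE_STACK_ZERO_INIT` in Clang.xcspec). Separately, `ENABLE_POINTER_AUTHENTICATION` is declared with no `CommandLineArgs` and nothing visible in this diff reads it; if the arm64e slice is selected from it elsewhere, a short comment such as `// Read by architecture selection; no direct compiler flag.` would tell the next reader where the effect lives, and if it is not yet consumed the setting is currently a no-op despite its description.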

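--- a/Sources/SWBCore/Specs/en.lproj/CoreBuildSystem.strings
+++ b/Sources/SWBCore/Specs/en.lproj/CoreBuildSystem.strings
@@ -669,6 +669,35 @@ Typically this path is not set per target, but is provided as an option on the c
 "[MODULE_STOP]-name" = "Module Stop Routine";
 "[MODULE_STOP]-description" = "This defines the name of the kernel module stop routine. This is only used when building kernel extensions.";
 
+// Security Settings
+
+"[SecurityPolicy]-category" = "Security";
+
+"[ENABLE_ENHANCED_SECURITY]-name" = "Enable Enhanced Security";
+"[ENABLE_ENHANCED_SECURITY]-description" = "Enables a set of security build settings, including pointer authentication, typed allocator support, hardened C++ standard library, and security-related compiler warnings. These settings can be disabled individually.";
+"[ENABLE_ENHANCED_SECURITY]-value-[YES]" = "Yes";
+"[ENABLE_ENHANCED_SECURITY]-value-[NO]" = "No";
+
+"[ENABLE_POINTER_AUTHENTICATION]-name" = "Enable Pointer Authentication";
+"[ENABLE_POINTER_AUTHENTICATION]-description" = "Builds the target with pointer authentication enabled. Adds an additional architectural slice (arm64e) with pointer authentication instructions.";
+"[ENABLE_POINTER_AUTHENTICATION]-value-[YES]" = "Yes";
+"[ENABLE_POINTER_AUTHENTICATION]-value-[NO]" = "No";
+
+"[ENABLE_SECURITY_COMPILER_WARNINGS]-name" = "Enable Security-Relevant Compiler Warnings";
+"[ENABLE_SECURITY_COMPILER_WARNINGS]-description" = "Enables a set of security-relevant compiler warnings that check for common bounds-safety and lifetime-safety issues.";
+"[ENABLE_SECURITY_COMPILER_WARNINGS]-value-[YES]" = "Yes";
+"[ENABLE_SECURITY_COMPILER_WARNINGS]-value-[NO]" = "No";
+
+"[ENABLE_C_BOUNDS_SAFETY]-name" = "Enable Language Extension for Bounds Safety in C";
+"[ENABLE_C_BOUNDS_SAFETY]-description" = "Enables the -fbounds-safety language extension, which guarantees bounds safety for C";
+"[ENABLE_C_BOUNDS_SAFETY]-value-[NO]" = "No";
+"[ENABLE_C_BOUNDS_SAFETY]-value-[YES]" = "Yes";
+
+"[ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS]-name" = "Enforce Bounds-Safe Buffer Usage in C++";
+"[ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS]-description" = "Enables a strict programming model that guarantees bounds safety in C++ by rejecting raw pointer arithmetic (enabling the -Wunsafe-buffer-usage warning as an error) and requiring the use of hardened C++ Standard Library APIs for buffer manipulation.";
+"[ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS]-value-[NO]" = "No";
+"[ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS]-value-[YES]" = "Yes";
+
 // Compiler Version
 
 "[GCC_VERSION]-name" = "Compiler for C/C++/Objective-C";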
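Review bot: `[ENABLE_ENHANCED_SECURITY]-description` lists pointer authentication, typed allocator support, the hardened C++ standard library and compiler warnings, but the Clang.xcspec change in this same commit also makes `CLANG_ENABLE_STACK_ZERO_INIT` default to `$(ENABLE_ENHANCED_SECURITY)`, so a user reading "These settings can be disabled individually" is not told that stack zero initialization is one of them. Suggest `"Enables a set of security build settings, including pointer authentication, typed allocator support, hardened C++ standard library, stack zero initialization, and security-related compiler warnings. These settings can be disabled individually."`. The description of `ENABLE_SECURITY_COMPILER_WARNINGS` says the warnings target "bounds-safety and lifetime-safety issues", yet the same switch now also turns on `-Wshadow` and `-Wempty-body`, which are general hygiene diagnostics; either widen the wording or keep those two on their previous default so the description stays accurate. Finally, `[ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS]-description` says the mode "guarantees bounds safety in C++"; since it is implemented as a source-level diagnostic promoted to an error plus hardened library calls, "enforces" is the defensible claim — the diagnostic can be locally suppressed in code it is applied to, so it does not guarantee anything about the resulting binary.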

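--- a/Sources/SWBUniversalPlatform/Specs/Clang.xcspec
+++ b/Sources/SWBUniversalPlatform/Specs/Clang.xcspec
@@ -536,7 +536,7 @@
 FileTypes = (
 "sourcecode.c.c",
 );
-DefaultValue = NO;
+DefaultValue = "$(ENABLE_C_BOUNDS_SAFETY)";
 CommandLineArgs = {
 YES = ( "-fbounds-safety" );
 NO = ();
@@ -640,14 +640,74 @@
 Category = LanguageCXX;
 },
 {
-Name = __LIBRARY_HARDENING_DEFAULT_VALUE_0;
+Name = __ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES_YES;
+Type = String;
+DefaultValue = "YES";
+},
+{
+Name = __ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES_NO;
+Type = String;
+DefaultValue = "YES";
+},
+{
+Name = __ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_NO_YES;
+Type = String;
+DefaultValue = "YES";
+},
+{
+Name = __ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_NO_NO;
+Type = String;
+DefaultValue = "NO";
+},
+{
+Name = __ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS;
+Type = String;
+DefaultValue = "$(__ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_$(ENABLE_ENHANCED_SECURITY)_$(ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS))";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_0_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "debug";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_0_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_NO;
 Type = String;
 DefaultValue = "debug";
 },
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_1_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "fast";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_2_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "fast";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_3_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "fast";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_s_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "fast";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_fast_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "fast";
+},
+{
+Name = __LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_z_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_YES;
+Type = String;
+DefaultValue = "fast";
+},
 {
 Name = __LIBRARY_HARDENING_DEFAULT_VALUE;
 Type = String;
-DefaultValue = "$(__LIBRARY_HARDENING_DEFAULT_VALUE_$(GCC_OPTIMIZATION_LEVEL))";
+DefaultValue = "$(__LIBRARY_HARDENING_DEFAULT_VALUE_OPT_LEVEL_$(GCC_OPTIMIZATION_LEVEL)_ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_$(__ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS))";
 },
 {
 Name = "CLANG_CXX_STANDARD_LIBRARY_HARDENING";
@@ -736,11 +796,26 @@
 );
 Category = LanguageCXX;
 },
+{
+Name = "_UNSAFE_BUFFER_USAGE_DEFAULT_ENABLE_SAFE_BUFFERS_NO";
+Type = String;
+DefaultValue = "DEFAULT";
+},
+{
+Name = "_UNSAFE_BUFFER_USAGE_DEFAULT_ENABLE_SAFE_BUFFERS_YES";
+Type = String;
+DefaultValue = "YES_ERROR";
+},
+{
+Name = "_UNSAFE_BUFFER_USAGE_DEFAULT";
+Type = String;
+DefaultValue = "$(_UNSAFE_BUFFER_USAGE_DEFAULT_ENABLE_SAFE_BUFFERS_$(ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS))";
+},
 {
 Name = "CLANG_WARN_UNSAFE_BUFFER_USAGE";
 Type = Enumeration;
 Values = ( DEFAULT, YES, YES_ERROR, NO );
-DefaultValue = DEFAULT;
+DefaultValue = "$(_UNSAFE_BUFFER_USAGE_DEFAULT)";
 CommandLineArgs = {
 DEFAULT = ();
 NO = ( "-Wno-unsafe-buffer-usage" );
@@ -801,7 +876,7 @@
 {
 Name = "GCC_OPTIMIZATION_LEVEL";
 Type = Enumeration;
-// NOTE: Updating these values requires updating LLVM_OPTIMIZATION_LEVEL_VAL_X.
+// NOTE: Updating these values requires updating LLVM_OPTIMIZATION_LEVEL_VAL_X and CLANG_CXX_STANDARD_LIBRARY_HARDENING.
 Values = (
 0,
 1,
@@ -945,6 +1020,22 @@
 };
 Category = WarningsPolicy;
 },
+{ Name = CLANG_ENABLE_SECURITY_COMPILER_WARNINGS;
+Type = Boolean;
+DefaultValue = "$(ENABLE_SECURITY_COMPILER_WARNINGS)";
+CommandLineArgs = {
+YES = ("-Wbuiltin-memcpy-chk-size",
+"-Wformat-nonliteral",
+"-Warray-bounds",
+"-Warray-bounds-pointer-arithmetic",
+"-Wsuspicious-memaccess",
+"-Wsizeof-array-div",
+"-Wsizeof-pointer-div",
+"-Wreturn-stack-address");
+NO = ();
+};
+// Hidden.
+},
 {
 Name = "GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS";
 Type = Boolean;
@@ -1381,7 +1472,7 @@
 {
 Name = "CLANG_WARN_EMPTY_BODY";
 Type = Boolean;
-DefaultValue = NO;
+DefaultValue = "$(CLANG_ENABLE_SECURITY_COMPILER_WARNINGS)";
 CommandLineArgs = {
 YES = ( "-Wempty-body" );
 NO = ( "-Wno-empty-body" );
@@ -1447,7 +1538,7 @@
 {
 Name = "GCC_WARN_SHADOW";
 Type = Boolean;
-DefaultValue = NO;
+DefaultValue = "$(CLANG_ENABLE_SECURITY_COMPILER_WARNINGS)";
 CommandLineArgs = {
 YES = (
 "-Wshadow",
@@ -1800,6 +1891,27 @@
 };
 Category = Warnings;
 },
+{
+Name = "CLANG_ENABLE_STACK_ZERO_INIT";
+Type = Boolean;
+DefaultValue = "$(ENABLE_ENHANCED_SECURITY)";
+Category = Security;
+},
+{
+Name = "_CLANG_TRIVIAL_AUTO_VAR_INIT_DEFAULT_ENABLE_ZERO_INIT_YES";
+Type = Boolean;
+DefaultValue = "zero";
+},
+{
+Name = "_CLANG_TRIVIAL_AUTO_VAR_INIT_DEFAULT_ENABLE_ZERO_INIT_NO";
+Type = Boolean;
+DefaultValue = "default";
+},
+{
+Name = "_CLANG_TRIVIAL_AUTO_VAR_INIT_DEFAULT";
+Type = String;
+DefaultValue = "$(_CLANG_TRIVIAL_AUTO_VAR_INIT_DEFAULT_ENABLE_ZERO_INIT_$(CLANG_ENABLE_STACK_ZERO_INIT))";
+},
 {
 Name = "CLANG_TRIVIAL_AUTO_VAR_INIT";
 Type = Enumeration;
@@ -1809,7 +1921,7 @@
 zero,
 pattern,
 );
-DefaultValue = default;
+DefaultValue = "$(_CLANG_TRIVIAL_AUTO_VAR_INIT_DEFAULT)";
 CommandLineArgs = {
 default = ( );
 uninitialized = ( "-ftrivial-auto-var-init=uninitialized" );
@@ -2900,19 +3012,50 @@
 Condition = "$(CLANG_UNDEFINED_BEHAVIOR_SANITIZER_TRAP_ON_SECURITY_ISSUES) && $(GCC_OPTIMIZATION_LEVEL) != 0";
 },
 {
-Name = "CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT";
+Name = "_CLANG_ENABLE_TYPED_ALLOCATOR_SUPPORT_DEFAULT_ENHANCED_SECURITY_YES";
+Type = Enumeration;
+Values = (
+compiler-default,
+YES,
+NO,
+);
+DefaultValue = YES;
+},
+{
+Name = "_CLANG_ENABLE_TYPED_ALLOCATOR_SUPPORT_DEFAULT_ENHANCED_SECURITY_NO";
 Type = Enumeration;
 Values = (
 compiler-default,
 YES,
 NO,
 );
 DefaultValue = compiler-default;
+},
+{
+Name = "_CLANG_ENABLE_TYPED_ALLOCATOR_SUPPORT_DEFAULT";
+Type = Enumeration;
+Values = (
+compiler-default,
+YES,
+NO,
+);
+DefaultValue = "$(_CLANG_ENABLE_TYPED_ALLOCATOR_SUPPORT_DEFAULT_ENHANCED_SECURITY_$(ENABLE_ENHANCED_SECURITY))";
+},
+{
+Name = "CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT";
+Type = Enumeration;
+Values = (
+compiler-default,
+YES,
+NO,
+);
+DefaultValue = "$(_CLANG_ENABLE_TYPED_ALLOCATOR_SUPPORT_DEFAULT)";
 CommandLineArgs = {
 compiler-default = ();
 YES = ("-ftyped-memory-operations");
 NO = ("-fno-typed-memory-operations");
 };
+Category = Language;
 },
 {
 Name = "CLANG_ENABLE_CPLUSPLUS_TYPED_ALLOCATOR_SUPPORT";
@@ -2922,7 +3065,7 @@
 YES,
 NO,
 );
-DefaultValue = compiler-default;
+DefaultValue = "$(_CLANG_ENABLE_TYPED_ALLOCATOR_SUPPORT_DEFAULT)";
 CommandLineArgs = {
 compiler-default = ();
 YES = ("-ftyped-cxx-new-delete", "-ftyped-cxx-delete");
@@ -2933,6 +3076,7 @@
 YES = ("-ftyped-cxx-new-delete", "-ftyped-cxx-delete");
 NO = ();
 };
+Category = LanguageCXX;
 },
 // Index-while-building options, not visible in build settings.
 {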
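Review bot: `_CLANG_TRIVIAL_AUTO_VAR_INIT_DEFAULT_ENABLE_ZERO_INIT_YES` and `_..._NO` are declared `Type = Boolean;` but carry the non-boolean values `"zero"` and `"default"`, while every other lookup-table helper introduced in this file (`__ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_*`, `_UNSAFE_BUFFER_USAGE_DEFAULT_*`, and the `_DEFAULT` macro they feed) is `Type = String;`. If the spec loader normalizes Boolean-typed values, the computed `CLANG_TRIVIAL_AUTO_VAR_INIT` default would not be `zero` and the stack-initialization hardening that `ENABLE_ENHANCED_SECURITY` promises would be silently dropped with no diagnostic; `Type = String;` on both entries removes the doubt, and a test asserting that `-ftrivial-auto-var-init=zero` appears on the command line when only `ENABLE_ENHANCED_SECURITY = YES` is set would pin it. A second, hedged point on the hardening table: `$(__ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_$(ENABLE_ENHANCED_SECURITY)_$(ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS))` only has `YES`/`NO` pairs, so if either input is empty (e.g. an xcconfig that clears it) the chain resolves to nothing and `__LIBRARY_HARDENING_DEFAULT_VALUE` at `-O0` becomes empty where the replaced `__LIBRARY_HARDENING_DEFAULT_VALUE_0` unconditionally yielded `"debug"` — worth a test with an unset value, or a fallback such as `DefaultValue = "$(__ENHANCED_SECURITY_OR_BOUNDS_SAFE_BUFFERS_$(ENABLE_ENHANCED_SECURITY:default=NO)_$(ENABLE_CPLUSPLUS_BOUNDS_SAFE_BUFFERS:default=NO))";` if the macro evaluator supports a default operator. The `// Hidden.` trailer on `CLANG_ENABLE_SECURITY_COMPILER_WARNINGS` sits where its siblings put `Category`; a one-line comment saying it is deliberately uncategorized so it never appears in the UI would make that intent explicit.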

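--- a/Sources/SWBUniversalPlatform/Specs/Ld.xcspec
+++ b/Sources/SWBUniversalPlatform/Specs/Ld.xcspec
@@ -736,7 +736,6 @@
 );
 };
 },
-
 {
 Name = "__CREATE_INFOPLIST_SECTION_IN_BINARY";
 Type = Boolean;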

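--- a/Sources/SWBUniversalPlatform/Specs/en.lproj/Apple Clang.strings
+++ b/Sources/SWBUniversalPlatform/Specs/en.lproj/Apple Clang.strings
@@ -695,6 +695,23 @@ The restrictions on `offsetof` may be relaxed in a future version of the C++ sta
 "[CLANG_ENABLE_MODULES]-value-[YES]" = "Yes";
 "[CLANG_ENABLE_MODULES]-value-[NO]" = "No";
 
+"[CLANG_ENABLE_STACK_ZERO_INIT]-name" = "Enable Stack Zero Initialization";
+"[CLANG_ENABLE_STACK_ZERO_INIT]-description" = "Automatically initializes stack variables to zero as a security protection.";
+"[CLANG_ENABLE_STACK_ZERO_INIT]-value-[YES]" = "Yes";
+"[CLANG_ENABLE_STACK_ZERO_INIT]-value-[NO]" = "No";
+
+"[CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT]-name" = "Enable Typed Allocator in C";
+"[CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT]-description" = "Enables compiler rewriting of allocation calls in C to provide type information to the allocator. Mitigates use-after-free security vulnerabilities.";
+"[CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT]-value-[YES]" = "Yes";
+"[CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT]-value-[NO]" = "No";
+"[CLANG_ENABLE_C_TYPED_ALLOCATOR_SUPPORT]-value-[compiler-default]" = "Compiler Default";
+
+"[CLANG_ENABLE_CPLUSPLUS_TYPED_ALLOCATOR_SUPPORT]-name" = "Enable Typed Allocator in C++";
+"[CLANG_ENABLE_CPLUSPLUS_TYPED_ALLOCATOR_SUPPORT]-description" = "Enables compiler rewriting of allocation calls in C++ to provide type information to the allocator. Mitigates use-after-free security vulnerabilities.";
+"[CLANG_ENABLE_CPLUSPLUS_TYPED_ALLOCATOR_SUPPORT]-value-[YES]" = "Yes";
+"[CLANG_ENABLE_CPLUSPLUS_TYPED_ALLOCATOR_SUPPORT]-value-[NO]" = "No";
+"[CLANG_ENABLE_CPLUSPLUS_TYPED_ALLOCATOR_SUPPORT]-value-[compiler-default]" = "Compiler Default";
+
 "[CLANG_MODULES_AUTOLINK]-name" = "Link Frameworks Automatically";
 "[CLANG_MODULES_AUTOLINK]-description" = "Automatically link SDK frameworks that are referenced using `#import` or `#include`. This feature requires also enabling support for modules. This build setting only applies to C-family languages.";
 "[CLANG_MODULES_AUTOLINK]-value-[YES]" = "Yes (when modules are enabled)";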
