Stream: git-wasmtime

Topic: wasmtime / issue #2288 Cranelift: support RELRO


view this post on Zulip Wasmtime GitHub notifications bot (Oct 01 2021 at 21:17):

akirilov-arm labeled issue #2288:

<!-- Please try to describe precisely what you would like to do in
Cranelift/Wasmtime and/or expect from it. You can answer the questions below if
they're relevant and delete this text before submitting. Thanks for opening an
issue! -->

Feature

RELRO is a security feature that makes as much sections as possible readonly after performing dynamic relocations.
<!-- What is the feature or code improvement you would like to do in
Cranelift/Wasmtime? -->

Benefit

Improved security.
<!-- What is the value of adding this in Cranelift/Wasmtime? -->

Implementation

Cranelift will need to get a PIC mode that doesn't use a PLT, but only a GOT. Then cranelift-object will need to be changed to use .data.rel.ro instead of .data for relocatable readonly data objects. There may be other steps necessary. This should all be optional.

<!-- Do you have an implementation plan, and/or ideas for data structures or
algorithms to use? -->

Alternatives

Not implementing this and thus having a bit less security.
<!-- Have you considered alternative implementations? If so, how are they
better or worse than your proposal? -->

view this post on Zulip Wasmtime GitHub notifications bot (Jan 26 2023 at 19:59):

bjorn3 commented on issue #2288:

Cranelift-object now uses .data.rel.ro by default whenever possible. Using the GOT instead of PLT is not required for RELRO to work. Actually enabling RELRO is done using a linker flag, which Cranelift doesn't have any control over. Rustc does pass it by default on most targets.

view this post on Zulip Wasmtime GitHub notifications bot (Jan 26 2023 at 19:59):

bjorn3 closed issue #2288:

<!-- Please try to describe precisely what you would like to do in
Cranelift/Wasmtime and/or expect from it. You can answer the questions below if
they're relevant and delete this text before submitting. Thanks for opening an
issue! -->

Feature

RELRO is a security feature that makes as much sections as possible readonly after performing dynamic relocations.
<!-- What is the feature or code improvement you would like to do in
Cranelift/Wasmtime? -->

Benefit

Improved security.
<!-- What is the value of adding this in Cranelift/Wasmtime? -->

Implementation

Cranelift will need to get a PIC mode that doesn't use a PLT, but only a GOT. Then cranelift-object will need to be changed to use .data.rel.ro instead of .data for relocatable readonly data objects. There may be other steps necessary. This should all be optional.

<!-- Do you have an implementation plan, and/or ideas for data structures or
algorithms to use? -->

Alternatives

Not implementing this and thus having a bit less security.
<!-- Have you considered alternative implementations? If so, how are they
better or worse than your proposal? -->


Last updated: Dec 23 2024 at 12:05 UTC