GCC (GNU Toolchain)
Tentative Definition of the Secret Attribute in GCC
<p>A critical challenge in C as a general-purpose language is the absence of the notion of secret data in its abstract machine. This results in information disclosure be poorly detected by compilers that lack the required semantics to model any vulnerability related to secrets leakage. Numerous dedicated tools have exists to overcome this limitation; each of which comes with its own annotation rules, tainting model, and more importantly, its own narrow scope for a specific disclosure vulnerability. Such discrepancy has created confusion for the concerned developers that are mostly unwilling to support multiple external tools, especially when they address one problem at a time. In this talk, we introduce the required C constructions to bring secrets to the GCC compiler through its system of attributes. The resulted framework, that we call GnuSecret, does not only define consistent notations and semantics to designate secrets directly in the Gnu-C language, but also propagates them throughout the program code by leveraging the symbolic execution engine embedded into the GCC Static Analyzer (GSA). Of particular interest, GnuSecret is not bound to a specific vulnerability, as its modular design allows it to virtually model any vulnerability related to the MITRE's CWE-200 and its children.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ud6215 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 1/31/26 |
<p>Welcome to the GCC (GNU Toolchain) devroom from the organizers.</p>
|
| 1/31/26 |
<p>RISC-V now spans 100+ extensions and over a thousand instructions. Binutils, QEMU, and other projects maintain separate instruction definitions, leading to duplication, mismatches, and slower support of new features.</p> <p>UDB provides a machine-readable, validated source of truth covering most of the ISA. Our generator currently produces Binutils and QEMU definitions directly from UDB, cutting the effort for standard and custom extension bring-up. And with automated CI checks against ...
|
| 1/31/26 |
<p>Version 6 of the DWARF debugging information format is still a work in progress, with many changes already accepted. This talk will focus on one fundamental change that has been accepted recently: "<a href="https://dwarfstd.org/issues/230524.1.html">Issue 230524.1</a>", also known as "Location Descriptions on the DWARF Stack".</p> <p>The compiler can emit small programs in a bytecode known as DWARF expressions that a consumer (usually a debugger) can evaluate in order to compute an object's ...
|
| 1/31/26 |
<p>We present a <a href="https://github.com/intel/dwarf-evaluator">DWARF-6 expression evaluator</a> implemented in OCaml. The evaluator is concise and lightweight. It aims to help tool developers learn and understand DWARF by examining the precise definitions of DWARF operators and by running examples. We believe this will be useful in particular with the "locations on the stack" change that's coming in DWARF-6.</p> <p>The evaluator comes with test cases, which can gradually turn into a ...
|
| 1/31/26 |
<p>Concurrency in pid 1 and systemd in general is a touchy subject. systemd is very trigger happy when it comes to forking and when combined with multithreading this causes all sorts of issues, so there's an unwritten policy to not use threads in systemd. This has lead to (in my opinion) a sprawling callback hell in every daemon and CLI in the project that performs concurrent operations.</p> <p>In this presentation I'll present my view on the issues with using threads in systemd and why ...
|
| 1/31/26 |
<p>Last year the GCC COBOL runtime library added libxml2 as a dependency because COBOL defines XML parsing and generation as part of the language. Thus was born an engineering challenge and controversy. Should libxml2 become part of GCC? Should it be linked statically or dynamically? Who will be responsible for CVE reports and security updates? Who, indeed, will maintain libxml2, now that the maintainer has stepped down? </p> <p>Just what every compiler project wonts on their plate on a Monday ...
|
| 1/31/26 |
<p>A brief introduction to GNU Algol 68 programming language through showcasing a real-world baremetal project. We'll cover: - How to setup GNU Algol 68 toolchain for baremetal platforms (Arm and RISC-V microcontrollers). - How to call C code to access machine's capabilities.</p>
|
