The C language has historically suffered from a lack of proper bounds-checking on all types of arrays. The Linux Kernel Self-Protection Project has been addressing this issue for several years. In this presentation, we’ll learn about the most recent hardening efforts to resolve the problem of bounds-checking, particularly for fixed-size and flexible arrays.

We’ll explore the different mechanisms being used to harden key APIs like memcpy() against buffer overflows, which include the use of some interesting built-in compiler functions. We’ll also talk about a couple of recent compiler options like -fstrict-flex-arrays and -Wflex-array-member-not-at-counted_by attribute introduced in Clang 18 and GCC 15, which helps us gain run-time bounds-checking coverage on flexible arrays.

Overall, we’ll discuss how various challenges have been overcome, and highlight the innovations developed to solve the problem of array boundschecking in both C and the upstream Linux kernel once and for all.

Sobre el ponente:

Gustavo A. R. Silva works full-time as an Upstream Linux Kernel Engineer focused on hardening and proactive security. He has spent the past several years fixing all sorts of bugs and hardening the Linux kernel. His work is supported by The Linux Foundation and the Alpha-Omega project.

He’s a member of the Linux Kernel Self-Protection Project, and a regular speaker at Kernel Recipes and Open Source Summit. He has also presented at Linux Security Summit, Lund LinuxCon, Linux Plumbers Conference, Everything Open, The University of Adelaide, and Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC) as an invited speaker.