Windows/Visual Studio control flow guard
Baesken, Matthias
matthias.baesken at sap.com
Fri May 10 12:56:14 UTC 2019
Hello, I wonder if some people have already looked into using Windows "control flow guard" in OpenJDK,
and can share the info they got.
See:
https://docs.microsoft.com/en-us/windows/desktop/SecBP/control-flow-guard
"Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities.
By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary
code through vulnerabilities such as buffer overflows. CFG extends previous exploit mitigation technologies such as /GS, DEP, and ASLR."
So it is basically a compiler+linker flag available in VS2015 and higher.
We have set it for a while in our internal OpenJDK nightly builds; no issues seen so far.
(However, I think more performance testing needs to be done.)
Patch I used (might need an additional check for VS2015+ version):
diff -r 23a04fe2aca2 make/autoconf/flags-cflags.m4
--- a/make/autoconf/flags-cflags.m4 Fri Apr 05 09:53:07 2019 -0400
+++ b/make/autoconf/flags-cflags.m4 Tue Apr 09 15:57:21 2019 +0200
@@ -501,9 +501,10 @@
ALWAYS_DEFINES_JVM="-D_REENTRANT"
ALWAYS_DEFINES_JDK="-D_GNU_SOURCE -D_REENTRANT -D_LARGEFILE64_SOURCE -DSTDC"
elif test "x$TOOLCHAIN_TYPE" = xmicrosoft; then
+ # enable Windows Control Flow Guard; this might need VS2015+
ALWAYS_DEFINES_JDK="-DWIN32_LEAN_AND_MEAN -D_CRT_SECURE_NO_DEPRECATE \
- -D_CRT_NONSTDC_NO_DEPRECATE -DWIN32 -DIAL"
- ALWAYS_DEFINES_JVM="-DNOMINMAX -DWIN32_LEAN_AND_MEAN"
+ -D_CRT_NONSTDC_NO_DEPRECATE -DWIN32 -DIAL -guard:cf"
+ ALWAYS_DEFINES_JVM="-DNOMINMAX -DWIN32_LEAN_AND_MEAN -guard:cf"
fi
###############################################################################
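Review bot: -guard:cf is a compiler option, not a preprocessor define, yet the two added lines append it to ALWAYS_DEFINES_JDK and ALWAYS_DEFINES_JVM next to the -D entries. Consider moving it to the microsoft-toolchain compiler flags so the defines variables stay defines-only, and gate it on the toolchain version, since the added comment itself says it might need VS2015+ and nothing in the hunk checks that. The new comment also sits above ALWAYS_DEFINES_JDK only, so the ALWAYS_DEFINES_JVM change reads as undocumented.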
diff -r 23a04fe2aca2 make/autoconf/flags-ldflags.m4
--- a/make/autoconf/flags-ldflags.m4 Fri Apr 05 09:53:07 2019 -0400
+++ b/make/autoconf/flags-ldflags.m4 Tue Apr 09 15:57:21 2019 +0200
@@ -94,7 +94,8 @@
BASIC_LDFLAGS_JVM_ONLY="-Wl,-lC_r -bbigtoc"
elif test "x$TOOLCHAIN_TYPE" = xmicrosoft; then
- BASIC_LDFLAGS="-nologo -opt:ref"
+ # enable Windows Control Flow Guard; this might need VS2015+
+ BASIC_LDFLAGS="-nologo -opt:ref -guard:cf"
BASIC_LDFLAGS_JDK_ONLY="-incremental:no"
BASIC_LDFLAGS_JVM_ONLY="-opt:icf,8 -subsystem:windows"
fi
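Review bot: the changed BASIC_LDFLAGS line adds -guard:cf unconditionally for every microsoft toolchain link, while the comment above it says the option might need VS2015+. Gate it on the same version check (or configure switch) as the compile-side -guard:cf in flags-cflags.m4, so the compiler and linker settings are always switched together and an older toolchain does not receive an option it may not accept.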
Thanks, Matthias