.. _hardening: =============== Hardening Modes =============== .. contents:: :local: .. _using-hardening-modes: Using hardening modes ===================== libc++ provides several hardening modes, where each mode enables a set of assertions that prevent undefined behavior caused by violating preconditions of the standard library. Different hardening modes make different trade-offs between the amount of checking and runtime performance. The available hardening modes are: - **Unchecked mode/none**, which disables all hardening checks. - **Fast mode**, which contains a set of security-critical checks that can be done with relatively little overhead in constant time and are intended to be used in production. We recommend most projects adopt this. - **Extensive mode**, which contains all the checks from fast mode and some additional checks for undefined behavior that incur relatively little overhead but aren't security-critical. Production builds requiring a broader set of checks than fast mode should consider enabling extensive mode. The additional rigour impacts performance more than fast mode: we recommend benchmarking to determine if that is acceptable for your program. - **Debug mode**, which enables all the available checks in the library, including heuristic checks that might have significant performance overhead as well as internal library assertions. This mode should be used in non-production environments (such as test suites, CI, or local development). We don’t commit to a particular level of performance in this mode and it’s *not* intended to be used in production. .. note:: Enabling hardening has no impact on the ABI. Notes for users --------------- As a libc++ user, consult with your vendor to determine the level of hardening enabled by default. Users wishing for a different hardening level to their vendor default are able to control the level by passing **one** of the following options to the compiler: - ``-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_NONE`` - ``-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST`` - ``-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE`` - ``-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG`` .. warning:: The exact numeric values of these macros are unspecified and users should not rely on them (e.g. expect the values to be sorted in any way). .. warning:: If you would prefer to override the hardening level on a per-translation-unit basis, you must do so **before** including any headers to avoid `ODR issues`_. .. _`ODR issues`: https://en.cppreference.com/w/cpp/language/definition#:~:text=is%20ill%2Dformed.-,One%20Definition%20Rule,-Only%20one%20definition .. note:: Since the static and shared library components of libc++ are built by the vendor, setting this macro will have no impact on the hardening mode for the pre-built components. Most libc++ code is header-based, so a user-provided value for ``_LIBCPP_HARDENING_MODE`` will be mostly respected. Notes for vendors ----------------- Vendors can set the default hardening mode by providing ``LIBCXX_HARDENING_MODE`` as a configuration option, with the possible values of ``none``, ``fast``, ``extensive`` and ``debug``. The default value is ``none`` which doesn't enable any hardening checks (this mode is sometimes called the ``unchecked`` mode). This option controls both the hardening mode that the precompiled library is built with and the default hardening mode that users will build with. If set to ``none``, the precompiled library will not contain any assertions, and user code will default to building without assertions. Vendors can also override the way the program is terminated when an assertion fails by :ref:`providing a custom header `. Assertion categories ==================== Inside the library, individual assertions are grouped into different *categories*. Each hardening mode enables a different set of assertion categories; categories provide an additional layer of abstraction that makes it easier to reason about the high-level semantics of a hardening mode. .. note:: Users are not intended to interact with these categories directly -- the categories are considered internal to the library and subject to change. - ``valid-element-access`` -- checks that any attempts to access a container element, whether through the container object or through an iterator, are valid and do not attempt to go out of bounds or otherwise access a non-existent element. This also includes operations that set up an imminent invalid access (e.g. incrementing an end iterator). For iterator checks to work, bounded iterators must be enabled in the ABI. Types like ``std::optional`` and ``std::function`` are considered containers (with at most one element) for the purposes of this check. - ``valid-input-range`` -- checks that ranges (whether expressed as an iterator pair, an iterator and a sentinel, an iterator and a count, or a ``std::range``) given as input to library functions are valid: - the sentinel is reachable from the begin iterator; - TODO(hardening): both iterators refer to the same container. ("input" here refers to "an input given to an algorithm", not to an iterator category) Violating assertions in this category leads to an out-of-bounds access. - ``non-null`` -- checks that the pointer being dereferenced is not null. On most modern platforms, the zero address does not refer to an actual location in memory, so a null pointer dereference would not compromise the memory security of a program (however, it is still undefined behavior that can result in strange errors due to compiler optimizations). - ``non-overlapping-ranges`` -- for functions that take several ranges as arguments, checks that those ranges do not overlap. - ``valid-deallocation`` -- checks that an attempt to deallocate memory is valid (e.g. the given object was allocated by the given allocator). Violating this category typically results in a memory leak. - ``valid-external-api-call`` -- checks that a call to an external API doesn't fail in an unexpected manner. This includes triggering documented cases of undefined behavior in an external library (like attempting to unlock an unlocked mutex in pthreads). Any API external to the library falls under this category (from system calls to compiler intrinsics). We generally don't expect these failures to compromise memory safety or otherwise create an immediate security issue. - ``compatible-allocator`` -- checks any operations that exchange nodes between containers to make sure the containers have compatible allocators. - ``argument-within-domain`` -- checks that the given argument is within the domain of valid arguments for the function. Violating this typically produces an incorrect result (e.g. ``std::clamp`` returns the original value without clamping it due to incorrect functors) or puts an object into an invalid state (e.g. a string view where only a subset of elements is accessible). This category is for assertions violating which doesn't cause any immediate issues in the library -- whatever the consequences are, they will happen in the user code. - ``pedantic`` -- checks preconditions that are imposed by the Standard, but violating which happens to be benign in libc++. - ``semantic-requirement`` -- checks that the given argument satisfies the semantic requirements imposed by the Standard. Typically, there is no simple way to completely prove that a semantic requirement is satisfied; thus, this would often be a heuristic check and it might be quite expensive. - ``internal`` -- checks that internal invariants of the library hold. These assertions don't depend on user input. - ``uncategorized`` -- for assertions that haven't been properly classified yet. This category is an escape hatch used for some existing assertions in the library; all new code should have its assertions properly classified. Mapping between the hardening modes and the assertion categories ================================================================ .. list-table:: :header-rows: 1 :widths: auto * - Category name - ``fast`` - ``extensive`` - ``debug`` * - ``valid-element-access`` - ✅ - ✅ - ✅ * - ``valid-input-range`` - ✅ - ✅ - ✅ * - ``non-null`` - ❌ - ✅ - ✅ * - ``non-overlapping-ranges`` - ❌ - ✅ - ✅ * - ``valid-deallocation`` - ❌ - ✅ - ✅ * - ``valid-external-api-call`` - ❌ - ✅ - ✅ * - ``compatible-allocator`` - ❌ - ✅ - ✅ * - ``argument-within-domain`` - ❌ - ✅ - ✅ * - ``pedantic`` - ❌ - ✅ - ✅ * - ``semantic-requirement`` - ❌ - ❌ - ✅ * - ``internal`` - ❌ - ❌ - ✅ * - ``uncategorized`` - ❌ - ✅ - ✅ .. note:: At the moment, each subsequent hardening mode is a strict superset of the previous one (in other words, each subsequent mode only enables additional assertion categories without disabling any), but this won't necessarily be true for any hardening modes that might be added in the future. .. note:: The categories enabled by each mode are subject to change and users should not rely on the precise assertions enabled by a mode at a given point in time. However, the library does guarantee to keep the hardening modes stable and to fulfill the semantics documented here. Hardening assertion failure =========================== In production modes (``fast`` and ``extensive``), a hardening assertion failure immediately ``_traps `` the program. This is the safest approach that also minimizes the code size penalty as the failure handler maps to a single instruction. The downside is that the failure provides no additional details other than the stack trace (which might also be affected by optimizations). TODO(hardening): describe ``__builtin_verbose_trap`` once we can use it. In the ``debug`` mode, an assertion failure terminates the program in an unspecified manner and also outputs the associated error message to the error output. This is less secure and increases the size of the binary (among other things, it has to store the error message strings) but makes the failure easier to debug. It also allows testing the error messages in our test suite. .. _override-assertion-handler: Overriding the assertion failure handler ---------------------------------------- Vendors can override the default assertion handler mechanism by following these steps: - create a header file that provides a definition of a macro called ``_LIBCPP_ASSERTION_HANDLER``. The macro will be invoked when a hardening assertion fails, with a single parameter containing a null-terminated string with the error message. - when configuring the library, provide the path to custom header (relative to the root of the repository) via the CMake variable ``LIBCXX_ASSERTION_HANDLER_FILE``. Note that almost all libc++ headers include the assertion handler header which means it should not include anything non-trivial from the standard library to avoid creating circular dependencies. There is no existing mechanism for users to override the assertion handler because the ability to do the override other than at configure-time carries an unavoidable code size penalty that would otherwise be imposed on all users, whether they require such customization or not. Instead, we let vendors decide what's right on their platform for their users -- a vendor who wishes to provide this capability is free to do so, e.g. by declaring the assertion handler as an overridable function. ABI === Setting a hardening mode does **not** affect the ABI. Each mode uses the subset of checks available in the current ABI configuration which is determined by the platform. It is important to stress that whether a particular check is enabled depends on the combination of the selected hardening mode and the hardening-related ABI options. Some checks require changing the ABI from the "default" to store additional information in the library classes -- e.g. checking whether an iterator is valid upon dereference generally requires storing data about bounds inside the iterator object. Using ``std::span`` as an example, setting the hardening mode to ``fast`` will always enable the ``valid-element-access`` checks when accessing elements via a ``std::span`` object, but whether dereferencing a ``std::span`` iterator does the equivalent check depends on the ABI configuration. ABI options ----------- Vendors can use the following ABI options to enable additional hardening checks: - ``_LIBCPP_ABI_BOUNDED_ITERATORS`` -- changes the iterator type of select containers (see below) to a bounded iterator that keeps track of whether it's within the bounds of the original container and asserts valid bounds on every dereference. ABI impact: changes the iterator type of the relevant containers. Supported containers: - ``span``; - ``string_view``. - ``_LIBCPP_ABI_BOUNDED_ITERATORS_IN_STRING`` -- changes the iterator type of ``basic_string`` to a bounded iterator that keeps track of whether it's within the bounds of the original container and asserts it on every dereference and when performing iterator arithmetics. ABI impact: changes the iterator type of ``basic_string`` and its specializations, such as ``string`` and ``wstring``. - ``_LIBCPP_ABI_BOUNDED_ITERATORS_IN_VECTOR`` -- changes the iterator type of ``vector`` to a bounded iterator that keeps track of whether it's within the bounds of the original container and asserts it on every dereference and when performing iterator arithmetics. Note: this doesn't yet affect ``vector``. ABI impact: changes the iterator type of ``vector`` (except ``vector``). - ``_LIBCPP_ABI_BOUNDED_UNIQUE_PTR``` -- tracks the bounds of the array stored inside a ``std::unique_ptr``, allowing it to trap when accessed out-of-bounds. This requires the ``std::unique_ptr`` to be created using an API like ``std::make_unique`` or ``std::make_unique_for_overwrite``, otherwise the bounds information is not available to the library. ABI impact: changes the layout of ``std::unique_ptr``, and the representation of a few library types that use ``std::unique_ptr`` internally, such as the unordered containers. - ``_LIBCPP_ABI_BOUNDED_ITERATORS_IN_STD_ARRAY`` -- changes the iterator type of ``std::array`` to a bounded iterator that keeps track of whether it's within the bounds of the container and asserts it on every dereference and when performing iterator arithmetic. ABI impact: changes the iterator type of ``std::array``, its size and its layout. ABI tags -------- We use ABI tags to allow translation units built with different hardening modes to interact with each other without causing ODR violations. Knowing how hardening modes are encoded into the ABI tags might be useful to examine a binary and determine whether it was built with hardening enabled. .. warning:: We don't commit to the encoding scheme used by the ABI tags being stable between different releases of libc++. The tags themselves are never stable, by design -- new releases increase the version number. The following describes the state of the latest release and is for informational purposes only. The first character of an ABI tag encodes the hardening mode: - ``f`` -- [f]ast mode; - ``s`` -- extensive ("[s]afe") mode; - ``d`` -- [d]ebug mode; - ``n`` -- [n]one mode. Hardened containers status ========================== .. list-table:: :header-rows: 1 :widths: auto * - Name - Member functions - Iterators (ABI-dependent) * - ``span`` - ✅ - ✅ * - ``string_view`` - ✅ - ✅ * - ``array`` - ✅ - ❌ * - ``vector`` - ✅ - ✅ (see note) * - ``string`` - ✅ - ✅ (see note) * - ``list`` - ✅ - ❌ * - ``forward_list`` - ❌ - ❌ * - ``deque`` - ✅ - ❌ * - ``map`` - ❌ - ❌ * - ``set`` - ❌ - ❌ * - ``multimap`` - ❌ - ❌ * - ``multiset`` - ❌ - ❌ * - ``unordered_map`` - Partial - Partial * - ``unordered_set`` - Partial - Partial * - ``unordered_multimap`` - Partial - Partial * - ``unordered_multiset`` - Partial - Partial * - ``mdspan`` - ✅ - ❌ * - ``optional`` - ✅ - N/A * - ``function`` - ❌ - N/A * - ``variant`` - N/A - N/A * - ``any`` - N/A - N/A * - ``expected`` - ✅ - N/A * - ``valarray`` - Partial - N/A * - ``bitset`` - ❌ - N/A Note: for ``vector`` and ``string``, the iterator does not check for invalidation (accesses made via an invalidated iterator still lead to undefined behavior) Note: ``vector`` iterator is not currently hardened. Testing ======= Please see :ref:`Testing documentation `. Further reading =============== - `Hardening RFC `_: contains some of the design rationale.