Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit f5573fde authored by Ken Chen's avatar Ken Chen
Browse files

Enable CFI (Control Flow Integrity) 

Enable Control Flow Integrity in DNS resolver

There is no significant difference in PSS (Proportional Set Size) between
non-CFI and CFI binaries. Th performance overhead is also negligible
according to [1][2].

non-CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1556 kB | 1528 kB | 1592 kB | 1559 kB |
| RssFile   | 4792 kB | 4872 kB | 4648 kB | 4771 kB |
| RssShmem  | 176 kB  | 176 kB  | 172 kB  | 175 kB  |
| Total PSS | 4381 kB | 4386 kB | 4437 kB | 4401 kB |
+-----------+---------+---------+---------+---------+

CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1604 kB | 1608 kB | 1592 kB | 1601 kB |
| RssFile   | 4528 kB | 4892 kB | 4916 kB | 4779 kB |
| RssShmem  | 176 kB  | 176 kB  | 176 kB  | 176 kB  |
| Total PSS | 3962 kB | 4523 kB | 4483 kB | 4323 kB |
+-----------+---------+---------+---------+---------+

Binary size of aarch64 (bytes)
+----------------------+---------+--------+
|                      | non-CFI |  CFI   |
+----------------------+---------+--------+
| libnetd_resolv       |  668584 | 734552 |
+----------------------+---------+--------+

[1] https://source.android.com/devices/tech/debug/cfi
[2] http://clang.llvm.org/docs/ControlFlowIntegrity.html#performance

Bug: 146408702
Test: AOSP master:
      1. patch commit to enable CFI on both netd and resolver.
      2. m
      3. flash ROM.
      4. atest under system/netd/

      Compatibility:
      1. flash Android Q ROM.
      2. patch commit enabling CFI on both netd and resolver in branch
         qt-aml-resolv-release.
      3. build com.android.resolv in branch qt-aml-resolv-release.
      4. adb install CFI enabled resolver apex into Q device (non-CFI
         netd).
      5. atest under packages/modules/DnsResolver.


Change-Id: I65ce931d57bd285e1c49c34b4231f8151380eae3
parent 0452b8cf
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment