Ubuntu 19.10 To Harden Its Compiler With Stack Clash Protection & Intel CET

Written by Michael Larabel in Ubuntu on 19 June 2019 at 06:37 AM EDT.
Alongside the discontinuation of i386 support, Canonical has announced another change in the works for Ubuntu 19.10: compiler hardening.

In the name of increased security, the GCC 9 compiler shipped with Ubuntu 19.10 will enable two additional hardening flags by default: -fstack-clash-protection and -fcf-protection.

Stack clash protection is designed to fend off stack clash attacks: the compiler emits probes that touch each page of a large stack allocation as it is made, so an attempt to jump over the stack guard page results in a segmentation fault rather than a silent overlap with another memory region.

The -fcf-protection flag enables Intel Control-Flow Enforcement Technology (CET). CET fends off ROP and COP/JOP-style attacks through indirect branch tracking and a shadow stack. Linux CET support came together over the past year, though the protection is only enforced on the newest Intel CPUs; on older CPUs the added instructions are treated as a no-op.
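A practical question for a package maintainer or auditor is how to tell whether a given binary was actually built with -fcf-protection. The toolchain records this in the ELF .note.gnu.property section as a GNU_PROPERTY_X86_FEATURE_1_AND property whose bits mark IBT and SHSTK; `readelf -n` prints the same information. The following parser is an added example written for this article, not code from Canonical, GCC or the Phoronix author; the constants are the ones defined by the x86-64 psABI, the note blob in `build_property_note` is constructed sample data, and `x86_features_of_elf` assumes a little-endian ELF64 input.

```python
import struct
from typing import Set

# ELF note and property constants from the GNU ABI / x86-64 psABI extensions.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0    # indirect branch tracking
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1  # shadow stack


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def parse_x86_features(note_section: bytes, align: int = 8) -> Set[str]:
    """Walk the raw bytes of a .note.gnu.property section and return the CET
    feature names (IBT, SHSTK) asserted by GNU_PROPERTY_X86_FEATURE_1_AND."""
    features: Set[str] = set()
    off = 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from("<III", note_section, off)
        off += 12
        name = note_section[off:off + namesz]
        off += _align(namesz, align)
        desc = note_section[off:off + descsz]
        off += _align(descsz, align)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        # The descriptor is a list of (pr_type, pr_datasz, pr_data) entries,
        # each padded to the note alignment (8 bytes on x86-64).
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            data = desc[p:p + pr_datasz]
            p += _align(pr_datasz, align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                bits = struct.unpack_from("<I", data)[0]
                if bits & GNU_PROPERTY_X86_FEATURE_1_IBT:
                    features.add("IBT")
                if bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK:
                    features.add("SHSTK")
    return features


def build_property_note(bits: int) -> bytes:
    """Construct a .note.gnu.property blob laid out the way the linker emits it
    for x86-64 (constructed sample data for the example, not from a real binary)."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    desc += b"\0" * (_align(len(desc), 8) - len(desc))  # descsz includes padding
    name = b"GNU\0"
    hdr = struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0)
    return hdr + name + b"\0" * (_align(len(name), 8) - len(name)) + desc


def x86_features_of_elf(path: str) -> Set[str]:
    """Locate .note.gnu.property in a little-endian ELF64 file by walking its
    section header table, then parse it. An empty set means no CET markers."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def shdr(i: int):
        base = e_shoff + i * e_shentsize
        sh_name = struct.unpack_from("<I", elf, base)[0]
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, base + 0x18)
        return sh_name, sh_offset, sh_size

    _, strtab_off, _ = shdr(e_shstrndx)
    for i in range(e_shnum):
        sh_name, off, size = shdr(i)
        end = elf.index(b"\0", strtab_off + sh_name)
        if elf[strtab_off + sh_name:end] == b".note.gnu.property":
            return parse_x86_features(elf[off:off + size])
    return set()


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, sorted(x86_features_of_elf(p)) or "no CET markers")
```

Run it as `python3 cet_check.py /path/to/binary` (file name assumed) to list the IBT and SHSTK markers of each binary; a shared library that lacks the markers will prevent CET from being enforced for the whole process, which is why distributions care about having the flag on by default across the archive. Stack clash protection leaves no such ELF marker; the only way to confirm it is to inspect the disassembly for the page probes emitted around large stack allocations.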

Confirmation that these GCC hardening flags are being enabled by default, along with other details, can be found in this mailing list post.

Ubuntu 19.10 will ship with the new GCC 9 compiler release as well as the newest Glibc and other components, as this is the cycle prior to Ubuntu 20.04 LTS.