
classification
Title: Allow enabling control flow guard in Windows build
Type: security
Stage: resolved
Components: Build, Windows
Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: steve.dower
Nosy List: miss-islington, neonene, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords: patch

Created on 2021-06-10 17:07 by steve.dower, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 26645 merged steve.dower, 2021-06-10 17:10
PR 26681 merged miss-islington, 2021-06-11 20:35
PR 26682 merged miss-islington, 2021-06-11 20:36
Messages (7)
msg395556 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-10 17:07
Currently we don't enable CFG (which is runtime protection against code injection into tables), because it likely has a performance impact and the kind of attack is outside our scope.

However, we should make it easier to build CPython with CFG enabled, so that third-parties who do want to include it in their scope can do so.
msg395557 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-10 17:12
FWIW, I don't actually know what the performance impact is. I'm not set up for running the perf benchmarks, and I don't know if anyone else is (on Windows), but if someone would like to then it'll be easier once the environment option to enable it is in there.
msg395661 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-11 20:35
New changeset 5af56c6f2a0d11df37fed7ecaaf321cf6926ba13 by Steve Dower in branch 'main':
bpo-44381: Windows build now allows enabling control flow guard (GH-26645)
https://github.com/python/cpython/commit/5af56c6f2a0d11df37fed7ecaaf321cf6926ba13
msg395662 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-06-11 21:17
New changeset 9580d3894ad158ae909e7573a02dcd087de0b673 by Miss Islington (bot) in branch '3.9':
bpo-44381: Windows build now allows enabling control flow guard (GH-26645)
https://github.com/python/cpython/commit/9580d3894ad158ae909e7573a02dcd087de0b673
msg395663 - Author: miss-islington (miss-islington) Date: 2021-06-11 21:21
New changeset 42612db10792dd069149063f67a3b1db700bc7ee by Miss Islington (bot) in branch '3.10':
bpo-44381: Windows build now allows enabling control flow guard (GH-26645)
https://github.com/python/cpython/commit/42612db10792dd069149063f67a3b1db700bc7ee
msg400281 - Author: neonene (neonene) Date: 2021-08-25 18:12
I'd like to leave my pyperformance (x64) results here.
cpython: ae5259171b8ef62165e061b9dea7ad645a5131a2 (2021-8-23)

1) release + CFG      : 1.00x

2) release + CFG,/Ob3 : 1.05x faster | 41 faster
                                     |  9 slower
                                     |  8 not significant

3) release (default)  : 1.07x faster | 52 faster
                                     |  4 slower (regex_v8,
                                     |            regex_effbot,
                                     |            nbody,
                                     |            hexiom)
                                     |  2 not significant

4) release + /Ob3     : 1.11x faster | 56 faster
                                     |  1 slower (regex_v8)
                                     |  1 not significant (regex_dna)

5) PGO + CFG          : 1.15x faster | 53 faster
                                     |  2 slower (regex_dna,
                                     |            pidigits)
                                     |  3 not significant

6) PGO + CFG,/Ob3     : 1.15x faster | 54 faster
                                     |  1 slower (regex_dna)
                                     |  3 not significant

7) PGO (default)      : 1.21x faster | 56 faster
                                     |  1 slower (regex_dna)
                                     |  1 not significant (regex_effbot)

8) PGO + /Ob3         : 1.21x faster | 57 faster
                                     |  1 slower (regex_dna)
                                     |  0 not significant
msg400294 - Author: Steve Dower (steve.dower) (Python committer) Date: 2021-08-25 19:34
That looks to me like no impact at all, which is great to see!
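
Whether a given Windows build actually has control flow guard enabled can be checked from the resulting binary: the linker records it as the GUARD_CF bit (0x4000) in the DllCharacteristics word of the PE optional header. The following is an added example, not code from CPython or from this thread; `sample_image` produces a constructed header-only image for demonstration, and the check reads only the header flag, not the load configuration's guard tables.

```python
import struct
import sys
from pathlib import Path

# Bit values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
         0x0100: "NX_COMPAT", 0x4000: "GUARD_CF"}
PE32, PE32_PLUS = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # same offset in the PE32 and PE32+ optional header


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = pe_off + 4 + 20  # skip signature and COFF file header
    if len(data) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32, PE32_PLUS) or opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("unsupported or truncated optional header")
    return struct.unpack_from("<H", data, opt_off + DLLCHAR_OFFSET)[0]


def mitigation_flags(data: bytes) -> set:
    """Names of the mitigation-related DllCharacteristics bits that are set."""
    value = dll_characteristics(data)
    return {name for bit, name in FLAGS.items() if value & bit}


def sample_image(flags: int, magic: int = PE32_PLUS) -> bytes:
    """Constructed header-only PE image for demonstration (not a real binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the built interpreter DLL and EXE
        found = mitigation_flags(Path(path).read_bytes())
        print(f"{path}: CFG {'on' if 'GUARD_CF' in found else 'off'} {sorted(found)}")
```
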
History
Date User Action Args
2022-04-11 14:59:46 admin set github: 88547
2021-08-25 19:34:26 steve.dower set messages: + msg400294
2021-08-25 18:12:21 neonene set nosy: + neonene; messages: + msg400281
2021-06-11 21:39:25 steve.dower set status: open -> closed; resolution: fixed; stage: patch review -> resolved
2021-06-11 21:21:18 miss-islington set messages: + msg395663
2021-06-11 21:17:14 steve.dower set messages: + msg395662
2021-06-11 20:36:03 miss-islington set pull_requests: + pull_request25269
2021-06-11 20:35:57 miss-islington set nosy: + miss-islington; pull_requests: + pull_request25268
2021-06-11 20:35:48 steve.dower set messages: + msg395661
2021-06-10 17:12:44 steve.dower set messages: + msg395557
2021-06-10 17:10:58 steve.dower set keywords: + patch; stage: patch review; pull_requests: + pull_request25231
2021-06-10 17:07:15 steve.dower create