Presenting at Open Source Summit Korea 2025

First time in South Korea. Three talks in two days. Over 200 minutes of public speaking. Two packed rooms. Made new connections. (My luggage arrived four days after me. 😅)

This week was very intense, and I’ll never forget this first visit to Seoul. I’m a bit exhausted right now, but really grateful.

Thanks, Korea! 🙏🏼🇰🇷♥️

See the abstracts and slides from my presentations below.

Enhancing spatial safety: Better array-bounds checking in C (and Linux)

The C language has historically suffered from a lack of proper bounds-checking on all types of arrays. The Linux Kernel Self-Protection Project has been addressing this issue for several years. In this presentation, we’ll learn about the most recent hardening efforts to resolve the problem of bounds-checking, particularly for fixed-size and flexible arrays.

We’ll explore the different mechanisms being used to harden key APIs like memcpy() against buffer overflows, which includes the use of some interesting built-in compiler functions. We’ll also talk about a couple of recent compiler options like -fstrict-flex-arrays and -Wflex-array-member-not-at-end, as well as the new counted_by attribute introduced in Clang 18 and GCC 15, which helps us gain run-time bounds-checking coverage on flexible arrays.

Overall, we’ll discuss how various challenges have been overcome, and highlight the innovations developed to solve the problem of array bounds-checking in both C and the Linux kernel once and for all.

[Slides: ab-osskr2025]

I delivered the above (90-minute) presentation on November 4 and 5. The slides are basically the same for both sessions.

Below is the video of the presentation I gave on Nov 5. They haven’t uploaded the recording of the presentation on Nov 4, but as soon as it’s up, I’ll add it to my Presentations page. I personally liked that presentation better because the room was packed and people asked a lot of questions and made some comments.

Upstream Kernel Hardening: Progress on enabling -Wflex-array-member-not-at-end

The -Wflex-array-member-not-at-end compiler option was introduced in GCC 14. It warns about flexible-array members in the middle of composite structures. At the time, it revealed around 60,000 warnings in the upstream Linux kernel. While the vast majority of these are duplicates, about 650 are unique and require individual auditing and resolution. These issues fall into various categories and differ in complexity, which adds to the challenge of globally enabling this flag upstream.

In this presentation, we’ll share the progress we’ve made on this work as part of the Linux Kernel Self-Protection Project (KSPP) over the last year. We’ll go over the challenges we’ve encountered, show concrete code examples, and demonstrate how to fix these kinds of problems. We’ll also discuss why enabling this option is important for the kernel, and how we plan to complete this work in the near future.

Whether you’re a seasoned kernel developer or someone looking to start contributing upstream, this presentation will introduce useful helpers and strategies you can use to fix existing code or implement new functionality, and in doing so, help us harden the Linux kernel for the benefit of everyone.
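The layout hazard behind -Wflex-array-member-not-at-end, shown here as an added example that is not taken from the talk, the slides or the kernel tree. The struct names are hypothetical, and embedding a header type without the flexible array is only one possible fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header ending in a flexible-array member (FAM). */
struct pkt_hdr {
    uint32_t len;
    uint8_t  payload[];      /* adds nothing to sizeof(struct pkt_hdr) */
};

/* The pattern the option warns about: the FAM is no longer at the end. */
struct bad_cmd {
    struct pkt_hdr hdr;      /* hdr.payload[] begins where 'flags' begins */
    uint32_t       flags;
};

/* One possible fix (an assumption here): embed a header type without the FAM. */
struct pkt_hdr_fixed { uint32_t len; };
struct good_cmd {
    struct pkt_hdr_fixed hdr;
    uint32_t             flags;
};

/* Bytes between hdr.payload[0] and flags; 0 means they share storage. */
static size_t payload_to_flags_gap(void)
{
    return offsetof(struct bad_cmd, flags) -
           (offsetof(struct bad_cmd, hdr) + offsetof(struct pkt_hdr, payload));
}

/* Store n bytes at the address of hdr.payload and return flags afterwards.
 * The address is computed with offsetof so the demo stays well defined. */
static uint32_t flags_after_payload_write(size_t n)
{
    struct bad_cmd cmd = { .flags = 0x11111111u };
    unsigned char *payload = (unsigned char *)&cmd +
        offsetof(struct bad_cmd, hdr) + offsetof(struct pkt_hdr, payload);
    memset(payload, 0xAA, n);    /* n must not exceed sizeof(cmd.flags) */
    return cmd.flags;
}

int main(void)
{
    printf("gap between payload[] and flags: %zu bytes\n", payload_to_flags_gap());
    printf("flags after 4-byte payload write: 0x%08x\n",
           (unsigned)flags_after_payload_write(4));
    return 0;
}
```

Any store through `hdr.payload` in `struct bad_cmd` lands on `flags`, which is why each of these declarations has to be audited; `struct good_cmd` keeps the same size with no aliasing.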

[Slides: wfamnae-osskr2025]

Linux Kernel Self-Protection Project 🛡⚔️🐧

Gustavo A. R. Silva
Gustavo A. R. Silva works full-time as an Upstream Linux Kernel Engineer focused on hardening and proactive security. He has spent the past several years fixing all sorts of bugs and hardening the Linux kernel. His work is supported by The Linux Foundation and the Alpha-Omega project. He’s a member of the Linux Kernel Self-Protection Project, and a regular speaker at Kernel Recipes and Open Source Summit. He has also presented at Linux Security Summit, Lund LinuxCon, Linux Plumbers Conference, Everything Open, The University of Adelaide, and Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC) as an invited speaker.
