
232 points pjmlp | 1 comment
mid-kid No.43536251
While all of these are very useful, you'll find that a lot of these are already enabled by default in many distributions of the gcc compiler. Sometimes they're embedded in the compiler itself through a patch or configure flag, and sometimes they're added through CFLAGS variables during the compilation of distribution packages. I can only really speak of Gentoo, but here's a non-exhaustive list:

* -fPIE is enabled with --enable-default-pie in GCC's ./configure script

* -fstack-protector-strong is enabled with --enable-default-ssp in GCC's ./configure script

* -Wl,-z,relro is enabled with --enable-relro in Binutils' ./configure script

* -Wp,-D_FORTIFY_SOURCE=2, -fstack-clash-protection, -Wl,-z,now and -fcf-protection=full are enabled by default through patches to GCC in Gentoo.

* -Wl,--as-needed is enabled through the default LDFLAGS

For reference, here are the default compiler flags for a few other distributions. Note that these don't include GCC patches:

* Arch Linux: https://gitlab.archlinux.org/archlinux/packaging/packages/pa...

* Alpine Linux: https://gitlab.alpinelinux.org/alpine/abuild/-/blob/master/d...

* Debian: It's a tiny bit more obscure, but running `dpkg-buildflags` on a fresh container returns the following: CFLAGS=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/home/<myuser>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection

jpfr No.43536607
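A way to check mid-kid's point against the gcc actually installed on a box, as an added example that is not part of the thread: a POSIX shell script that reads the configure switches from `gcc -v` and the predefined macros from `gcc -dM -E`, and reports which of the flags listed above are on by default. The macro names (`__pie__`, `__SSP__`/`__SSP_STRONG__`/`__SSP_ALL__`, `_FORTIFY_SOURCE`, `__CET__`) are GCC's own; the function names are mine and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Discover which hardening flags a distribution's gcc turns on by default,
# without trusting the distro's documentation. Two independent sources:
#   1. the configure switches baked into the compiler ("gcc -v"), and
#   2. the macros gcc predefines for an empty C file ("gcc -dM -E"), which
#      also reflect distro patches and spec-file defaults.
# Linker-side defaults (-z relro from binutils' --enable-relro, -z now,
# --as-needed) and -fstack-clash-protection leave no predefined macro;
# confirm those on a linked binary instead (readelf -lW for a GNU_RELRO
# segment, readelf -dW for FLAGS BIND_NOW).

# Extract gcc's own hardening configure switches from a "Configured with:"
# line read on stdin, e.g. "Configured with: ../configure --enable-default-pie".
configure_defaults() {
    tr ' ' '\n' | grep -E '^--enable-default-(pie|ssp)$' | LC_ALL=C sort -u
}

# Translate predefined macros (gcc -dM -E output on stdin, lines such as
# "#define __SSP_STRONG__ 3") into the compiler flag they imply.
macro_defaults() {
    awk '
        $2 == "__pie__"         { print "-fPIE (default PIE)" }
        $2 == "__SSP__"         { print "-fstack-protector" }
        $2 == "__SSP_STRONG__"  { print "-fstack-protector-strong" }
        $2 == "__SSP_ALL__"     { print "-fstack-protector-all" }
        $2 == "_FORTIFY_SOURCE" { print "-D_FORTIFY_SOURCE=" $3 }
        $2 == "__CET__"         { print "-fcf-protection (CET bits " $3 ")" }
    ' | LC_ALL=C sort -u
}

# Run both probes against the local gcc when one is installed. -O2 matters:
# distro _FORTIFY_SOURCE patches only define the macro when optimizing.
if command -v gcc >/dev/null 2>&1; then
    echo "== configure switches =="
    gcc -v 2>&1 | grep '^Configured with:' | configure_defaults
    echo "== defaults visible as predefined macros (-O2, like a package build) =="
    echo | gcc -x c -O2 -dM -E - | macro_defaults
fi
```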
Most of these are implicit with -fhardened.

https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.h...

dapperdrake No.43537145
Finally.