
C Compiler Hardening

References

Follow Siddhesh Poyarekar for compiler hardening improvements.

Follow Kees Cook for compiler hardening improvements to the Linux Kernel.

Relevant presentations at GNU Tools Cauldron and Linux Security Summit.

Videos

jvoisin/compiler-flags-distro

Compiler flag defaults used across distros to build packages.

_FORTIFY_SOURCE=3

Mitigates buffer overflows and unsafe libc use.

-fstack-protector-strong

Enables run-time detection of stack buffer overflows using a stack canary. Has more coverage than -fstack-protector, but less than -fstack-protector-all.

-D_GLIBCXX_ASSERTIONS

Provides compile-time best-practices errors for certain libc functions, and provides run-time buffer lengths and memory region checks.

_GLIBCXX_ASSERTIONS was developed not to impact ABI or big-O complexity.

The _GLIBCXX_ASSERTIONS macro defines a subset of the _GLIBCXX_DEBUG checks, with no impact on class layout and minimal impact on runtime (and no changes in algorithmic complexity). It is intended to be suitable for both debug builds and release builds. -@[email protected]

-fcf-protection=full

Indirect branch tracking and shadow stacks on most x86 archs. Prevents code reuse attacks (ROP/COP/JOP).

-mbranch-protection

Prevents code reuse attacks on arm64.

Checking flags

dpkg-buildflags 
gcc -Q --help=optimizers
checksec
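
To go with the commands above, here is an added example (not from any of the referenced projects) that audits a flag string against the flags listed on this page. It treats the last occurrence of an option as the effective one and also checks that optimization is on, since glibc only applies _FORTIFY_SOURCE in optimized builds. The names audit_flags and SAMPLE are hypothetical, and the sample flag string is constructed.

```shell
#!/bin/sh
# Added example: audit a compiler flag string against the flags on this page.
# audit_flags FLAGS [ARCH] prints one line per flag that is missing or weaker
# than listed, and nothing when every check passes. As with gcc, the last
# occurrence of an option wins. The body runs in a subshell so "set -f"
# (no glob expansion while word-splitting FLAGS) and variables stay local.
audit_flags() (
    set -f
    flags=$1 arch=${2:-x86_64}
    fortify=0 opt=no ssp=none assertions=no cf=none bp=none
    for f in $flags; do
        case $f in
            *-D_FORTIFY_SOURCE=[0-9]) fortify=${f#*=} ;;  # also -Wp,-D...
            *-U_FORTIFY_SOURCE)       fortify=0 ;;
            -O0)                      opt=no ;;
            -O*)                      opt=yes ;;
            -fstack-protector-strong|-fstack-protector-all) ssp=ok ;;
            -fstack-protector)        ssp=weak ;;
            -fno-stack-protector)     ssp=none ;;
            *-D_GLIBCXX_ASSERTIONS)   assertions=yes ;;
            *-U_GLIBCXX_ASSERTIONS)   assertions=no ;;
            -fcf-protection)          cf=full ;;          # bare form means full
            -fcf-protection=*)        cf=${f#*=} ;;
            -mbranch-protection=*)    bp=${f#*=} ;;
        esac
    done
    [ "$fortify" -ge 3 ] || echo "_FORTIFY_SOURCE=3 (found level $fortify)"
    # glibc only applies _FORTIFY_SOURCE when optimization is enabled
    [ "$opt" = yes ] || echo "-O1 or higher, needed by _FORTIFY_SOURCE"
    [ "$ssp" = ok ] || echo "-fstack-protector-strong (found: $ssp)"
    [ "$assertions" = yes ] || echo "-D_GLIBCXX_ASSERTIONS"
    case $arch in
        x86_64|amd64)  [ "$cf" = full ] || echo "-fcf-protection=full (found: $cf)" ;;
        aarch64|arm64) [ "$bp" != none ] || echo "-mbranch-protection (found: $bp)" ;;
    esac
    :
)

# Constructed sample resembling a distro default; on Debian-like systems use
#   audit_flags "$(dpkg-buildflags --get CPPFLAGS) $(dpkg-buildflags --get CXXFLAGS)"
SAMPLE='-g -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fcf-protection'
audit_flags "$SAMPLE" x86_64
```

This only inspects the requested flags; checksec on the built binary shows what actually ended up in the output.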