why does -D_FORTIFY_SOURCE=2 has no effect in my compilation?

Question

I have been adding some "compilation flags" to activate security measures in my binary. And then I check that the measures are implemented using the checksec tool. I have been able to activate all of them except for FORTIFY.

I keep geting

FORTIFY = No, Fortified = 0, Fortifiable = 4

as output from checksec even after compiling with -D_FORTIFY_SOURCE=2

I have to say that I use a common CMakeLists.txt for many binaries and I added the -D_FORTIFY_SOURCE=2 in the global add_compile_options section.

For all the other generated binaries the macro has the expected behavior, that is, the other binaries get "fortified".

I am using gcc 9.3.0, my application is written in c++17 and I compile with -O2.

Does someone have an idea why my binary is not getting fortified?

Thanks in advance.

Answer 1

Fortification done by checksec script is done heuristically: by grepping for _chk symbols in output of readelf --dyn-syms. So it will only be able to detect fortification if

• your source code contains calls to fortified functions (memset, memcpy, etc.)
• code has been compiled with optimizations (macro __OPTIMIZE__ is defined and greater than zero)
• GCC hasn't optimized them to unchecked versions or explicit loops (see e.g. gimple_fold_builtin_memory_chk in gimple-fold.c)

To identify the exact cause of your particular case we'll need an MVCE.