Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the most hardened set of options for GCC compiling C/C++?

What set of GCC options provide the best protection against memory corruption vulnerabilities such as Buffer Overflows, and Dangling Pointers? Does GCC provide any type of ROP chain mitigation? Are there performance concerns or other issues that would prevent this GCC option from being on a mission critical application in production?

I am looking at the Debian Hardening Guide as well as GCC Mudflap. Here are the following configurations I am considering:

-D_FORTIFY_SOURCE=2
-fstack-protector --param ssp-buffer-size=4
-fPIE -pie
-Wl,-z,relro,-z,now (ld -z relro and ld -z now)

Are there any improvments that can be made to this set of options? Assume the most recent version of GCC, if you know of any cool upcoming feature, let me know!

like image 705
rook Avatar asked Nov 24 '12 19:11

rook


People also ask

What do compiler flags do?

Compile-time flags are boolean values provided through the compiler via a macro method. They allow to conditionally include or exclude code based on compile time conditions. There are several default flags provided by the compiler with information about compiler options and the target platform.

What is compile option?

Compilers options (− x on Linux, and /Qx on Microsoft Windows) control which instructions the compiler uses within a function, while the processor(…) clause controls creation of non-standard functions using wider registers (YMM or ZMM) for passing SIMD data for parameters and results.


1 Answers

Not a GCC option, but compatible with GCC. See our CheckPointer tool, that detects most memory management errors.

There is a significant slowdown in execution; the tool has to track the validity of pointers and allocated storage, and that adds overhead.

like image 78
Ira Baxter Avatar answered Sep 21 '22 17:09

Ira Baxter