Menu
What set of GCC options provide the best protection against memory corruption vulnerabilities such as Buffer Overflows, and Dangling Pointers? Does GCC provide any type of ROP chain mitigation? Are there performance concerns or other issues that would prevent this GCC option from being on a mission critical application in production?
I am looking at the Debian Hardening Guide as well as GCC Mudflap. Here are the following configurations I am considering:
-D_FORTIFY_SOURCE=2
-fstack-protector --param ssp-buffer-size=4
-fPIE -pie
-Wl,-z,relro,-z,now (ld -z relro and ld -z now)
Are there any improvments that can be made to this set of options? Assume the most recent version of GCC, if you know of any cool upcoming feature, let me know!
705
Compile-time flags are boolean values provided through the compiler via a macro method. They allow to conditionally include or exclude code based on compile time conditions. There are several default flags provided by the compiler with information about compiler options and the target platform.
Compilers options (− x on Linux, and /Qx on Microsoft Windows) control which instructions the compiler uses within a function, while the processor(…) clause controls creation of non-standard functions using wider registers (YMM or ZMM) for passing SIMD data for parameters and results.
Not a GCC option, but compatible with GCC. See our CheckPointer tool, that detects most memory management errors.
There is a significant slowdown in execution; the tool has to track the validity of pointers and allocated storage, and that adds overhead.
78
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
