[PATCH] Security hardening compiler and linker flags
David Jorm
djorm at corp.iixpeering.net
Fri Feb 27 05:23:37 CET 2015
Hi All,

The attached patch adds security hardening compiler and linker flags.
These flags are only applied if --enable-secflags is on, and I've made
--enable-secflags on by default. I totally understand if the maintainers
may prefer for it to be off by default, at least initially.

Here is a brief explanation/justification of each of the flags added by
this patch.

Compiler flags:

-Wformat -Wformat-security -Werror=format-security: Protection against
format string vulnerabilities at compile time, no impact to the compiled
binaries.

-fPIE: Build position independent executable (PIE) binaries. Enables a
form of address space layout randomization (ASLR), which makes
exploitation of memory corruption vulnerabilities significantly more
difficult. This does incur a small performance cost, but this is minimal
and I believe an acceptable price to pay for the protection PIE
provides. For more details on the performance cost, see [0].

-fstack-protector-strong: Stack-smashing protection at runtime,
thwarting many buffer overflow exploits. This does incur a small
performance cost. -fstack-protector-strong is designed to incur a
minimal performance cost, compared to the more comprehensive
-fstack-protector-all.

-D_FORTIFY_SOURCE=2: Protection against static sized buffer overflows at
compile time, no impact to compiled binaries.

Linker flags:

-fPIE -pie: To enable PIE as noted above.

-Wl,-z,relro: Prevents some memory corruption exploits that overwrite
the global offset table (GOT). For more details see [1].

-Wl,-z,now: Part of GOT overwrite protection. Can incur an extremely
minimal performance hit at startup time as symbols are resolved.

-Wl,-z,noexecstack: Prevents some memory corruption exploits by marking
the stack as non-executable.

Not all of these flags are available on some architectures and
processors, but they should be automatically omitted from the configure
script if not supported.

Thanks
David

[0] https://securityblog.redhat.com/2012/12/12/position-independent-executable-pie-performance/
[1] https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-security-hardening-compiler-and-linker-flags.patch
Type: text/x-patch
Size: 2150 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20150227/5e15fe47/attachment.bin>
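The post only outlines the configure-time behaviour (flags applied under --enable-secflags and dropped when the toolchain rejects them), and the attachment that implements it was scrubbed from the archive. What follows is an added example, not the patch's code and not BIRD's configure script: a POSIX sh probe that tests each flag from the post the way a configure check would, and a readelf-based check that a binary built with the survivors actually carries PIE, full RELRO, a non-executable stack and a stack canary. The names cc_supports_flags, probe_flags, check_hardening and demo are this example's own, as is the probe program it compiles; it assumes a C compiler reachable as $CC (default cc), a GNU-compatible linker that accepts --fatal-warnings, and binutils readelf.

```shell
#!/bin/sh
# Added example for this page (not the BIRD configure code in the scrubbed
# attachment): probe which of the flags named in the post the toolchain
# accepts, as a configure check would, then inspect a built ELF to confirm
# the protections landed. Assumes a C compiler at $CC (default cc), a
# GNU-compatible linker that knows --fatal-warnings, and binutils readelf.

CC="${CC:-cc}"

# One entry per line. "-fPIE -pie" is probed as a pair because -pie alone
# fails where objects are not position independent by default.
# _FORTIFY_SOURCE needs optimisation (glibc warns without -O, and -Werror
# would turn that into an error), so every probe builds with -O2.
HARDEN_CFLAGS="-Wformat
-Wformat-security
-Werror=format-security
-fPIE
-fstack-protector-strong
-D_FORTIFY_SOURCE=2"
HARDEN_LDFLAGS="-fPIE -pie
-Wl,-z,relro
-Wl,-z,now
-Wl,-z,noexecstack"

# Probe program: the stack buffer gives -fstack-protector-strong something to
# instrument, so the canary check below has a reference to look for.
probe_source() {
    cat <<'CSRC'
#include <stdio.h>
int main(int argc, char **argv) {
    char buf[64];
    snprintf(buf, sizeof buf, "%d args, argv[0]=%s", argc, argv[0]);
    puts(buf);
    return 0;
}
CSRC
}

# cc_supports_flags MODE FLAG...: 0 if the probe program builds with FLAGs.
# -Werror makes "unrecognized command-line option" and "unknown warning
# option" fatal; -Wl,--fatal-warnings does the same for ld's "-z foo ignored".
cc_supports_flags() {
    mode=$1; shift
    tmp=$(mktemp -d) || return 1
    probe_source > "$tmp/t.c"
    if [ "$mode" = link ]; then set -- -Wl,--fatal-warnings "$@" -o "$tmp/t"
    else set -- "$@" -c -o "$tmp/t.o"; fi
    "$CC" -O2 -Werror "$@" "$tmp/t.c" >/dev/null 2>&1; rc=$?
    rm -rf "$tmp"; return "$rc"
}

# probe_flags MODE LIST: print the entries of the newline-separated LIST that
# the toolchain accepts, space-joined, ready to append to CFLAGS or LDFLAGS.
probe_flags() {
    mode=$1; out=""
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # shellcheck disable=SC2086  (splitting "-fPIE -pie" is intended)
        if cc_supports_flags "$mode" $entry; then out="$out $entry"; fi
    done <<LIST
$2
LIST
    printf '%s\n' "${out# }"
}

# check_hardening BINARY: print pie/relro/nx/canary as readelf reports them;
# 0 only when all are present (relro=full means GNU_RELRO plus BIND_NOW).
check_hardening() {
    bin=$1; pie=no; relro=no; nx=no; canary=no
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    case $(readelf -h "$bin") in *"Type:"*DYN*) pie=yes;; esac
    phdrs=$(readelf -lW "$bin")
    case $phdrs in *GNU_RELRO*) relro=partial;; esac
    if [ "$relro" = partial ]; then
        case $(readelf -dW "$bin") in *BIND_NOW*|*"Flags:"*NOW*) relro=full;; esac
    fi
    # a GNU_STACK header without the E flag means a non-executable stack
    case $(printf '%s\n' "$phdrs" | grep GNU_STACK) in ""|*RWE*) ;; *) nx=yes;; esac
    readelf -sW "$bin" | grep -q __stack_chk_fail && canary=yes
    echo "pie=$pie relro=$relro nx=$nx canary=$canary"
    [ "$pie" = yes ] && [ "$relro" = full ] && [ "$nx" = yes ] && [ "$canary" = yes ]
}

# demo: probe, build the probe program with the survivors, check the result.
demo() {
    cflags=$(probe_flags compile "$HARDEN_CFLAGS")
    ldflags=$(probe_flags link "$HARDEN_LDFLAGS")
    printf 'CFLAGS  += %s\nLDFLAGS += %s\n' "$cflags" "$ldflags"
    tmp=$(mktemp -d) || return 1
    probe_source > "$tmp/t.c"
    # shellcheck disable=SC2086
    "$CC" -O2 $cflags $ldflags "$tmp/t.c" -o "$tmp/t" && check_hardening "$tmp/t"; rc=$?
    rm -rf "$tmp"; return "$rc"
}

# Run the demo only when a compiler is present, so sourcing the file is harmless.
if command -v "$CC" >/dev/null 2>&1; then demo || echo "hardening check failed" >&2; fi
```

Run it on the build host: the first two lines of output are the flags that survived the probe and the last is what readelf found in the resulting binary. Two points the probe handles that a naive per-flag loop would get wrong: -pie is tested together with -fPIE, because -pie on its own fails on toolchains that do not emit PIC objects by default, and every probe compiles at -O2, because _FORTIFY_SOURCE does nothing (and glibc warns) without optimisation. The canary test looks for a reference to __stack_chk_fail, which only appears in binaries that contain a function the protector instruments, hence the local array in the probe program.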