basysKom Toolbox

06 – Enable security hardening flags

Make use of exploit mitigations

Goals

Prevent security issues from being exploited.

Description

C and C++ are a dangerous choice for network-facing software (or any software that processes input provided by third parties) because they don’t enforce memory safety. Simple but hard-to-catch programming errors can enable an attacker to take control of your application by injecting their own code. Modern toolchains offer code generation techniques that do not prevent such errors in the first place, but (hopefully) prevent them from being exploited.

Environment

C and C++

Platform

All, but the number and quality of mitigations offered will differ between toolchains, OS versions and CPU architectures.

Implementation effort

Low

Applicability

All software which deals with untrusted third-party inputs.

Caveats

  • Try to enable these flags early on as there might be side effects which are easier to track down outside of a release window…
  • Mitigations make it harder (sometimes a lot harder) to exploit a given bug, but they do not offer 100% protection. Make sure that OS-level mitigations are enabled as well.
  • Some mitigations have a performance impact.

See also

Implementation hints

GCC/Clang:

    -D_FORTIFY_SOURCE=2

    -Wl,-z,relro,-z,now

    -fstack-protector-strong

    -pie -fPIE

    -Wformat -Wformat-security

Visual Studio:

    /GS
    /guard:cf

These options only provide a baseline; please consult the toolchain documentation for details and further mitigations.

For Embedded-Linux scenarios it might be better to enable these flags globally during firmware generation.
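
To confirm that the GCC/Clang flags above actually reached the final binary, the following added example (not part of the original card) checks `readelf` output on Linux for the traces each flag leaves behind. The function names and the sample output are constructed for illustration, and `readelf` from GNU binutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the card): report which of the card's GCC/Clang
# mitigations are visible in an ELF binary's headers and symbols.

# flag NAME REGEX: print NAME=yes if $report matches REGEX, else NAME=no.
flag() {
    if printf '%s\n' "$report" | grep -Eq -- "$2"; then
        echo "$1=yes"
    else
        echo "$1=no"
    fi
}

# Reads `readelf -W -h -l -d --dyn-syms` output on stdin.
check_hardening() {
    report=$(cat)
    # -pie -fPIE: ELF type DYN instead of EXEC (shared libraries are DYN too).
    flag pie '^ *Type: +DYN'
    # -Wl,-z,relro: the linker emitted a GNU_RELRO program header.
    flag relro '^ *GNU_RELRO'
    # -Wl,-z,now: eager binding, so RELRO can also cover the PLT GOT.
    flag bind_now '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'
    # -fstack-protector-strong: instrumented functions import __stack_chk_fail.
    flag stack_protector '__stack_chk_fail'
    # -D_FORTIFY_SOURCE=2: checked libc variants (__memcpy_chk, ...) are imported.
    # Needs optimisation enabled; "no" can also mean no fortifiable call exists.
    flag fortify '__[a-z0-9_]+_chk(@| |$)'
}

# Constructed sample: the relevant readelf lines for a hardened build.
sample_report() {
    cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

# Usage: sh check_hardening.sh ./your-binary   (script name is an assumption)
if [ "$#" -gt 0 ]; then
    readelf -W -h -l -d --dyn-syms "$1" | check_hardening
fi
```

Running this as a CI step after linking catches cases where a build system silently drops one of the flags, for example when a subproject overrides the compiler or linker options.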

About the Toolbox

The basysKom Toolbox is a state-of-the-art collection of best practices in agile management and software development and a valuable tool for every kickoff meeting.

These cards can be used during a project kickoff in order to select best fitting good practices from the very start of your project, but also as a reminder during the course of a project implementation. Every card holds a QR code with additional information related to the specific tool, the tools’ applicability, known constraints and additional tips on how to implement it in a project setup.

You can provide us feedback on GitHub.
