06 – Enable security hardening flags

Tool

Make use of exploit mitigations

Goals

Prevent security issues from being exploited.

Description

C and C++ are a dangerous choice for creating network-facing software (or any software that processes inputs provided by third parties) because they do not enforce memory safety. Simple but hard-to-catch programming errors can allow an attacker to take control of your application by injecting their own code. Modern toolchains offer code generation techniques that do not remove the underlying bug, but (hopefully) prevent it from being exploited.

Environment

C and C++

Platform

All, but the number and quality of mitigations offered will differ between toolchains, OS versions and CPU architectures.

Implementation effort

Low

Applicability

All software which deals with untrusted third-party inputs.

Caveats

  • Enable these flags early on, as there might be side effects which are easier to track down outside of a release window.
  • Mitigations make it harder (sometimes a lot harder) to exploit a given bug, but they are not 100% protection. Make sure that OS-level mitigations are enabled as well.
  • Some mitigations have a performance impact.

See also

-

Implementation hints

GCC/Clang:

    -D_FORTIFY_SOURCE=2
    -Wl,-z,relro,-z,now
    -fstack-protector-strong
    -pie -fPIE
    -Wformat -Wformat-security

Visual Studio:

    /GS
    /guard:cf

These options only provide a baseline; please have a look at the toolchain documentation for details and more mitigations.

For Embedded Linux scenarios it might be better to enable these flags globally during firmware generation.
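Enabling the flags is only half the job; the build output should be checked to see that they took effect. The following checker is an added example (not part of the original card) that inspects an ELF64 little-endian binary for the effects of the GCC/Clang flags listed above: PIE, full RELRO (-z relro together with -z now), stack protector and FORTIFY imports. It parses the ELF headers directly so it needs no binutils; the symbol checks are string heuristics, and build_sample_elf() is a constructed header-only image used only to exercise the checker offline.

```python
import re
import struct

# ELF constants (ELF specification / glibc elf.h); NOW_FLAG maps a d_tag to its "bind now" bit
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
NOW_FLAG = {DT_FLAGS: 0x8, DT_FLAGS_1: 0x1}   # DF_BIND_NOW, DF_1_NOW

def check_hardening(data: bytes) -> dict:
    """Report which of the listed mitigations are visible in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_type, e_phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    e_phnum = struct.unpack_from("<H", data, 56)[0]
    relro, bind_now, dynamic = False, False, None
    for i in range(e_phnum):                      # Elf64_Phdr entries are 56 bytes each
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + 56 * i)
        if p_type == PT_GNU_RELRO:                # -z relro: GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic:
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or val & NOW_FLAG.get(tag, 0):
                bind_now = True                   # -z now: all symbols bound at load time
    # Symbol checks are string heuristics over the whole file (as checksec does), not a .dynsym parse
    return {
        "pie": e_type == ET_DYN,                  # -pie (ET_DYN is also used by shared libraries)
        "full_relro": relro and bind_now,         # needs both -z relro and -z now
        "stack_protector": b"__stack_chk_fail\x00" in data,   # -fstack-protector* instrumentation
        "fortify": re.search(rb"__[a-z0-9_]+_chk\x00", data) is not None,  # _FORTIFY_SOURCE
    }

def build_sample_elf(pie=True, relro=True, bind_now=True, protector=True, fortify=True):
    """Constructed header-only ELF64 image (not runnable) to exercise the checker offline."""
    PH = (4, 0x200, 0x200, 0x200, 0x40, 0x40, 8)  # flags, offset, vaddr, paddr, filesz, memsz, align
    phdrs = [(PT_DYNAMIC, *PH)] + ([(PT_GNU_RELRO, *PH)] if relro else [])
    img = bytearray(b"\x7fELF\x02\x01\x01" + bytes(9))      # ELF64, little-endian, version 1
    img += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)   # ET_EXEC when not PIE
    img += b"".join(struct.pack("<IIQQQQQQ", *ph) for ph in phdrs)
    img += bytes(0x200 - len(img))                           # pad up to the dynamic section
    img += struct.pack("<qQ", DT_FLAGS_1, NOW_FLAG[DT_FLAGS_1]) * bind_now
    img += struct.pack("<qQ", DT_NULL, 0)
    img += b"__stack_chk_fail\x00" * protector + b"__memcpy_chk\x00" * fortify  # fake .dynstr
    return bytes(img)
```

Run check_hardening() on the bytes of your own build output (for example as a CI step) and fail the build when a flag did not take effect; a binary with no instrumented functions will legitimately lack the __stack_chk_fail import, so treat that result as a prompt to look closer rather than as proof.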


Post history - Last 5 commits

17/02/2020 10:33:19 - Improve the security tool a bit (Frank Meerkötter)

14/02/2020 14:08:33 - Give all tools a number prefix to allow for sorting. The number prefix is the same as the card number. (Frank Meerkötter)
