Tool Make use of exploit mitigations
Prevent security issues from being exploited.
C and C++ are a dangerous choice for creating network facing software (or software that is processing inputs provided by third party) as they don't enforce memory safety. Simple but hard to catch programming errors can enable an attacker to take control of your application by injecting their own code. Modern toolchains are offering code generation techniques that do not prevent the problem in the first place, but they (hopefully) prevent it from being exploited.
C and C++
All, but the number and quality of mitigations offered will differ between toolchains, OS versions and CPU architectures.
All software which deals with untrusty third party inputs.
- Try to enable these flags early on as there might be side effects which are easier to track down outside of a release window...
- Mitigations make it harder (sometimes a lot) to exploit a given bug, but they are no 100% protection. Also make sure that OS-level mitigations are also enabled.
- Some mitigation have a performance impact.
-D_FORTIFY_SOURCE=2 -Wl,-z,relro,-z,now -fstack-protector-strong -pie -fPIE -Wformat -Wformat-security
These options only provide a baseline, please have a look at the toolchain documentation for details and more mitigations.
For Embedded-Linux scenarios it might be better to globally enable these flags globally during firmware generation.
17/02/2020 10:33:19 - Improve the security tool a bit (Frank Meerkötter)
14/02/2020 14:08:33 - Give all tools a number prefix to allow for sorting The number prefix is the same as the card number. (Frank Meerkötter)