What set of GCC options provides the best protection against memory corruption vulnerabilities such as Buffer Overflows and Dangling Pointers? Does GCC provide any type of ROP chain mitigation? Are there performance concerns or other issues that would prevent this GCC option from being on a mission critical application in production?
I am looking at the Debian Hardening Guide as well as GCC Mudflap. Here are the following configurations I am considering:
-D_FORTIFY_SOURCE=2
-fstack-protector --param ssp-buffer-size=4
-fPIE -pie
-Wl,-z,relro,-z,now (ld -z relro and ld -z now)
Are there any improvements that can be made to this set of options? Assume the most recent version of GCC; if you know of any cool upcoming feature, let me know!
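Added example (not part of the original question or answers): a shell function that checks whether the options listed above took effect in a built binary, by reading the output of readelf -W -h -l -d --dyn-syms on stdin. The function name audit_hardening and the sample readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Reads the text of: readelf -W -h -l -d --dyn-syms <binary>   (on stdin)
audit_hardening() {
    dump=$(cat)
    has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }

    # -fPIE -pie: ELF type is DYN, not EXEC (shared libraries are DYN too).
    if has '^[[:space:]]*Type:[[:space:]]+DYN'; then pie=yes; else pie=no; fi

    # -z relro adds a GNU_RELRO segment; together with -z now it is full RELRO.
    if ! has 'GNU_RELRO'; then relro=none
    elif has '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then relro=full
    else relro=partial; fi

    # -fstack-protector: instrumented functions reference __stack_chk_fail.
    if has '__stack_chk_fail'; then canary=yes; else canary=no; fi

    # -D_FORTIFY_SOURCE=2: checked calls appear as __memcpy_chk, __printf_chk, ...
    if has '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then fortify=yes; else fortify=no; fi

    echo "pie=$pie relro=$relro canary=$canary fortify=$fortify"
}

# Constructed readelf excerpts (not taken from a real build).
SAMPLE_HARDENED='  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)'
SAMPLE_PLAIN='  Type:                              EXEC (Executable file)
  GNU_RELRO      0x002e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)'

printf '%s\n' "$SAMPLE_HARDENED" | audit_hardening
printf '%s\n' "$SAMPLE_PLAIN" | audit_hardening
```

A canary=no result can also mean no function had a qualifying buffer, and fortify=no can mean there were no fortifiable calls or the build had optimization turned off, which _FORTIFY_SOURCE requires.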
Not a GCC option, but compatible with GCC. See our CheckPointer tool, that detects most memory management errors.
There is a significant slowdown in execution; the tool has to track the validity of pointers and allocated storage, and that adds overhead.
This is not a CFLAGS or LDFLAGS answer so maybe not what you're specifically looking for, but you should also look into gcc plugins written for hardening purposes. These are used in hardened kernel builds and catch a lot of bad code. You may need a gcc plugins package for your distribution, apt-cache search gcc | grep plugin or equivalent to find the package name. I believe the llvm compiler suite has similar plugins if you're willing to consider using their clang compiler (it's mostly gcc compatible).
Source: https://stackoverflow.com/questions/13544512/what-is-the-most-hardened-set-of-options-for-gcc-compiling-c-c