Hardening compiler flags #578
Conversation
Enable more compile-time and run-time protections which are recommended and used by Debian [1] and Red Hat [2] when building their package bases. [1]: https://wiki.debian.org/Hardening [2]: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ These are quite old compilation flags, only -fstack-protector-strong is supported since GCC 4.9. We might need to support earlier versions for distros like RHEL and CentOS so replace it with -fstack-protector when unavailable. They are usually even enabled by default, but let's make sure that the compiler uses them. Stack canaries are run-time checks for buffer overflows in local variables which are the main source of ROP attacks. FORTIFY_SOURCE is not enabled by default usually. It replaces various standard library functions (strcpy(), memcpy(), etc.) with their buffer-length-aware alternatives where possible. They will abort the program (or compilation) if they detect an obvious buffer overflow for arrays of statically-known size. Immediate binding and read-only relocations prevent some exploits which may redirect functions imported by Themis somewhere different. They also somewhat limit possible effects of accidental memory corruption. macOS/iOS uses different linker flags for relro (-read_only_relocs) but relocations have to be writeable on some platforms (e.g., ARM64) therefore we limit it to Linux only. Another recommended option is using position-independed executable code but since we're a shared library we already build with -fPIC.
ilammy
added
core
Yep, all these compiler flags are supported by Clang and work on Apple platforms too.
|
|
Sounds awesome, thank you for checking and taking care of our mac users :) |
vixentael
added
the
installation
|
Come to think of it... Cartage and CocoaPods do not use the Makefile, so they have to be adjusted separately. This change currently affects only Homebrew builds of Themis installed into the system. |
|
I've poked around in Xcode and it looks like we can avoid making any changes there. Modern Xcode already highlights buffer-related issues prevented by FORTIFY_SOURCE even without it being specified. Carthage and CocoaPods do not print out warnings so our users (and us) will not see them. If there are any issues we will have to catch them on other platforms and they will be fixed for Carthage/CocoaPods users as well. |
Totally agree. For me, Xcode-based projects are the other world with different rules, and their own caveats :D |
Enable more compile-time and run-time protections which are recommended and used by Debian and Red Hat when building their package bases.
These are quite old compilation flags, only
-fstack-protector-strongis supported since GCC 4.9. We might need to support earlier versions for distros like RHEL and CentOS so replace it with-fstack-protectorwhen unavailable. They are usually even enabled by default, but let’s make sure that the compiler uses them. Stack canaries are run-time checks for buffer overflows in local variables which are the main source of ROP attacks.FORTIFY_SOURCE is not enabled by default usually. It replaces various standard library functions (strcpy(), memcpy(), etc.) with their buffer-length-aware alternatives where possible. They will abort the program (or compilation) if they detect an obvious buffer overflow for arrays of statically-known size.
Immediate binding and read-only relocations prevent some exploits which may redirect functions imported by Themis somewhere different. They also somewhat limit possible effects of accidental memory corruption.
macOS/iOS uses different linker flags for relro (
-read_only_relocs) but relocations have to be writeable on some platforms (e.g., ARM64) therefore we limit it to Linux only.Another recommended option is using position-independent executable code but since we're a shared library we already build with
-fPIC.Checklist
Changelog is updated(maybe later)