gcc security tips

November 10th, 2008 by webstersprodigy

Here are some gcc flags that may help prevent vulnerable code from being exploited.

-D_FORTIFY_SOURCE=2

This should catch some buffer overflows that can be analyzed statically, along with some obvious ones (strcpy of input, format string vulnerabilities).

More information can be found here: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
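To show why only statically analyzable overflows get caught, here is an added sketch (not code from the original post or from glibc) of the size check that fortified string functions rely on. The names `copy_checked`, `FORTIFIED_STRCPY`, `copy_into_local` and `size_seen_through_pointer` are hypothetical; the real check aborts the program instead of returning -1, and it only takes effect when optimization (-O1 or higher) is enabled.

```c
/* Added illustration of the idea behind -D_FORTIFY_SOURCE=2.
 * Real build: gcc -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-all file.c
 * glibc then passes __builtin_object_size(dst, ...) to a checked strcpy. */
#include <stdio.h>
#include <string.h>

#define UNKNOWN_SIZE ((size_t)-1)   /* what the builtin returns when it cannot tell */

/* Hypothetical helper: copy src into dst only if it fits in dst_size bytes.
 * Returns 0 on success, -1 if the copy would overflow. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;          /* include the terminating NUL */
    if (dst_size != UNKNOWN_SIZE && need > dst_size)
        return -1;                          /* the real check aborts here */
    memcpy(dst, src, need);
    return 0;
}

/* Expands at the call site, so the compiler sees the real destination object. */
#define FORTIFIED_STRCPY(dst, src) \
    copy_checked((dst), __builtin_object_size((dst), 1), (src))

/* Destination is a local array: its size (8) is known at compile time. */
int copy_into_local(const char *input)
{
    char name[8];
    return FORTIFIED_STRCPY(name, input);
}

/* Destination arrives as a bare pointer: the size is unknown here,
 * so a fortified copy through this pointer could not be checked. */
__attribute__((noinline)) size_t size_seen_through_pointer(char *dst)
{
    return __builtin_object_size(dst, 1);
}

int main(void)
{
    char big[64];
    printf("fits:        %d\n", copy_into_local("short"));
    printf("overflow:    %d\n", copy_into_local("far too long for name"));
    printf("via pointer: %zu\n", size_seen_through_pointer(big));
    return 0;
}
```

The pointer case is the gap the stack protector below is meant to cover: when the destination size is not visible to the compiler, the overflow is only noticed when the guard is checked at function exit.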

-fstack-protector-all

From the man page:

Emit extra code to check for buffer overflows, such as stack smashing attacks.  This is done by adding a guard variable to functions with vulnerable objects.  This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits.  If a guard check fails, an error message is printed and the program exits.

(This is enabled by default in recent versions of Ubuntu.)
