gcc security tips
November 10, 2008 Leave a comment
Here are some flags that may help vulnerable code from being executed.
This should get rid of some buffer overflows that can be analyzed statically and some obvious ones (strcpying input, format string vulnerabilities).
More information can be found here: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
From the man page:
Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.
(this is enabled by default in recent versions of Ubuntu)