gcc security tips

Here are some flags that may help vulnerable code from being executed.

-D_FORTIFY_SOURCE=2

This should get rid of some buffer overflows that can be analyzed statically and some obvious ones (strcpying input, format string vulnerabilities).

More information can be found here: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

-fstack-protector-all

From the man page:

Emit extra code to check for buffer overflows, such as stack smashing attacks.  This is done by adding a guard variable to functions with vulnerable objects.  This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits.  If a guard check fails, an error message is printed and the program exits.

(this is enabled by default in recent versions of Ubuntu)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s