Playing around with security hardening compiler flags
- Reply: Dimitry Andric : "Re: Playing around with security hardening compiler flags"
Date: Sun, 17 Nov 2024 15:30:34 UTC
Hi,
after reading
     https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
     https://libcxx.llvm.org/Hardening.html
     https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
I played around a bit with some of the flags there (in CFLAGS).
What doesn't work:
  - -fstrict-flex-arrays=3   (variable array issue in IIRC a tool for ath)
  - -fstrict-flex-arrays=2   (issue in another area, haven't checked further)
What works and results in a world+kernel which is able to boot:
  - -D_GLIBCXX_ASSERTIONS
  - -fstrict-flex-arrays=1
  - -fstack-clash-protection
  - -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE
Does someone have any reason / argument why some of those shouldn't be 
used when building FreeBSD?
Should something like this be optional, and if yes, enabled by default, 
or disabled by default?
Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
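
For readers following the thread, an added example (not part of the original message and not FreeBSD code) of what the -fstrict-flex-arrays levels listed above accept as a flexible array member, following the GCC and Clang documentation of that option. The struct and function names are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical structs, constructed for this example.
 * Trailing-array spelling and the levels that still treat it as flexible:
 *   data[1] -> levels 0, 1
 *   data[0] -> levels 0, 1, 2    (GNU zero-length array extension)
 *   data[]  -> levels 0, 1, 2, 3 (C99 flexible array member)          */
struct rec_legacy {             /* pre-C99 "struct hack" */
    uint32_t len;
    unsigned char data[1];      /* at =2 and =3 this is a real 1-byte array */
};

struct rec_fam {                /* C99 form, flexible at every level */
    uint32_t len;
    unsigned char data[];
};

/* Allocation size for n payload bytes, or 0 if the sum would overflow. */
size_t rec_fam_size(size_t n)
{
    size_t hdr = offsetof(struct rec_fam, data);
    return n > SIZE_MAX - hdr ? 0 : hdr + n;
}

/* Build a record in the C99 form; the caller frees the result. */
struct rec_fam *rec_fam_new(const void *src, size_t n)
{
    size_t sz = rec_fam_size(n);
    if (sz == 0 || n > UINT32_MAX)
        return NULL;
    struct rec_fam *r = malloc(sz);
    if (r == NULL)
        return NULL;
    r->len = (uint32_t)n;
    if (n != 0)
        memcpy(r->data, src, n);  /* within the object at =1, =2 and =3 */
    return r;
}
```

Code that indexes `rec_legacy.data` past element 0 relies on level 0 or 1; rewriting the declaration as in `rec_fam` and sizing allocations with `offsetof` keeps the same layout of the header while remaining valid at level 3.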