- cross-posted to:
- cpp@lemmy.ml
There is a discussion on Hacker News, but feel free to comment here as well.
This is the best summary I could come up with:
Following discussions among compiler developers and other stakeholders, the GNU Compiler Collection (GCC) is preparing to add a “-fhardened” compiler option that will enable various hardening features aimed at increasing the security/robustness of the generated binaries.
Since last month there has been a discussion over adding a generic “hardening” option to improve the security of generated binaries via various hardening options that are already available but may not be in use by all projects – either for not knowing about them, the software not being actively well maintained, or similar factors.
The options considered reasonable for this hardening option cannot impact the application binary interface (ABI), cannot cause “severe” performance issues, and can’t cause new build errors.
In a patch now seeking to be merged to GCC 14 Git in the coming days by Red Hat’s Marek Polacek, the initial -fhardened options include:
- -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
- -ftrivial-auto-var-init=pattern
- -fPIE -pie
- -Wl,-z,relro,-z,now
- -fstack-protector-strong
- -fstack-clash-protection
- -fcf-protection=full (x86 GNU/Linux only)
Thus the sole “-fhardened” option enables position independent executables, fortify sources, stack protections, control flow protections, and other common recommended options that are suitable for enabling relatively broadly.
Barring any last minute objections, this -fhardened patch will be merged soon for introduction in the GCC 14.1 stable release due out early next year.
The original article contains 241 words, the summary contains 211 words. Saved 12%. I’m a bot and I’m open source!
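As an added example (not code from the Phoronix article, the GCC patch or the summary bot), here is a small Python checker that reads an ELF64 binary and reports whether the effects of the flags listed above are visible in it: ET_DYN for -fPIE -pie, a PT_GNU_RELRO segment for -z relro, DF_BIND_NOW / DF_1_NOW for -z now, an imported __stack_chk_fail for -fstack-protector-strong, and imported __*_chk glibc variants for _FORTIFY_SOURCE. The function names (hardening_report, build_sample_elf, check_file) are mine, and the ELF images build_sample_elf produces are constructed sample input, not real programs. The checker does not cover -ftrivial-auto-var-init, -fstack-clash-protection or -fcf-protection, which leave nothing in the headers it parses.

```python
import struct
import sys

# ELF constants used below (values from the ELF64 / System V ABI specification).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"   # little-endian ELF64 layouts


def hardening_report(data: bytes) -> dict:
    """Inspect a little-endian ELF64 image and report which -fhardened effects are visible."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this checker")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR, data, 0)

    loads, relro, dyn_range = [], False, None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:            # needed to translate virtual addresses to file offsets
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_GNU_RELRO:     # emitted by the linker for -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_range = (p_off, p_filesz)

    def to_offset(va: int) -> int:
        for vaddr, off, size in loads:
            if vaddr <= va < vaddr + size:
                return off + (va - vaddr)
        raise ValueError("address %#x is not backed by a PT_LOAD segment" % va)

    flags = flags1 = 0
    strtab_va = strsz = None
    if dyn_range:
        off, size = dyn_range
        for pos in range(off, off + size, struct.calcsize(DYN)):
            tag, val = struct.unpack_from(DYN, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
            elif tag == DT_STRTAB:
                strtab_va = val
            elif tag == DT_STRSZ:
                strsz = val

    names = set()                        # dynamic string table: names of imported symbols
    if strtab_va is not None and strsz:
        start = to_offset(strtab_va)
        names = set(data[start:start + strsz].split(b"\0"))

    bind_now = bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)   # -Wl,-z,now
    return {
        "pie": e_type == ET_DYN,         # -fPIE -pie (note: a shared library is ET_DYN too)
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,
        # -fstack-protector-strong: a function with a canary references __stack_chk_fail,
        # so a static binary or one with nothing to protect reports False (heuristic).
        "stack_protector": b"__stack_chk_fail" in names,
        # _FORTIFY_SOURCE: checked glibc variants such as __memcpy_chk get imported (heuristic).
        "fortify": any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names),
    }


def build_sample_elf(hardened: bool) -> bytes:
    """Constructed sample input: a minimal, non-runnable ELF64 image carrying only the
    headers the checker reads, in a hardened or an unhardened configuration."""
    n_phdrs = 3 if hardened else 2
    dyn_off = struct.calcsize(EHDR) + n_phdrs * struct.calcsize(PHDR)
    names = [b"", b"puts"] + ([b"__stack_chk_fail", b"__printf_chk"] if hardened else [])
    strtab = b"\0".join(names) + b"\0"
    dyn = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if hardened else []
    dyn_size = (len(dyn) + 3) * struct.calcsize(DYN)     # + DT_STRTAB, DT_STRSZ, DT_NULL
    str_off = dyn_off + dyn_size                          # image is laid out with vaddr == offset
    dyn += [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    total = str_off + len(strtab)
    phdrs = [(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 8)]
    if hardened:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if hardened else ET_EXEC, 62, 1, 0,
                       struct.calcsize(EHDR), 0, 0, struct.calcsize(EHDR),
                       struct.calcsize(PHDR), n_phdrs, 64, 0, 0)
    image = ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs)
    image += b"".join(struct.pack(DYN, *d) for d in dyn) + strtab
    assert len(image) == total
    return image


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hardening_report(f.read())


if __name__ == "__main__":
    # Usage: python3 check_hardening.py ./some_binary   (no argument: the constructed samples)
    if len(sys.argv) > 1:
        targets = [(sys.argv[1], check_file(sys.argv[1]))]
    else:
        targets = [("sample(hardened)", hardening_report(build_sample_elf(True))),
                   ("sample(plain)", hardening_report(build_sample_elf(False)))]
    for name, rep in targets:
        print(name, "  ".join("%s=%s" % kv for kv in sorted(rep.items())))
```

Run it against a binary compiled with the flags above, for example `gcc -fhardened hello.c -o hello` on a GCC 14 that carries the patch, or with the individual options spelled out on an older compiler, and every key should come back True. The stack_protector and fortify fields are heuristics on the dynamic symbol table: a statically linked binary, or one with no function that needs a canary and no checked glibc call, reports False even though the options were in effect, so treat them as "visible in this binary" rather than "compiled with".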