Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 17 Nov 2024 16:30:34 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Current FreeBSD <freebsd-current@freebsd.org>
Subject:   Playing around with security hardening compiler flags
Message-ID:  <01a4b49d43860c30e480ec7cf5bd08f9@Leidinger.net>
index | next in thread | raw e-mail 

[-- Attachment #1 --]
Hi,

after reading
     
https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
     https://libcxx.llvm.org/Hardening.html
     
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
I played around a bit with some of the flags there (in CFLAGS).

What doesn't work:
  - -fstrict-flex-arrays=3   (variable array issue in IIRC a tool for 
ath)
  - -fstrict-flex-arrays=2   (issue in another area, haven't checked 
further)

What works and results in a world+kernel which is able to boot:
  - -D_GLIBCXX_ASSERTIONS
  - -fstrict-flex-arrays=1
  - -fstack-clash-protection
  - -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE

Does someone has any reason / argument why some of those shouldn't be 
used when building FreeBSD?
Should something like this be optional, and if yes, enabled by default, 
or disabled by default?

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmc6DCoACgkQEg2wmwP4
2IbwtRAAjL1lgKhYzKCNy/bYE4V/PcncUtziZexqmrldPRDHBnsWsCuyRBJQZpgq
Gcc9JkER8io9XsckV65zZh83X2uL7Zit2XvaYPvjyUmzjFrZkp268uhp3H2fSgsK
njcgEh4HIEXgMxtUrPbun+jhHi/FjLmua0hALx4YDcxb/EGfTBNTlZT/PHi9DcXT
2REz6OVKBDXA4dsHVdqvZ/S5f9OvoP6/PucgYYpvaD5g1WWuKR0fdx73Bs72bFzt
G8QrQSPn4rqBeI6zGVZKiGirdSNa9iS3RZUDndSXiK14y5uJpVuOvJu3pMtH4wdA
DRX4s1eo6lZKvVA7NWjc62wMO2tPZ6Ye7M4G+wmbvKVazZxQrB3y3BlPV1H4G38x
M2b0nEgEBKKuG0t3AScYbgpNN5gIWavhoQFINllKdyPxD45et+V2aDHRI/nfV868
0oskfwH3i+omznkOkw3vVR4eMJnHAxxgIwD1rwlYdD/gXVkT/IaOMGbqUcjEyOpx
6mG7FUnNxLYOq4LDoI/eS3vnoRlv1CrLXtsR0n6akvHMabiY+jFnb6EJyibdXejI
WRqjRN0MySMTg0Jy5Bmh+xpEaD8H3daDEewycLmgTKnXzGhA9UCuZASVhqtd9rJ7
HrjHZkQ56+5XHtRjYSUTj+VZ5w2z4txG5s9Icn95j42FEnc4qG8=
=1sRY
-----END PGP SIGNATURE-----
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01a4b49d43860c30e480ec7cf5bd08f9>