Date:      Sun, 17 Nov 2024 16:30:34 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Current FreeBSD <freebsd-current@freebsd.org>
Subject:   Playing around with security hardening compiler flags
Message-ID:  <01a4b49d43860c30e480ec7cf5bd08f9@Leidinger.net>

Hi,

after reading
     https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
     https://libcxx.llvm.org/Hardening.html
     https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
I played around a bit with some of the flags there (in CFLAGS).

What doesn't work:
  - -fstrict-flex-arrays=3   (variable array issue in IIRC a tool for ath)
  - -fstrict-flex-arrays=2   (issue in another area, haven't checked further)

What works and results in a world+kernel which is able to boot:
  - -D_GLIBCXX_ASSERTIONS
  - -fstrict-flex-arrays=1
  - -fstack-clash-protection
  - -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE

Does someone have any reason / argument why some of those shouldn't be used when building FreeBSD?
Should something like this be optional, and if yes, enabled by default, or disabled by default?

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
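
What the `-fstrict-flex-arrays` levels named in the mail distinguish, as an added example that is not part of the original message or of FreeBSD: per the GCC and Clang documentation, level 1 still treats trailing arrays declared `[]`, `[0]` or `[1]` as flexible, level 2 only `[]` and `[0]`, and level 3 only the C99 `[]` form. The struct and function names are constructed for illustration; the code shows the legacy one-element idiom next to the C99 form that is accepted at every level, with overflow-checked sizing and a bounds-checked read.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed types (not FreeBSD code). data[1]: flexible only at levels 0-1. */
struct msg_legacy { size_t len; unsigned char data[1]; };
/* C99 data[]: treated as flexible at every level, including 3. */
struct msg_flex { size_t len; unsigned char data[]; };

/* Allocation size for n payload bytes; 0 signals size_t overflow. */
size_t msg_flex_size(size_t n) {
    size_t hdr = offsetof(struct msg_flex, data);
    return n > (size_t)-1 - hdr ? 0 : hdr + n;
}

/* Allocate and fill a message; NULL on bad input, overflow or OOM. */
struct msg_flex *msg_flex_new(const void *src, size_t n) {
    size_t total = msg_flex_size(n);
    struct msg_flex *m = (src && total) ? malloc(total) : NULL;
    if (m != NULL) {
        m->len = n;
        memcpy(m->data, src, n);   /* src is non-NULL here; n may be 0 */
    }
    return m;
}

/* Bounds-checked read: 0 on success, -1 if i is outside the payload. */
int msg_flex_get(const struct msg_flex *m, size_t i, unsigned char *out) {
    if (m == NULL || out == NULL || i >= m->len)
        return -1;
    *out = m->data[i];
    return 0;
}

/* Size the compiler assumes for legacy data; varies with level and -O. */
size_t legacy_visible_size(const struct msg_legacy *m) {
    return __builtin_object_size(m->data, 1);   /* (size_t)-1 means unknown */
}

int main(void) {
    struct msg_flex *m = msg_flex_new("ABCD", 4);   /* constructed payload */
    struct msg_legacy l = { 1, { 0 } };
    unsigned char c = 0;
    printf("idx 3 -> %d, idx 4 -> %d\n", msg_flex_get(m, 3, &c), msg_flex_get(m, 4, &c));
    printf("legacy data size seen by compiler: %zu\n", legacy_visible_size(&l));
    free(m);
    return 0;
}
```

Building this with each `-fstrict-flex-arrays` level and comparing the second output line shows where the compiler stops treating `data[1]` as unbounded.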
