Getting the maximum of your C compiler, for security
source link: https://airbus-seclab.github.io/c-compiler-security/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Getting the maximum of your C compiler, for security
Introduction
This guide is intended to help you determine which flags you should use to compile your C Code using GCC, Clang or MSVC, in order to:
- detect the maximum number of bugs or potential security problems.
- enable security mitigations in the produced binaries.
- enable runtime sanitizers to detect errors (overflows, race conditions, etc.) and make fuzzing more efficient.
Disclaimer:
The flags selected and recommended here were chosen to maximize the number of
classes of detected errors which could have a security benefit when enabled.
Code generation options (such as -fstack-protector-strong) can also have
performance impacts. It is up to you to assess the impact on your code base
and choose the right set of command line options.
Comments are of course welcome.
GCC TL;DR
Always use the following warnings and flags on the command line:
-O2
-Werror
-Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 -Wformat-security -Wnull-dereference -Wstack-protector -Wtrampolines -Walloca -Wvla -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wcast-qual -Wstringop-overflow=4 -Wconversion -Warith-conversion -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wshadow -Wstrict-overflow=4 -Wundef -Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wstack-usage=1000000 -Wcast-align=strict
-D_FORTIFY_SOURCE=2
-fstack-protector-strong -fstack-clash-protection -fPIE
-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code
On legacy code bases, some of the warnings may produce some false positives. On code where the behavior is intended, pragmas can be used to disable the specific warning locally.
Run debug/test builds with sanitizers (in addition to the flags above): AddressSanitizer + UndefinedBehaviorSanitizer:
-fsanitize=address -fsanitize=pointer-compare -fsanitize=pointer-subtract -fsanitize=leak -fno-omit-frame-pointer -fsanitize=undefined -fsanitize=bounds-strict -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow
export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:detect_invalid_pointer_pairs=2
If your program is multi-threaded, run with -fsanitize=thread (incompatible with ASan).
Finally, use -fanalyzer to spot potential issues.
Clang TL;DR
First compile with:
-O2
-Werror
-Walloca -Wcast-qual -Wconversion -Wformat=2 -Wformat-security -Wnull-dereference -Wstack-protector -Wstrict-overflow=3 -Wvla -Warray-bounds -Warray-bounds-pointer-arithmetic -Wassign-enum -Wbad-function-cast -Wconditional-uninitialized -Wconversion -Wfloat-equal -Wformat-type-confusion -Widiomatic-parentheses -Wimplicit-fallthrough -Wloop-analysis -Wpointer-arith -Wshift-sign-overflow -Wshorten-64-to-32 -Wswitch-enum -Wtautological-constant-in-range-compare -Wunreachable-code-aggressive
-D_FORTIFY_SOURCE=2
-fstack-protector-strong -fsanitize=safe-stack -fPIE -fstack-clash-protection
-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code
On legacy code bases, some of the warnings may produce some false positives. On code where the behavior is intended, pragmas can be used to disable the specific warning locally.
Run debug/test builds with sanitizers (in addition to the flags above):
AddressSanitizer + UndefinedBehaviorSanitizer:
-fsanitize=address -fsanitize=leak -fno-omit-frame-pointer -fsanitize=undefined -fsanitize=bounds-strict -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fsanitize=integer -fsanitize-no-recover
export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:detect_invalid_pointer_pairs=2
If your program is multi-threaded, run with -fsanitize=thread (incompatible with ASan).
Finally, use scan-build to spot potential issues.
In addition, you can build production code with -fsanitize=integer -fsanitize-minimal-runtime -fsanitize-no-recover to catch integer overflows.
Microsoft Visual Studio 2019 TL;DR
- Compile with
/Wall /sdl /guard:cf /guard:ehcont /CETCOMPAT - Use ASan with
/fsanitize=address - Analyze your code with
/fanalyze
- Check https://github.com/pkolbus/compiler-warnings to see which compiler version supports a given flag
- Use the Compiler explorer to experiment and check the impact on machine code produced
- If you have a doubt about the actual semantics of a flag, check the tests (for Clang, GCC)
- Use checksec.py to verify your binaries have mitigations
References
Written by Raphaël Rigo and reviewed by Sarah Zennou @ Airbus Security lab, 2021.
Contributing
Please open an issue if you notice any error, imprecision or have comments or improvements ideas.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Recommend
-
51
Key Takeaways Java's C2 JIT compiler is end-of-life The new JVMCI compiler interface allows new compilers to be plugged in Oracle have developed Graal, a JIT writt...
-
67
Software defines what moves us. From mobility apps and real-time maps to increasingly automated vehicles, lines of code have become fundamental to the world of transportation. As this software becomes more comple...
-
27
A key theme of the Rust 2019 roadmap is maturity . This covers a variety of topics, but a crucial one is compile times. For example, the
-
3
Welcome My name is Jesse, and this is an introductory Rust tutorial for developers who like learning by doing. The purpose of this tutorial is to develop intuition about toolbuilding in Rust–specifical...
-
12
ValueDeFi Integrating Chainlink Price Feeds to Ensure Maximum Security for Relaunch of MultiStables Vault
-
12
iWork 11 gives you maximum control of how your docs lookNews
-
7
How to Set Up Your Windows PC for Maximum Productivity By Lando Loic Published 1 day ago If you find yourself struggling to work on...
-
8
Optimizing Your Data Management Strategy for a Maximum ROI From Your Cloud Investment
-
12
Elevate your MacBook or iPad with this affordable stand for maximum comfort
-
6
Are you wondering how much you should spend on your Facebook and Instagram ads? Setting your ad budget can mean different t...
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK