* Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
@ 2014-12-07 13:00 Some Developer
2014-12-07 13:21 ` Marc Glisse
2014-12-08 9:58 ` Jonathan Wakely
0 siblings, 2 replies; 4+ messages in thread
From: Some Developer @ 2014-12-07 13:00 UTC (permalink / raw)
To: gcc-help
Hi,
Currently I am compiling my shared library with the following options:
-Wformat=2 -fPIC -fpic -fstack-protector-strong -Wl,-z,relro,-z,now
and my executable (Linux daemon) with these options:
-Wformat=2 -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,now
and when I compile in release mode I add:
-D_FORTIFY_SOURCE=2
The question is have I got these options right? The real question is
have I got the -fPIC and -fPIE options the right way round (when
compiling for libraries versus executables)?
Also are there any more options I should be adding to make sure I have
compiled in the best possible buffer overflow protection possible?
This is a network daemon so I kind of need everything that is
available.
Cheers.
* Re: Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
From: Marc Glisse @ 2014-12-07 13:21 UTC (permalink / raw)
To: Some Developer; +Cc: gcc-help
On Sun, 7 Dec 2014, Some Developer wrote:
> Currently I am compiling my shared library with the following options:
>
> -Wformat=2 -fPIC -fpic -fstack-protector-strong -Wl,-z,relro,-z,now
What documentation did you read that led you to have both -fPIC and -fpic
on the same command line? The man page seems very clear to me.
> and my executable (Linux daemon) with these options:
>
> -Wformat=2 -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,now
>
> and when I compile in release mode I add:
>
> -D_FORTIFY_SOURCE=2
>
> The question is have I got these options right? The real question is
> have I got the -fPIC and -fPIE options the right way round (when
> compiling for libraries versus executables)?
>
> Also are there any more options I should be adding to make sure I have
> compiled in the best possible buffer overflow protection possible?
> This is a network daemon so I kind of need everything that is
> available.
You could look at -fsanitize=address maybe? (not a recommendation, just a
pointer)
--
Marc Glisse
* Re: Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
From: Some Developer @ 2014-12-07 13:34 UTC (permalink / raw)
To: gcc-help
On 07/12/14 13:21, Marc Glisse wrote:
> On Sun, 7 Dec 2014, Some Developer wrote:
>
>> Currently I am compiling my shared library with the following options:
>>
>> -Wformat=2 -fPIC -fpic -fstack-protector-strong -Wl,-z,relro,-z,now
>
> What documentation did you read that led you to have both -fPIC and
> -fpic on the same command line? The man page seems very clear to me.
>
Ah, I guess I misread that section of the info page. I'll remove the extra
command line option in both sets of compilation flags.
>> and my executable (Linux daemon) with these options:
>>
>> -Wformat=2 -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,now
>>
>> and when I compile in release mode I add:
>>
>> -D_FORTIFY_SOURCE=2
>>
>> The question is have I got these options right? The real question is
>> have I got the -fPIC and -fPIE options the right way round (when
>> compiling for libraries versus executables)?
>>
>> Also are there any more options I should be adding to make sure I have
>> compiled in the best possible buffer overflow protection possible?
>> This is a network daemon so I kind of need everything that is
>> available.
>
> You could look at -fsanitize=address maybe? (not a recommendation, just
> a pointer)
>
Cool, I'll check the info page for that.
Thanks.
* Re: Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
From: Jonathan Wakely @ 2014-12-08 9:58 UTC (permalink / raw)
To: Some Developer; +Cc: gcc-help
On 7 December 2014 at 12:59, Some Developer wrote:
> This is a network daemon so I kind of need everything that is
> available.
You could try the -fvtable-verify=std option for adding verification
code to check vtable pointers aren't overwritten, although you need to
reconfigure and rebuild GCC yourself.
https://gcc.gnu.org/wiki/vtv
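
Added example (not part of the thread and not code from any of its participants): one way to confirm that the linker-level options from the original question (-pie or -shared, -Wl,-z,relro,-z,now) took effect is to read the ELF headers of the built file. The sketch below assumes a little-endian ELF64 file; `audit_elf64` and `make_sample` are hypothetical names, the sample image is constructed for the demonstration, and telling a PIE executable from a shared library by the presence of PT_INTERP is a heuristic. It does not check -fstack-protector-strong or _FORTIFY_SOURCE.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def audit_elf64(data):
    """Report linker-level hardening of a little-endian ELF64 image (bytes)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = now = interp = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:        # segment emitted for -z relro
            relro = True
        elif p_type == PT_INTERP:         # file names a program interpreter
            interp = True
        elif p_type == PT_DYNAMIC:        # walk the dynamic entries for -z now
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                now |= tag == DT_BIND_NOW
                now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
                now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
    # Heuristic (assumption): ET_DYN with PT_INTERP is a -pie executable,
    # ET_DYN without it is a -shared library.
    kind = {ET_EXEC: "non-PIE executable",
            ET_DYN: "PIE executable" if interp else "shared library"}
    return {"kind": kind.get(e_type, "other"), "relro": relro,
            "bind_now": now, "full_relro": relro and now}

def make_sample(e_type, relro, bind_now, interp):
    """Constructed image for the demo: ELF header, program headers, dynamic."""
    types = [PT_DYNAMIC] + [PT_INTERP] * interp + [PT_GNU_RELRO] * relro
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", e_type, 62,
                       1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 64 + 56 * len(types), 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
                     for t in types)
    return ehdr + phdrs + dyn
```

On a real build, pass the file contents instead of the constructed sample, for example `audit_elf64(open(path, "rb").read())`.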