public inbox for gcc-help@gcc.gnu.org
* Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
@ 2014-12-07 13:00 Some Developer
  2014-12-07 13:21 ` Marc Glisse
  2014-12-08  9:58 ` Jonathan Wakely
From: Some Developer @ 2014-12-07 13:00 UTC (permalink / raw)
  To: gcc-help

Hi,

Currently I am compiling my shared library with the following options:

-Wformat=2 -fPIC -fpic -fstack-protector-strong -Wl,-z,relro,-z,now

and my executable (Linux daemon) with these options:

-Wformat=2 -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,now

and when I compile in release mode I add:

-D_FORTIFY_SOURCE=2

The question is have I got these options right? The real question is
have I got the -fPIC and -fPIE options the right way round (when
compiling for libraries versus executables)?

Also are there any more options I should be adding to make sure I have
compiled in the best possible buffer overflow protection possible?
This is a network daemon so I kind of need everything that is
available.

Cheers.

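An added example (not from this thread, and not GCC or binutils code) that verifies what the poster's flags are meant to leave in the output file: an ET_DYN object, which is what -fPIC plus -shared gives a library and what -fPIE plus -pie gives an executable, and full RELRO, meaning a PT_GNU_RELRO segment from -z relro together with a bind-now flag in the dynamic section from -z now. It parses little-endian ELF64 headers with the Python standard library only. The sample images are constructed inline for the test, and build_sample, check_elf and check_file are names chosen here.

```python
import struct

# ELF constants used below (values from the ELF and glibc ABI definitions)
ET_EXEC, ET_DYN = 2, 3                     # e_type: fixed-address executable vs position-independent
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552   # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1           # "resolve every symbol at load time" (-Wl,-z,now)

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
DYN = "<qQ"                  # Elf64_Dyn


def check_elf(data):
    """Return which load-time hardening properties a little-endian ELF64 image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR, data, 0)

    relro = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _va, _pa, p_filesz, *_ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # -Wl,-z,relro: region remapped read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic:
        pos, end = dynamic[0], dynamic[0] + dynamic[1]
        while pos + 16 <= min(end, len(data)):
            tag, val = struct.unpack_from(DYN, data, pos)
            pos += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True   # -Wl,-z,now: no lazy binding, so the GOT can live in the RELRO region

    return {
        "position_independent": e_type == ET_DYN,   # ET_DYN: shared library or PIE executable
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,           # both are needed for a read-only GOT
    }


def check_file(path):
    """Run check_elf on a real file, e.g. the daemon or the .so built with the flags above."""
    with open(path, "rb") as f:
        return check_elf(f.read())


def build_sample(e_type, relro, bind_now):
    """Construct a minimal ELF64 image to exercise the checker (constructed data, not a real binary)."""
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph                 # dynamic section follows the program header table
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW) + struct.pack(DYN, DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack(DYN, DT_NULL, 0)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    hardened = build_sample(ET_DYN, relro=True, bind_now=True)   # what -pie -Wl,-z,relro,-z,now yields
    legacy = build_sample(ET_EXEC, relro=False, bind_now=False)  # a non-PIE build without RELRO
    print("hardened:", check_elf(hardened))
    print("legacy:  ", check_elf(legacy))
```

Running check_file on the real daemon and library is the quick way to confirm that the flags survived the build system rather than being dropped by a stray CFLAGS override. The checker cannot see two of the other flags: -fstack-protector-strong shows up only as a __stack_chk_fail reference in the symbol table, and _FORTIFY_SOURCE leaves no marker at all and only takes effect when optimisation is enabled (-O1 or higher), so a release build compiled without -O gets no fortified calls even with -D_FORTIFY_SOURCE=2.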

* Re: Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
  2014-12-07 13:00 Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2 Some Developer
@ 2014-12-07 13:21 ` Marc Glisse
  2014-12-07 13:34   ` Some Developer
  2014-12-08  9:58 ` Jonathan Wakely
From: Marc Glisse @ 2014-12-07 13:21 UTC (permalink / raw)
  To: Some Developer; +Cc: gcc-help

On Sun, 7 Dec 2014, Some Developer wrote:

> Currently I am compiling my shared library with the following options:
>
> -Wformat=2 -fPIC -fpic -fstack-protector-strong -Wl,-z,relro,-z,now

What documentation did you read that led you to have both -fPIC and -fpic 
on the same command line? The man page seems very clear to me.

> and my executable (Linux daemon) with these options:
>
> -Wformat=2 -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,now
>
> and when I compile in release mode I add:
>
> -D_FORTIFY_SOURCE=2
>
> The question is have I got these options right? The real question is
> have I got the -fPIC and -fPIE options the right way round (when
> compiling for libraries versus executables)?
>
> Also are there any more options I should be adding to make sure I have
> compiled in the best possible buffer overflow protection possible?
> This is a network daemon so I kind of need everything that is
> available.

You could look at -fsanitize=address maybe? (not a recommendation, just a 
pointer)

-- 
Marc Glisse


* Re: Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
  2014-12-07 13:21 ` Marc Glisse
@ 2014-12-07 13:34   ` Some Developer
From: Some Developer @ 2014-12-07 13:34 UTC (permalink / raw)
  To: gcc-help

On 07/12/14 13:21, Marc Glisse wrote:
> On Sun, 7 Dec 2014, Some Developer wrote:
>
>> Currently I am compiling my shared library with the following options:
>>
>> -Wformat=2 -fPIC -fpic -fstack-protector-strong -Wl,-z,relro,-z,now
>
> What documentation did you read that led you to have both -fPIC and
> -fpic on the same command line? The man page seems very clear to me.
>

Ah, I guess I misread that section of the info page. I'll remove the extra 
command line option in both sets of compilation flags.

>> and my executable (Linux daemon) with these options:
>>
>> -Wformat=2 -fPIE -pie -fstack-protector-strong -Wl,-z,relro,-z,now
>>
>> and when I compile in release mode I add:
>>
>> -D_FORTIFY_SOURCE=2
>>
>> The question is have I got these options right? The real question is
>> have I got the -fPIC and -fPIE options the right way round (when
>> compiling for libraries versus executables)?
>>
>> Also are there any more options I should be adding to make sure I have
>> compiled in the best possible buffer overflow protection possible?
>> This is a network daemon so I kind of need everything that is
>> available.
>
> You could look at -fsanitize=address maybe? (not a recommendation, just
> a pointer)
>

Cool, I'll check the info page for that.

Thanks.


* Re: Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2
  2014-12-07 13:00 Compilation security options for shared libraries and executables (daemon) with G++ 4.9.2 Some Developer
  2014-12-07 13:21 ` Marc Glisse
@ 2014-12-08  9:58 ` Jonathan Wakely
From: Jonathan Wakely @ 2014-12-08  9:58 UTC (permalink / raw)
  To: Some Developer; +Cc: gcc-help

On 7 December 2014 at 12:59, Some Developer wrote:
> This is a network daemon so I kind of need everything that is
> available.

You could try the -fvtable-verify=std option for adding verification
code to check vtable pointers aren't overwritten, although you need to
reconfigure and rebuild GCC yourself.

https://gcc.gnu.org/wiki/vtv
