Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- -Wall -Wextra
- Turn on all warnings to help ensure the underlying code is secure.
- -Wconversion -Wsign-conversion
- Warn on unsign/sign conversion
- -Wformatsecurity
- Warn about uses of format functions that represent possible security problems
- -Werror
- Turns all warnings into errors.
- -arch x86_64
- Compile for 64-bit to take max advantage of address space (important for ASLR; more virtual address space to chose from when randomising layout).
- -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4
- Your choice of "-fstack-protector" does not protect all functions (see comments). You need -fstack-protector-all to guarantee guards are applied to all functions, although this will likely incur a performance penalty. Consider -fstack-protector-strong as a middle ground.
- The -Wstack-protector flag here gives warnings for any functions that aren't going to get protected.
- -pie -fPIE
- For ASLR
- -ftrapv
- Generates traps for signed overflow (currently bugged in gcc)
- -D_FORTIFY_SOURCE=2 O2
- Buffer overflow checks. See also difference between =2 and =1
- -Wl,-z,relro,-z,now
- RELRO (read-only relocation). The options relro & now specified together are known as "Full RELRO". You can specify "Partial RELRO" by omitting the now flag. RELRO marks various ELF memory sections readonly (E.g. the GOT)
- If compiling on Windows, please Visual Studio instead of GCC, as some protections for Windows (ex. SEHOP) are not part of GCC, but if you must use GCC:
- -Wl,dynamicbase
- Tell linker to use ASLR protection
- -Wl,nxcompat
- Tell linker to use DEP protection
- -->
- -D_FORTIFY_SOURCE=2
- -fstack-protector --param ssp-buffer-size=4
- -fPIE -pie
- -Wl,-z,relro,-z,now (ld -z relro and ld -z now)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement