| 1 |
Ryan Hill <dirtyepic@g.o> wrote: |
| 2 |
> |
| 3 |
> * -fstack-protector{-all} |
| 4 |
> No thank you. -fstack-protector has very limited coverage |
| 5 |
|
| 6 |
I'd say it covers most cases where bugs can be made, |
| 7 |
practically without a severe impact on execution time or code size. |
| 8 |
In contrast, -fstack-protector-all should be left to hardened, since |
| 9 |
its impact is unacceptable to e.g. multimedia systems - the |
| 10 |
protection is probably over-the-top for normal users. |
| 11 |
I'd vote for enabling -fstack-protector by default: |
| 12 |
I am using it since many years (though I do not use hardened profile, |
| 13 |
since -fstack-protector-all had too much a performance impact for me). |
| 14 |
|
| 15 |
> -fstack-protector-strong |
| 16 |
|
| 17 |
One can later still change to this when >=gcc-4.9 is available in stable. |
| 18 |
|
| 19 |
> * -Wl,-z,relro |
| 20 |
> Enabled by default since binutils 2.18 |
| 21 |
|
| 22 |
This gives its real impact on secutiry only when combined with |
| 23 |
|
| 24 |
* -Wl,-z,now |
| 25 |
|
| 26 |
The latter is not enabled by default AFAIK. |
| 27 |
The latter can slightly decrease load times, but repeated starting is |
| 28 |
usually even faster with it. Thus, performance impact is somewhat |
| 29 |
balanced, but it increases security slightly (though it would need |
| 30 |
a good expert to exploit the problems when it is not used). |
| 31 |
I am strongly suggesting to use -Wl,-z,now (and filter it on some |
| 32 |
packages which won't work with it like xorg drivers). |
| 33 |
I am also using this flag for many years (filtering certain packages; |
| 34 |
if desired, I can post a list). |
| 35 |
|
| 36 |
I would like to suggest also another flag |
| 37 |
|
| 38 |
* -Wl,-z,noexecstack |
| 39 |
|
| 40 |
This should be the default, but e.g. some broken gcc versions |
| 41 |
forgot this default when using -flto. |
| 42 |
I am using this flag since I realized this -flto bug and never |
| 43 |
had any problems with it. |
| 44 |
|
| 45 |
> * -Wl,--hash-style=3D{both,gnu} |
| 46 |
|
| 47 |
I don't know what this has to do with security. |
| 48 |
However, isn't it time to use "gnu" now for all users? Except for |
| 49 |
very strange binary-only code it should not cause any problems. |
| 50 |
The majority of users would not realize a difference but profit |
| 51 |
from smaller binaries. |
| 52 |
|
| 53 |
> * -Wl,--as-needed |
| 54 |
|
| 55 |
The impact on security is at most rather implicit, if at all. |
Archives