The specific features enabled are described in the original posting and, in more detail, on the Debian wiki entry for Hardening. They are:
- using -Wformat to catch printf() family calls that do not have a string literal for the format string. Such calls can lead to problems if the argument came from an untrusted source and contains format specifiers.
- using -D_FORTIFY_SOURCE to validate glibc calls such as strcpy() when the buffer sizes are known at compile time, which can help stop buffer overflow attacks.
- using -fstack-protector to thwart most stack smashing attacks.
- creating Position Independent Executables (PIE), which makes it possible to use the Address Space Layout Randomization that is available in some kernels. This makes it difficult for an attacker to know where the program's sections will be located in memory.
- using ld -z relro to change certain sections to be read-only once ld has made its modifications while loading the program. This can thwart attacks that try to overwrite the Global Offset Table (GOT).
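To confirm that a build actually picked up the PIE and relro options from the list above, the ELF headers can be inspected. This is an added example, not code from the original posting or from Debian; `elf_hardening`, `make_sample` and the `HARD_*` flags are names introduced here, and it assumes Linux's `<elf.h>`, a 64-bit ELF image and an image in the host's byte order.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>

#define HARD_PIE   1  /* e_type == ET_DYN (also true for shared objects) */
#define HARD_RELRO 2  /* a PT_GNU_RELRO segment is present */
/* Returns a bitmask of HARD_* flags, or -1 if img is not a sane ELF64 image. */
int elf_hardening(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);               /* copy: img may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    /* Bounds-check the program header table before walking it. */
    if (eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;
    int flags = (eh.e_type == ET_DYN) ? HARD_PIE : 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) flags |= HARD_RELRO;
    }
    return flags;
}

/* Constructed sample input: an ELF64 header followed by two program headers. */
size_t make_sample(unsigned char *buf, int pie, int relro)
{
    Elf64_Ehdr eh = { .e_type = pie ? ET_DYN : ET_EXEC, .e_phoff = sizeof eh,
                      .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 2 };
    Elf64_Phdr ph[2] = { { .p_type = PT_LOAD },
                         { .p_type = relro ? PT_GNU_RELRO : PT_GNU_STACK } };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

int main(void)
{
    unsigned char buf[256];
    printf("flags=%d\n", elf_hardening(buf, make_sample(buf, 1, 1)));
    return 0;
}
```

The check covers only what the program headers show: it does not detect -fstack-protector or fortified glibc calls, which leave their traces in the symbol table instead.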