Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add binary hardening compile and link flags #4603

Merged
merged 4 commits into from
Jul 3, 2023

Conversation

thejohnfreeman
Copy link
Collaborator

Add full RELRO and stack canary when compiling with GCC or Clang.

@nbougalis
Copy link
Contributor

Awesome! Thanks for adding this, @thejohnfreeman! I wanted to add this for a really long time.

@seelabs seelabs self-assigned this Jun 30, 2023
@seelabs seelabs added the Ready to merge *PR author* thinks it's ready to merge. Has passed code review. Perf sign-off may still be required. label Jun 30, 2023
@intelliot
Copy link
Collaborator

Suggested commit message:

build: add binary hardening compile and link flags (#4603)

Enhance security during the build process:

* The '-fstack-protector' flag enables stack protection for preventing
  buffer overflow vulnerabilities. If an attempt is made to overflow the
  buffer, the program will terminate, thus protecting the integrity of
  the stack.
* The '-Wl,-z,relro,-z,now' linker flag enables Read-only Relocations
  (RELRO), a feature that helps harden the binary against certain types
  of exploits, particularly those that involve overwriting the Global
  Offset Table (GOT).
  * This flag is only set for Linux builds, due to compatibility issues
    with apple-clang.
  * The `relro` option makes certain sections of memory read-only after
    initialization to prevent them from being overwritten, while `now`
    ensures that all dynamic symbols are resolved immediately on program
    start, reducing the window of opportunity for attacks.

@intelliot
Copy link
Collaborator

intelliot commented Jul 1, 2023

@thejohnfreeman can you bring this up-to-date with develop?

I don't have permission to apply a merge commit to your branch.

(This can wait for Monday, of course)

Copy link
Contributor

@a-noni-mousse a-noni-mousse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a grand change!

@intelliot intelliot merged commit 66bfe90 into XRPLF:develop Jul 3, 2023
@thejohnfreeman thejohnfreeman deleted the cflags branch July 3, 2023 14:54
ckeshava pushed a commit to ckeshava/rippled that referenced this pull request Jul 10, 2023
Enhance security during the build process:

* The '-fstack-protector' flag enables stack protection for preventing
  buffer overflow vulnerabilities. If an attempt is made to overflow the
  buffer, the program will terminate, thus protecting the integrity of
  the stack.
* The '-Wl,-z,relro,-z,now' linker flag enables Read-only Relocations
  (RELRO), a feature that helps harden the binary against certain types
  of exploits, particularly those that involve overwriting the Global
  Offset Table (GOT).
  * This flag is only set for Linux builds, due to compatibility issues
    with apple-clang.
  * The `relro` option makes certain sections of memory read-only after
    initialization to prevent them from being overwritten, while `now`
    ensures that all dynamic symbols are resolved immediately on program
    start, reducing the window of opportunity for attacks.
ckeshava pushed a commit to ckeshava/rippled that referenced this pull request Sep 22, 2023
Enhance security during the build process:

* The '-fstack-protector' flag enables stack protection for preventing
  buffer overflow vulnerabilities. If an attempt is made to overflow the
  buffer, the program will terminate, thus protecting the integrity of
  the stack.
* The '-Wl,-z,relro,-z,now' linker flag enables Read-only Relocations
  (RELRO), a feature that helps harden the binary against certain types
  of exploits, particularly those that involve overwriting the Global
  Offset Table (GOT).
  * This flag is only set for Linux builds, due to compatibility issues
    with apple-clang.
  * The `relro` option makes certain sections of memory read-only after
    initialization to prevent them from being overwritten, while `now`
    ensures that all dynamic symbols are resolved immediately on program
    start, reducing the window of opportunity for attacks.
ckeshava pushed a commit to ckeshava/rippled that referenced this pull request Sep 25, 2023
Enhance security during the build process:

* The '-fstack-protector' flag enables stack protection for preventing
  buffer overflow vulnerabilities. If an attempt is made to overflow the
  buffer, the program will terminate, thus protecting the integrity of
  the stack.
* The '-Wl,-z,relro,-z,now' linker flag enables Read-only Relocations
  (RELRO), a feature that helps harden the binary against certain types
  of exploits, particularly those that involve overwriting the Global
  Offset Table (GOT).
  * This flag is only set for Linux builds, due to compatibility issues
    with apple-clang.
  * The `relro` option makes certain sections of memory read-only after
    initialization to prevent them from being overwritten, while `now`
    ensures that all dynamic symbols are resolved immediately on program
    start, reducing the window of opportunity for attacks.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Ready to merge *PR author* thinks it's ready to merge. Has passed code review. Perf sign-off may still be required.
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

5 participants