GCC Preparing To Introduce "-fhardened" Security Hardening Option

Written by Michael Larabel in GNU on 15 September 2023 at 05:00 PM EDT.
Following discussions among compiler developers and other stakeholders, the GNU Compiler Collection (GCC) is preparing to add a "-fhardened" compiler option that will enable various hardening features aimed at increasing the security/robustness of the generated binaries.

Since last month there has been a discussion about adding a generic "hardening" option to improve the security of generated binaries by bundling hardening options that already exist but are not used by every project -- whether because developers do not know about them, the software is not actively maintained, or similar factors. The "-fhardened" option would be an easy way to enable a curated set of hardening options without users or developers having to keep track of the steadily growing list of "reasonable" flags.

The options considered reasonable for this hardening option cannot change the application binary interface (ABI), cannot cause "severe" performance regressions, and cannot introduce new build errors.

In a patch now seeking to be merged to GCC 14 Git in the coming days by Red Hat's Marek Polacek, the initial -fhardened options include:
-D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
-D_GLIBCXX_ASSERTIONS
-ftrivial-auto-var-init=pattern
-fPIE -pie -Wl,-z,relro,-z,now
-fstack-protector-strong
-fstack-clash-protection
-fcf-protection=full (x86 GNU/Linux only)
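Most of the flags above leave a footprint in the resulting ELF file, so a build can be audited after the fact rather than by trusting the compiler command line. The script below is an added example, not code from the article or from GCC: it takes the combined `readelf -h -l -d -s -n --wide` output of a binary and reports which of the observable -fhardened properties are present. The sample readelf dumps are constructed and abridged, and the mapping from flag to ELF marker is this example's own assumption about what each flag produces on an x86-64 GNU/Linux toolchain. -fstack-clash-protection and -ftrivial-auto-var-init leave no reliable marker in the ELF metadata, so they are deliberately not checked.

```shell
#!/bin/sh
# Added example: audit a built ELF for the -fhardened properties that are
# visible in readelf output. Not part of the article or of GCC.
#
# Flag                      -> marker looked for in the readelf dump (assumed)
#   -fPIE -pie              -> "Type: DYN" in the ELF header
#   -Wl,-z,relro            -> a GNU_RELRO program header
#   -Wl,-z,now              -> BIND_NOW / "Flags: NOW" dynamic tag
#   -fstack-protector-strong-> a reference to __stack_chk_fail
#   -D_FORTIFY_SOURCE       -> fortified __*_chk libc symbols (e.g. __printf_chk)
#   -fcf-protection=full    -> "x86 feature: IBT, SHSTK" in .note.gnu.property

# check LABEL PATTERN: grep the dump held in $DUMP and print PASS/FAIL LABEL.
check() {
    if printf '%s\n' "$DUMP" | grep -Eq "$2"; then
        printf 'PASS %s\n' "$1"
    else
        printf 'FAIL %s\n' "$1"
    fi
}

# grade_from_readelf: reads a readelf dump on stdin, prints one line per check.
grade_from_readelf() {
    DUMP=$(cat)
    check pie             'Type:[[:space:]]+DYN'
    check relro           'GNU_RELRO'
    check bind-now        'BIND_NOW|Flags:.*NOW'
    check stack-protector '__stack_chk_fail'
    # "__stack_chk_fail" does not match: "_chk" must be followed by @, space or EOL.
    check fortify         '__[a-z0-9_]+_chk(@|[[:space:]]|$)'
    check cet             'x86 feature: IBT, SHSTK'
}

# Constructed, abridged readelf output of a binary built with the flags above.
HARDENED_DUMP=$(cat <<'EOF'
ELF Header:
  Type:                              DYN (Position-Independent Executable file)
Program Headers:
  Type           Offset   VirtAddr
  GNU_RELRO      0x002db0 0x0000000000003db0
Dynamic section at offset 0x2dc0 contains 25 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 8 entries:
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (2)
Displaying notes found in: .note.gnu.property
      Properties: x86 feature: IBT, SHSTK
EOF
)

# Constructed, abridged readelf output of the same program built without them.
UNHARDENED_DUMP=$(cat <<'EOF'
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr
  GNU_STACK      0x000000 0x0000000000000000
Dynamic section at offset 0x2e20 contains 24 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 6 entries:
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
Displaying notes found in: .note.gnu.build-id
EOF
)

# With a path argument, inspect a real binary (needs binutils' readelf);
# otherwise grade the two constructed samples.
if [ "$#" -gt 0 ]; then
    readelf -h -l -d -s -n --wide "$1" | grade_from_readelf
else
    echo "hardened sample:";   printf '%s\n' "$HARDENED_DUMP"   | grade_from_readelf
    echo "unhardened sample:"; printf '%s\n' "$UNHARDENED_DUMP" | grade_from_readelf
fi
```

Run it as `sh hardening_check.sh ./a.out` against a binary built with and without the flags; a PASS on every line is the expected result for an -fhardened build on x86-64, while a FAIL on `fortify` can also simply mean the program calls no fortifiable libc function.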

Thus the sole "-fhardened" option enables position independent executables, fortify sources, stack protections, control flow protections, and other common recommended options that are suitable for enabling relatively broadly.

Barring any last minute objections, this -fhardened patch will be merged soon for introduction in the GCC 14.1 stable release due out early next year.