Security: Add comprehensive security compiler flags #95

@m-marinucci

Context

As identified in PR #89 review, the security check only looks for basic warning flags and misses important security-related compiler flags.

Current Check

if ! grep -q "Wall\|Wextra\|Werror" "$file"; then
    echo "INFO: Consider adding compiler warnings in $file"
fi

Missing Security Flags

Essential Security Flags

  1. Format String Protection

    • -Wformat: Check printf/scanf format strings
    • -Wformat-security: Warn about format string security issues
    • -Wformat=2: More extensive format checking
  2. Position Independent Executable

    • -fPIE: Generate position-independent code
    • -pie: Link as position-independent executable
  3. Stack Protection

    • -fstack-protector-strong: Strong stack smashing protection
    • -fstack-clash-protection: Protect against stack clash
  4. Fortify Source

    • -D_FORTIFY_SOURCE=2: Runtime buffer overflow detection
  5. Other Important Flags

    • -Wl,-z,relro: Read-only relocations
    • -Wl,-z,now: Resolve all symbols at startup
    • -fno-strict-overflow: Prevent signed overflow optimizations

Proposed Implementation

CMake Security Configuration

# Security-enhanced compiler flags
if(CMAKE_CXX_COMPILER_ID MATCHES "GNU|Clang")
    add_compile_options(
        -Wall -Wextra -Werror
        -Wformat=2 -Wformat-security
        -fstack-protector-strong
        -fPIE
        -D_FORTIFY_SOURCE=2
    )

    # Linker options (RELRO, immediate binding) go on the link line,
    # not the compile line; add_link_options needs CMake 3.13 or newer
    add_link_options(-Wl,-z,relro -Wl,-z,now)

    if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
        add_compile_options(-fstack-clash-protection)
    endif()
endif()

# Link flags for PIE
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")

Enhanced Security Check Script

check_security_flags() {
    local file="$1"
    local missing_flags=()

    # Check for each security flag
    for flag in "Wall" "Wextra" "Werror" "Wformat" "Wformat-security" \
                "fPIE" "pie" "fstack-protector" "D_FORTIFY_SOURCE"; do
        # Match the flag with its leading dash as a fixed string, so that
        # "pie" is not satisfied by an unrelated word containing "pie"
        if ! grep -qF -- "-$flag" "$file"; then
            missing_flags+=("$flag")
        fi
    done

    if [ ${#missing_flags[@]} -gt 0 ]; then
        echo "WARNING: Missing security flags in $file: ${missing_flags[*]}"
        return 1
    fi

    return 0
}

Benefits

  • Enhanced protection against common vulnerabilities
  • Better ASLR (Address Space Layout Randomization) support
  • Stack overflow protection
  • Format string vulnerability prevention
  • Runtime buffer overflow detection

References

Related: PR #89
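
A substring grep also accepts a flag that appears only in a comment or as the prefix of another flag (`-Wformat` inside `-Wformat-security`). The following added example, which is not code from this issue or the project, compares whole tokens instead; the function name, variable names and the two sample CMake fragments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: token-exact hardening-flag check. Function, variable and
# file names are hypothetical; the sample build files are constructed.

# Flags from the issue's CMake proposal (without the GNU-only
# -fstack-clash-protection). A token "FLAG=value" also satisfies FLAG.
REQUIRED_FLAGS="-Wall -Wextra -Werror -Wformat -Wformat-security -fPIE -pie
-fstack-protector-strong -D_FORTIFY_SOURCE -Wl,-z,relro -Wl,-z,now"

# Print the required flags absent from build file $1; exit status 1 if any.
# The body is a subshell so that 'set -f' (no globbing) stays local.
missing_security_flags() (
    set -f
    # Drop '#' comments, then split on blanks, quotes and parentheses.
    tokens=$(sed 's/#.*//' "$1" | tr -s ' \t"()' '\n')
    missing=""
    for flag in $REQUIRED_FLAGS; do
        found=0
        for tok in $tokens; do
            case "$tok" in
                "$flag" | "$flag"=*) found=1; break ;;
            esac
        done
        [ "$found" -eq 1 ] || missing="$missing $flag"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
)

SAMPLES=$(mktemp -d)
# Constructed: flags appear only in a comment or as a prefix of another flag.
cat > "$SAMPLES/weak.cmake" <<'EOF'
# TODO: enable -Wall -Wextra -Werror -fPIE -pie
add_compile_options(-Wformat-security -fstack-protector -D_FORTIFY_SOURCE=2)
EOF
# Constructed: every required flag is really passed.
cat > "$SAMPLES/hardened.cmake" <<'EOF'
add_compile_options(-Wall -Wextra -Werror -Wformat=2 -Wformat-security)
add_compile_options(-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2)
add_link_options(-pie -Wl,-z,relro -Wl,-z,now)
EOF

for f in weak hardened; do
    if out=$(missing_security_flags "$SAMPLES/$f.cmake"); then
        echo "$f: all required flags present"
    else
        echo "$f: missing $out"
    fi
done
```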
