1

I'm writing a C++ network daemon for Linux which by its nature will have to listen on the public internet.

Which GCC switches should I use to enable security features to make it harder for a possible attacker to exploit bugs in my program ?

Currently I'm using the stack protector. (GCC: -fstack-protector, LD: -Wl,-z,relro,-z,now).

Which other features should I enable (besides all warnings etc. about issues in my program) ? What about PIE ?

How do I check if the feature is actually active in the running process ? I found lsexec, but for example it doesn't show any process using PIE on my system, so I'm not sure how reliable it is.

Update:

So far I found the hardening guides from Debian and Ubuntu and this similar question. But nothing on how to check what is actually active in an executable, yet.

Community
  • 1
  • 1
Gene Vincent
  • 5,237
  • 9
  • 50
  • 86
  • 2
    Be aware that no set of compiler options will make it the least bit difficult to write insecure code. (You probably already know that.) – Keith Thompson Sep 05 '13 at 23:15
  • 1
    I am fully aware of that, but its also a fact of life that even the best code has some bugs left. So it is good to be prepared. – Gene Vincent Sep 05 '13 at 23:24
  • If compiler flags could do it all, then there wouldn't have exploits all over. Even ASLR and DEP fail at times. – devnull Sep 06 '13 at 05:22
  • 1
    I'm not asking for "do it all". I'm asking how to enable whats available, beyond the best programming I can do. So how do I enable ASLR and DEP on Linux and what else is there ? – Gene Vincent Sep 06 '13 at 05:57

0 Answers0