From e4f3c9cd7723da6a7afcbd65839a800cec3c2ce3 Mon Sep 17 00:00:00 2001
From: John Freeman
Date: Mon, 3 Jul 2023 09:41:12 -0500
Subject: [PATCH] build: add binary hardening compile and link flags (#4603)

Enhance security during the build process:
* The '-fstack-protector' flag enables stack protection for preventing buffer overflow vulnerabilities. If an attempt is made to overflow the buffer, the program will terminate, thus protecting the integrity of the stack.
* The '-Wl,-z,relro,-z,now' linker flag enables Read-only Relocations (RELRO), a feature that helps harden the binary against certain types of exploits, particularly those that involve overwriting the Global Offset Table (GOT).
* This flag is only set for Linux builds, due to compatibility issues with apple-clang.
* The `relro` option makes certain sections of memory read-only after initialization to prevent them from being overwritten, while `now` ensures that all dynamic symbols are resolved immediately on program start, reducing the window of opportunity for attacks.
---
 Builds/CMake/RippledCompiler.cmake | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Builds/CMake/RippledCompiler.cmake b/Builds/CMake/RippledCompiler.cmake
index 2fbb6004333..aa8f1d1eb76 100644
--- a/Builds/CMake/RippledCompiler.cmake
+++ b/Builds/CMake/RippledCompiler.cmake
@@ -13,7 +13,6 @@ link_libraries (Ripple::common)
 set_target_properties (common PROPERTIES INTERFACE_POSITION_INDEPENDENT_CODE ON)
 set(CMAKE_CXX_EXTENSIONS OFF)
-target_compile_features (common INTERFACE cxx_std_17)
 target_compile_definitions (common
 INTERFACE
 $<$:DEBUG _DEBUG>
@@ -108,6 +107,7 @@ else ()
 -Wno-char-subscripts
 -Wno-format
 -Wno-unused-local-typedefs
+ -fstack-protector
 $<$:
 -Wno-unused-but-set-variable
 -Wno-deprecated
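Review bot: The added `-fstack-protector` only instruments functions whose locals include a char array of at least 8 bytes (GCC's default `--param ssp-buffer-size`), so most frames in a C++ codebase get no canary at all; the accepted baseline is `-fstack-protector-strong`, which also covers other array types and address-taken locals and has been supported since GCC 4.9 and Clang 3.5, so the line should read `-fstack-protector-strong`. The commit message's claim that the flag "prevents" overflows overstates it: the canary is checked only at function return, so the overwrite itself still happens and the process aborts afterwards; a comment on the line such as `# stack canaries: abort on a smashed return address instead of continuing` would set expectations correctly. Pairing it with `-D_FORTIFY_SOURCE=2` for the optimized configurations, gated with a `$<$<NOT:$<CONFIG:Debug>>:...>` genex, is the usual companion, since that define is a no-op below -O1. The enclosing `else ()` block begins outside the hunk, so I can't see whether these options are already compiler-gated; separately, the first hunk drops the `cxx_std_17` feature requirement without a word in the description, presumably because the standard is pinned elsewhere, but that deserves a mention.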
@@ -120,6 +120,7 @@ else ()
 target_link_libraries (common
 INTERFACE
 -rdynamic
+ $<$:-Wl,-z,relro,-z,now>
 # link to static libc/c++ iff:
 # * static option set and
 # * NOT APPLE (AppleClang does not support static libc/c++) and
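Review bot: Full RELRO on the added line makes the GOT read-only after eager binding, but unless the executable is also PIE its GOT and text still sit at a fixed address, so the flag should be paired with PIE for the executables it hardens. `INTERFACE_POSITION_INDEPENDENT_CODE ON` earlier in this file yields `-fPIC` for objects, yet CMake only adds `-pie` at link when `POSITION_INDEPENDENT_CODE` is set on the executable target and policy CMP0083 is NEW (`include(CheckPIESupported)` plus `check_pie_supported()`); I can't tell from this hunk whether that is done. The condition of the generator expression is not readable in this rendering (`$<$:...>`); since the commit message says Linux-only, a comment on the line such as `# full RELRO: GOT read-only after eager binding (Linux only; Apple ld has no -z relro)` would record why macOS is excluded. Stylistically, raw linker flags belong in `target_link_options(common INTERFACE ...)` rather than `target_link_libraries`, though this block already does the same with `-rdynamic`.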