Re: gnucobol-3.1-rc1 and -U_FORTIFY_SOURCE

From: Jeffrey Walton
Subject: Re: gnucobol-3.1-rc1 and -U_FORTIFY_SOURCE
Date: Tue, 14 Jul 2020 06:51:41 -0400

On Tue, Jul 14, 2020 at 6:31 AM Edward Hart <edward.dan.hart@gmail.com> wrote:
> Hi James,
> Thanks for bringing this up; this is an interesting topic.
> Do you think it would be worth hardening builds by default? The Debian and 
> Red Hat articles you link don't mention many downsides (other than maybe 
> performance). It shouldn't be too hard to extend configure to check for the 
> hardening options. But I'm not sure if package maintainers have any 
> expectations for what should be in default CFLAGS/LDFLAGS.

Debian and Fedora often apply the hardening through a GCC spec file.
The rub is, it usually only applies to the more recent releases.

With that said, older compilers, non-GCC compat compilers and older
platforms often lack some of the flags. Older platforms can have a
newer compiler, too. The BSDs are legendary for security but notorious
for missing hardening, like PIE/ASLR. Just try running checksec on
cobc on FreeBSD, OpenBSD or NetBSD.

What I prefer to do is enable hardening by default. If a user wishes,
they can turn off hardening with the --disable-hardening configure option.
It keeps the auditors happy because it is a firm security posture out
of the box. Users don't have to do anything special to get the

It looks something like this in configure.ac:

# These are for the BSDs. Legendary for security, but missing secure flags.
AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [AM_CFLAGS="$AM_CFLAGS -fstack-protector-all"])
AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [AM_CFLAGS="$AM_CFLAGS -fstack-clash-protection"])
AX_CHECK_COMPILE_FLAG([-mcet -fcf-protection], [AM_CFLAGS="$AM_CFLAGS -mcet -fcf-protection"])
AX_CHECK_COMPILE_FLAG([-fexceptions], [AM_CFLAGS="$AM_CFLAGS -fexceptions"])

# These are for the BSDs. Legendary for security, but missing secure flags.
AX_CHECK_COMPILE_FLAG([-Wl,-z,relro], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,relro"])
AX_CHECK_COMPILE_FLAG([-Wl,-z,now], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,now"])
AX_CHECK_COMPILE_FLAG([-Wl,-z,defs], [AM_CFLAGS="$AM_CFLAGS -Wl,-z,defs"])

BLAKE2 builds a program, so it uses -fPIC/-pie. A shared object would
use -fPIC/-shared.
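
The message describes hardening that is on by default with a --disable-hardening opt-out, but the snippet shows only the flag probes. The following is an added example of that wiring, not part of the original message or of any project's configure.ac. It assumes autoconf-archive provides AX_CHECK_COMPILE_FLAG and AX_CHECK_LINK_FLAG; probing with -Werror and placing the linker options in AM_LDFLAGS are choices made for this example.

```m4
# Added example (not from the original message).
# Hardening is enabled unless the user passes --disable-hardening.
AC_ARG_ENABLE([hardening],
  [AS_HELP_STRING([--disable-hardening],
    [do not add compiler and linker hardening flags (default: enabled)])],
  [enable_hardening=$enableval],
  [enable_hardening=yes])

AS_IF([test "x$enable_hardening" != "xno"], [
  # Compiler flags. Each flag is kept only if this compiler accepts it,
  # so older compilers and platforms simply end up with a shorter list.
  # The 4th argument adds -Werror to the probe only, so a compiler that
  # merely warns about an unknown option counts as "not supported".
  AX_CHECK_COMPILE_FLAG([-fstack-protector-all],
    [AM_CFLAGS="$AM_CFLAGS -fstack-protector-all"], [], [-Werror])
  AX_CHECK_COMPILE_FLAG([-fstack-clash-protection],
    [AM_CFLAGS="$AM_CFLAGS -fstack-clash-protection"], [], [-Werror])
  AX_CHECK_COMPILE_FLAG([-fcf-protection],
    [AM_CFLAGS="$AM_CFLAGS -fcf-protection"], [], [-Werror])

  # Linker flags. These are probed with a real link step and kept in
  # AM_LDFLAGS, so they are only tested and used where the linker runs.
  AX_CHECK_LINK_FLAG([-Wl,-z,relro],
    [AM_LDFLAGS="$AM_LDFLAGS -Wl,-z,relro"])
  AX_CHECK_LINK_FLAG([-Wl,-z,now],
    [AM_LDFLAGS="$AM_LDFLAGS -Wl,-z,now"])
])

# Export to the generated Makefiles; automake applies AM_CFLAGS and
# AM_LDFLAGS to every target that does not override them.
AC_SUBST([AM_CFLAGS])
AC_SUBST([AM_LDFLAGS])

# Record the outcome in the configure output so a build log shows
# whether hardening was requested and which flags survived the probes.
AC_MSG_NOTICE([hardening requested: $enable_hardening])
AC_MSG_NOTICE([AM_CFLAGS:  $AM_CFLAGS])
AC_MSG_NOTICE([AM_LDFLAGS: $AM_LDFLAGS])
```

Running checksec on the built binary, as the message suggests for cobc, confirms which of the accepted flags actually took effect on a given platform.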
