How to Harden C/C++ Programs Through Defensive Compilation

Programming in C or C++ often yields better application performance, because neither language carries the (sometimes clunky) abstractions found in higher-level languages such as Java, Python or C#, and both give more direct access to OS resources, including memory. The caveat is that C and C++ lack the built-in protections, provided by those higher-level languages, that reduce or eliminate whole classes of security vulnerabilities: stack overflows, heap overflows, integer overflows and underflows, format string attacks, and so on.

Attackers take advantage of programming mistakes made by C/C++ developers to exploit the application and, in some cases, the underlying operating system. Secure C/C++ coding is the first line of defense; a second line is a set of compilation options that make it much harder to exploit C/C++ vulnerabilities reliably, even when the code is flawed.

The table below lists the corresponding compilation flags for the GCC and Clang compilers.

| Functionality | GCC commands | Clang commands |
| --- | --- | --- |
| Data execution prevention | LDFLAGS="-z noexecstack" | "-fsanitize=safe-stack" |
| Data relocation and protection (RELRO) | LDFLAGS="-z relro -z now" | "-Wl,-z,relro -Wl,-z,now" |
| Stack-based buffer overrun detection | CFLAGS="-fstack-protector-strong" if using GCC 4.9 or newer, otherwise CFLAGS="-fstack-protector" | "-fstack-protector" |
| Position independent execution (PIE) | CFLAGS="-fPIE -fPIC" LDFLAGS="-pie" (PIE for executables only) | "-fpie -pie" for binaries and "-fPIC" for shared libraries |
| Fortify source | CFLAGS="-O2 -D_FORTIFY_SOURCE=2" | "-D_FORTIFY_SOURCE=2" |
| Format string vulnerabilities | CFLAGS="-Wformat -Wformat-security" | "-Wformat -Wformat-security" |
| Control flow integrity (Clang only) | (none) | "-fsanitize=cfi" |

Wondering what those flags mean? This list should help:

  • Stack Protection or Stack Canaries are values placed in memory such that stack overflows will overwrite the values. These values are
  • DEP or Data Execution Prevention introduces an additional stack, separated from the unsafe stack, that stores return addresses and other
  • PIE or Position Independent Executable allows a program to use the ASLR (Address Space Layout Randomization) support of an operating system. It builds the executable so that an ASLR-enabled operating system can load the various memory segments of the executable or library at randomized locations, making it more difficult for an attacker to understand a system's memory layout.
  • RELRO or Data Relocation Prevention hardens the data sections of an ELF binary/process, which prevents some GOT (Global Offset Table) overwrite attacks. The GOT is a table of addresses which resides in the data section.
  • Fortify Source instructs the compiler to use buffer-length-aware replacements for dangerous functions like strcpy, memcpy, memset, etc.
  • Format String flags ensure that the compiler issues a warning on a potential format string attack, i.e. calling printf with an unsanitized, user-supplied string as the format argument.
  • Control flow integrity (Clang): an implementation of a number of control flow integrity (CFI) schemes, designed to abort the program upon detecting certain forms of undefined behavior that could otherwise allow an attacker to subvert the program's control flow. These schemes have been optimized for performance, allowing developers to enable them in release builds.
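The following script is an added example, not code from the original post. It collects the GCC flags from the table above into one hardened build invocation and adds the check a practitioner wants afterwards: a small function that reads `readelf -hlWd --dyn-syms <binary>` output and reports whether PIE, a non-executable stack, full RELRO, stack canaries and fortified calls are actually present in the produced binary. It assumes GCC 4.9 or newer (for -fstack-protector-strong; the table substitutes -fstack-protector for Clang) and a GNU toolchain; the two readelf samples embedded in the script are constructed and abbreviated so the checker can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): hardened GCC build flags from the
# table above, plus a checker for the resulting binary. Assumes GCC >= 4.9 and
# GNU binutils (readelf). The sample readelf output below is constructed.

HARDEN_CFLAGS="-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE -Wformat -Wformat-security"
HARDEN_LDFLAGS="-pie -Wl,-z,relro,-z,now -Wl,-z,noexecstack"

# build_hardened <source.c> <output>: compile and link with the flags above.
build_hardened() {
    ${CC:-cc} $HARDEN_CFLAGS "$1" -o "$2" $HARDEN_LDFLAGS
}

# has <regex>: true if the captured readelf text matches the extended regex.
has() { printf '%s\n' "$ELF_TEXT" | grep -Eq "$1"; }

# report <check> <verdict>: print one verdict line and count failures.
report() {
    printf '%-8s %s\n' "$1" "$2"
    case $2 in PASS*) ;; *) FAILS=$((FAILS + 1)) ;; esac
}

# check_hardening: read wide readelf output (-W keeps each header on one line)
# from stdin, print one verdict per protection, return the number of failures.
check_hardening() {
    ELF_TEXT=$(cat)
    FAILS=0
    # PIE: the ELF header type is DYN instead of EXEC.
    if has 'Type:[[:space:]]+DYN'; then report PIE PASS; else report PIE FAIL; fi
    # DEP/NX: a GNU_STACK segment exists and does not carry the E (execute) flag.
    if has 'GNU_STACK' && ! has 'GNU_STACK.*RWE'; then report NX PASS; else report NX FAIL; fi
    # RELRO: GNU_RELRO segment (-z relro) plus BIND_NOW / FLAGS_1 NOW (-z now) = full RELRO.
    if has 'GNU_RELRO' && has 'BIND_NOW|FLAGS_1.*NOW'; then report RELRO PASS
    elif has 'GNU_RELRO'; then report RELRO 'FAIL (partial: -z relro without -z now)'
    else report RELRO FAIL; fi
    # Stack canary: the binary imports __stack_chk_fail.
    if has '__stack_chk_fail'; then report CANARY PASS; else report CANARY FAIL; fi
    # Fortify: at least one *_chk replacement is imported (partial list; a program
    # that never calls a fortifiable function shows none even when built with it).
    if has '__(memcpy|memmove|memset|strcpy|strncpy|strcat|sprintf|snprintf|printf|fprintf|read|fgets)_chk'
    then report FORTIFY PASS; else report FORTIFY FAIL; fi
    return $FAILS
}

# Constructed, abbreviated readelf output for a binary built with the flags above.
sample_hardened_elf() {
    cat <<'EOF'
ELF Header:
  Type:                              DYN (Position-Independent Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
Dynamic section at offset 0x2dc8 contains 27 entries:
  Tag        Type                         Name/Value
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
EOF
}

# Constructed output for the same program built with no hardening at all.
sample_weak_elf() {
    cat <<'EOF'
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
Dynamic section at offset 0x2e20 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
EOF
}

echo '== constructed hardened binary =='
sample_hardened_elf | check_hardening || echo "$? check(s) failed"
echo '== constructed weak binary =='
sample_weak_elf | check_hardening || echo "$? check(s) failed"
```

On a real build, run `build_hardened prog.c prog` and then `readelf -hlWd --dyn-syms ./prog | check_hardening`; the function's exit status is the number of failed checks, so it drops straight into a CI step. The FORTIFY check deserves the caveat in the comment: it can only see the `__*_chk` symbols glibc substitutes at call sites whose buffer size is known at compile time, so a clean pass means fortification is active, while a fail on a program with no such calls is not by itself evidence that the flag was missing.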
