undefined | Better HN

0 pointsSeirdy4y ago0 comments

Yes, fvisibility=hidden is a great addition; combined with LTO and a Clang toolchain, you can also add fsanitize=cfi. The CFI sanitizer adds a 1% perf penalty for a significant exploit mitigation. It complements -fcf-protection=full nicely.

You can also add fsanitize=shadow-stack (ARM) or fsanitize=safe-stack (x86_64) for stronger protection than -fstack-protector-all. This will cause many programs to crash.

0 comments

DyslexicAtheist4y ago

much appreciated thanks!!

SeirdyOP4y ago

Also you should skip ssp-buffer-size since fstack-protector-strong (let alone fstack-protector-all) should protect stacks regardless.

j / k navigate · click thread line to collapse

0 pointsSeirdy4y ago0 comments

You can also add fsanitize=shadow-stack (ARM) or fsanitize=safe-stack (x86_64) for stronger protection than -fstack-protector-all. This will cause many programs to crash.

0 comments

DyslexicAtheist4y ago

much appreciated thanks!!

SeirdyOP4y ago

Also you should skip ssp-buffer-size since fstack-protector-strong (let alone fstack-protector-all) should protect stacks regardless.

j / k navigate · click thread line to collapse