Ryan Hill <[email protected]> wrote:
>
> * -fstack-protector{-all}
> No thank you. -fstack-protector has very limited coverage
I'd say it covers most cases where bugs can be made,
practically without a severe impact on execution time or code size.
In contrast, -fstack-protector-all should be left to hardened, since
its impact is unacceptable to e.g. multimedia systems - the
protection is probably over-the-top for normal users.
I'd vote for enabling -fstack-protector by default:
I have been using it for many years (though I do not use the hardened profile,
since -fstack-protector-all had too much of a performance impact for me).
> -fstack-protector-strong
One can later still change to this when >=gcc-4.9 is available in stable.
> * -Wl,-z,relro
> Enabled by default since binutils 2.18
This gives its real impact on security only when combined with
* -Wl,-z,now
The latter is not enabled by default AFAIK.
The latter can slightly decrease load times, but repeated starting is
usually even faster with it. Thus, performance impact is somewhat
balanced, but it increases security slightly (though it would need
a good expert to exploit the problems when it is not used).
I strongly suggest using -Wl,-z,now (and filtering it on some
packages which won't work with it, like xorg drivers).
I have also been using this flag for many years (filtering certain packages;
if desired, I can post a list).
I would like to suggest also another flag
* -Wl,-z,noexecstack
This should be the default, but e.g. some broken gcc versions
forgot this default when using -flto.
I have been using this flag since I realized this -flto bug and have never
had any problems with it.
> * -Wl,--hash-style={both,gnu}
I don't know what this has to do with security.
However, isn't it time to use "gnu" now for all users? Except for
very strange binary-only code it should not cause any problems.
The majority of users would not realize a difference but profit
from smaller binaries.
> * -Wl,--as-needed
The impact on security is at most rather implicit, if at all.
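The linker flags discussed in this message (-z relro, -z now, -z noexecstack and --hash-style) all leave visible marks in the ELF program headers and dynamic section, which is how one checks whether a given package actually got them. The following checker is an added example and is not code from this thread or from Gentoo; it parses ELF64 images directly with struct, and the build_elf() helper fabricates minimal, non-runnable test images (constructed here, with made-up offsets) so that a weak and a hardened layout can be compared offline. On a real binary the same facts are what `readelf -lW` (program headers) and `readelf -dW` (dynamic section) print.

```python
"""Check an ELF64 image for the hardening properties discussed above:
PT_GNU_STACK without PF_X (-z noexecstack), PT_GNU_RELRO (-z relro),
BIND_NOW in the dynamic section (-z now) and the symbol hash style."""
import struct

# Constants as defined in <elf.h>
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_HASH, DT_BIND_NOW, DT_FLAGS = 0, 4, 24, 30
DT_FLAGS_1, DT_GNU_HASH = 0x6FFFFFFB, 0x6FFFFEF5
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

ELF_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")                # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                       # Elf64_Dyn, 16 bytes


def check_hardening(elf: bytes) -> dict:
    """Return which of the linker-level hardening properties the image has."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # ELFCLASS64 only
        raise ValueError("not an ELF64 image")
    fields = ELF_HEADER.unpack_from(elf, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    # A missing PT_GNU_STACK is treated as an executable stack by the
    # loader, so nx_stack defaults to False (the -flto failure mode above).
    result = {"nx_stack": False, "relro": False, "bind_now": False, "hash": set()}
    dyn_off = dyn_size = None
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            elf, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(elf, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                result["bind_now"] = True
            elif tag == DT_HASH:
                result["hash"].add("sysv")
            elif tag == DT_GNU_HASH:
                result["hash"].add("gnu")
    # RELRO only protects the GOT fully once lazy binding is off as well.
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_elf(*, execstack: bool, relro: bool, now: bool, hash_style: str) -> bytes:
    """Constructed test image (assumption: hypothetical offsets, no code),
    just the headers a linker would emit for the given flag combination."""
    dyn = []
    if hash_style in ("sysv", "both"):
        dyn.append((DT_HASH, 0x1000))
    if hash_style in ("gnu", "both"):
        dyn.append((DT_GNU_HASH, 0x1100))
    if now:  # ld sets both DT_FLAGS and DT_FLAGS_1 for -z now
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)

    stack_flags = PF_R | PF_W | (PF_X if execstack else 0)
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0x2000, 0x2000, 0x2000, 0x1000, 0x1000, 1))
    phnum = len(phdrs) + 1  # plus PT_DYNAMIC below
    phoff = ELF_HEADER.size
    dyn_off = phoff + phnum * PHDR.size
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0x3000, 0x3000,
                  len(dyn_bytes), len(dyn_bytes), 8))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, v1
    ehdr = ELF_HEADER.pack(ident, 3, 62, 1, 0, phoff, 0, 0, ELF_HEADER.size,
                           PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn_bytes


if __name__ == "__main__":
    weak = build_elf(execstack=True, relro=False, now=False, hash_style="sysv")
    hardened = build_elf(execstack=False, relro=True, now=True, hash_style="gnu")
    print("weak    :", check_hardening(weak))
    print("hardened:", check_hardening(hardened))
```

To inspect a real package, call check_hardening(open(path, "rb").read()); the "partial RELRO" case (relro set, bind_now unset) is exactly the default-binutils situation the message describes, where -z relro is on but -z now is not.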