
Adding exploit mitigation CFLAGS and LDFLAGS

Open tobiasgyoerfi opened this issue 8 months ago • 3 comments

Adding various CFLAGS and LDFLAGS to Makefile.in to increase binary executable security. These flags enable mitigation techniques hardening the executable against memory corruption exploits.

For a full reference of available and recommended flags, see https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html.

tobiasgyoerfi, Apr 18 '25 13:04

Thanks, this is something that I have considered doing myself. I was concerned that these might have to be selected in autoconf depending on the used compiler.

Have you checked that the options are present in the slightly older compilers on the supported platforms (http://he.fi/aprsc/INSTALLING.html), and does it still compile with clang on mac?

hessu, Apr 20 '25 07:04

Seems like the struct stat usage in uplink.c broke portability on macos as well, I'll fix that. I occasionally develop on the mac so I'd like to keep it working.

hessu, Apr 20 '25 07:04

Hi, thanks for your message! I've checked the gcc and clang versions in the distributions supported by aprsc and discovered that some of the older versions are already end-of-life or will be end-of-life during the next months:

  • Debian buster is shipped with gcc 8.3.0, clang 7.0-47 (EOS 2024-06-30)
  • Debian bullseye is shipped with gcc 10.2.1, clang 11.0-51
  • Debian bookworm is shipped with gcc 12.2.0, clang 14.0-55.7
  • Ubuntu 20.04 is shipped with gcc 9, clang 10.0 (EOS 2025-05-29)
  • Ubuntu 22.04 is shipped with gcc 11, clang 14
  • Fedora 39 (EOL 2024-11-26)
  • Fedora 40 (EOL 2025-05-28)
  • Fedora 41 is shipped with gcc 14, clang 18

If we want to support actively maintained distribution versions only, the minimum compiler versions required are gcc 10 and clang 11.

As far as I've checked, the following options cause problems with these (and lower) versions:

  • -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 // requires gcc >= 12, clang >= 9
  • -fstrict-flex-arrays=3 // requires gcc >= 13, clang >= 16
  • -fstack-clash-protection // requires gcc >= 8, clang >= 11
  • -fcf-protection=full // only x86_64
  • -ftrivial-auto-var-init=zero // requires gcc >= 12, clang >= 8

Some of the proposed compiler options enable additional run-time checks, others increase static analysis techniques. Especially for the second category, it would make sense to implement them gradually while fixing the new errors and warnings on the way.

tobiasgyoerfi, Apr 20 '25 18:04
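The two concerns raised in the thread, that the flags may have to be selected per compiler (hessu's first comment) and that several of them need a newer gcc or clang than the supported distributions ship (the version list above), are usually handled by probing the compiler at configure time rather than by hard-coding version numbers. The script below is an added example, not code from aprsc's Makefile.in or configure.ac: it compiles and links a trivial program with each candidate flag under -Werror and keeps only the flags the toolchain accepts. The function names, the probe program and the split into compile-time and link-time lists are assumptions of this example; the candidate flags are the ones named in the issue plus a few common ones from the linked OpenSSF guide (stack protector, PIE, RELRO/BIND_NOW, noexecstack).

```shell
#!/bin/sh
# Added example (not aprsc's own build code): probe whether $CC accepts each
# candidate hardening flag before adding it, so a flag missing from an older
# gcc/clang (or unknown to the macOS linker) is dropped instead of breaking
# the build. Set CC=clang or CC=gcc-10 to probe a specific compiler.

CC="${CC:-cc}"

# cc_supports_flag CC "FLAGS": compile and link a trivial program with FLAGS
# plus -Werror and -O2. Returns 0 if the compiler accepts them, 1 otherwise.
#   -Werror: clang only warns on unknown -W options, so the warning must be
#            promoted to an error to count as a rejection; gcc rejects unknown
#            -f options outright either way.
#   -O2:     glibc's <features.h> emits a #warning when _FORTIFY_SOURCE is set
#            without optimisation, which -Werror would turn into a false reject.
# Caveat: this only tests that the flag is accepted. -D_FORTIFY_SOURCE=3 is a
# plain macro, so it always "passes"; on a glibc/gcc too old for level 3 the
# headers silently fall back to level 2, which is harmless.
cc_supports_flag() {
    _cc=$1
    _flag=$2
    _dir=$(mktemp -d) || return 1
    printf '#include <string.h>\nint main(void) { return 0; }\n' > "$_dir/t.c"
    # $_flag is intentionally unquoted so a grouped entry such as
    # "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3" is passed as separate arguments.
    if "$_cc" -Werror -O2 $_flag "$_dir/t.c" -o "$_dir/t" >/dev/null 2>&1; then
        rm -rf "$_dir"
        return 0
    fi
    rm -rf "$_dir"
    return 1
}

# accepted_flags CC FLAG...: print the subset of FLAG... that CC accepts,
# one per line, in the order given. Each argument may be a grouped entry.
accepted_flags() {
    _acc_cc=$1
    shift
    for _f in "$@"; do
        if cc_supports_flag "$_acc_cc" "$_f"; then
            printf '%s\n' "$_f"
        fi
    done
}

# Candidate flags from the issue and the OpenSSF hardening guide it links.
# -fcf-protection=full is rejected by gcc on non-x86 targets, and
# -fstrict-flex-arrays / -ftrivial-auto-var-init / -fstack-clash-protection
# by compilers older than those listed in the issue, so each is probed.
if command -v "$CC" >/dev/null 2>&1; then
    HARDEN_CFLAGS=$(accepted_flags "$CC" \
        "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3" \
        "-fstack-protector-strong" \
        "-fstack-clash-protection" \
        "-fcf-protection=full" \
        "-ftrivial-auto-var-init=zero" \
        "-fstrict-flex-arrays=3" \
        "-fPIE" | tr '\n' ' ')
    HARDEN_LDFLAGS=$(accepted_flags "$CC" \
        "-Wl,-z,relro -Wl,-z,now" \
        "-Wl,-z,noexecstack" \
        "-pie" | tr '\n' ' ')
    echo "HARDEN_CFLAGS  = $HARDEN_CFLAGS"
    echo "HARDEN_LDFLAGS = $HARDEN_LDFLAGS"
else
    echo "compiler '$CC' not found; nothing probed" >&2
fi
```

Running it with `CC=gcc` and `CC=clang` on each supported platform shows directly which flags each toolchain drops, which is the information needed to decide whether a flag goes into Makefile.in unconditionally or behind a configure check. In an autoconf build the same probe is available ready-made as AX_CHECK_COMPILE_FLAG, AX_APPEND_COMPILE_FLAGS and AX_APPEND_LINK_FLAGS from the Autoconf Archive. Because acceptance is not the same as effect, it is still worth confirming the result on the built binary: `readelf -d aprsc` should list BIND_NOW and a GNU_RELRO segment when the RELRO/now flags took, and `nm aprsc | grep __stack_chk_fail` should find the stack protector's failure handler.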