Ticket #1128 (closed task: fixed)
switching from "-fstack-protector" to "-fstack-protector-strong" in Fedora 20
Reported by: halfie
Owned by:
The new compiler flag "-fstack-protector-strong" in Fedora 19's gcc achieves a better balance between security and performance (when compared against the default -fstack-protector and available -fstack-protector-all options).
I am proposing to switch from using the "-fstack-protector" flag to "-fstack-protector-strong" in Fedora 20. The switch involves changing a single line in /usr/lib/rpm/redhat/macros file.
- In preliminary benchmarking, using "-fstack-protector-strong" did not result in any performance regressions.
- Benefit over "-fstack-protector-all" => gains a lot of performance while sacrificing little security.
- Benefit over the current default "-fstack-protector" => "-fstack-protector" is regarded as "not secure enough" (it only "protects" < 2% of functions in the Chromium project). "-fstack-protector-strong" hits the balance between the over-simplified "-fstack-protector" and the over-killing "-fstack-protector-all".
- The Google Chromium project has been using this compiler option for over a year now with "no security degradation".
- FWIW, "-fstack-protector-strong" evaluation and possible inclusion is on Ubuntu's road-map as well.
(I have paraphrased and summarized multiple postings by Han Shen, the developer of the "-fstack-protector-strong" patch.)
- The design and implementation of "-fstack-protector-strong" can be found at,
The stack-protector option is over-simplified: it ignores pointer casts and address computation, while stack-protector-all is over-killing: using this option results in too much performance overhead.
"-fstack-protector-strong" tries to hit the balance between an over-simplified version and an over-killing protection schema.
- "-fstack-protector-strong" chooses more functions to be protected than "stack-protector"; it is a superset of "stack-protector". For functions not chosen by "stack-protector", "stack-protector-strong" will apply protection if any of the following conditions is met:
- if the address of any of its local variables is taken as part of the RHS of an assignment,
- or if the address of any of its local variables is taken as part of a function argument,
- or if it has an array, regardless of array type or length,
- or if it has a struct/union which contains an array, regardless of array type or length,
- or if the function has register local variables.
I am currently working on running more benchmarks.
- Cc jakub added
- Keywords security,hardening,packaging,meeting added; security,hardening,packaging removed