Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify compiler options hardening limitations when linking to pre-built artifacts #706

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

thomasnyman
Copy link
Contributor

Clarify compiler options hardening limitations when linking to pre-built artifacts

Fixes #705

@jduck
Copy link

jduck commented Dec 13, 2024

Looks good to me! Thanks!!

@@ -116,6 +116,8 @@ Applications should work towards compiling warning-free. This takes time, but wa

Compiler options hardening is not a silver bullet; it is not sufficient to rely solely on security features and functions to achieve secure software. Security is an emergent property of the entire system that relies on building and integrating all parts properly. However, if properly used, secure compiler options will complement existing processes, such as static and dynamic analysis, secure coding practices, negative test suites, profiling tools, and most importantly: security hygiene as a part of a solid design and architecture.

Hardened compiler options only take effect in code that is compiled with the hardened options. Consequently, compiler options hardening does not benefit software that has been pre-built before hardened options have been adopted. This is particularly a concern for projects that incorporate pre-built (possibly third-party) libraries or other components. In such cases, it is important to understand what components a project is being linked against, and how they in turn are built, to determine which components benefit from compiler options hardening.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While code generation obviously only takes place during compilation, some compiler option flags are passed on to the linker and thus can have an impact after compilation. See in particular the -Wl options. So this needs a small weakening:

s/Hardened compiler options only take effect/In most cases hardened compiler options only take effect/

s/Consequently, compiler options hardening does not benefit software/Consequently, most compiler options hardening does not benefit software/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 844372a.

@thomasnyman thomasnyman force-pushed the clarify-limitations-with-pre-built-artifacts branch from 02cbaba to 844372a Compare January 9, 2025 13:06
@thomasnyman thomasnyman self-assigned this Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Clarification needed for projects linking against prebuilt static libraries
3 participants