fstack-protector-strong anyone using it ? adding to Gentoo ?

[kernelOfTruth]

Hi,


since I stumbled over -fstack-protector-strong a few days ago at lkml

and just read some more on it (http://www.simonroses.com/2013/04/appsec-improve-your-software-security-with-gcc-stack-protector-strong/)

anyone has added it to your gcc / toolchain ?


if one of the toolchain-/security-related devs (zorry, ...) are reading this:

any plans to add this in the near future to the hardened or even default toolchain ?


Thanks for reading
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004

[mv]

There was already a discussion on dev-ml when it was decided that -fstack-protector is added: Plans of gcc upstream are to include -fstack-protector-strong into gcc-4.9. Since the corresponding -fnostack-protector-strong makes no sense before gcc-4.9, I doubt that gentoo will discuss about putting it into default before gcc-4.9 is stabilized (in gentoo!). Since hardened includes even -fstack-protector-all by default, I doubt that they will relax this policy.

[kernelOfTruth]

oh, good to know

thanks mv


perhaps fstack-protector-strong could be used as an replacement for fstack-protector-all when things fail to compile or work at runtime

or for those who want more protection but don't like the slowdown & overhead of fstack-protector-all
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004

[zorry]

fstack-protector-strong will most be enable by default on gcc 4.9 in gentoo and hardened will have -all as default.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)

[kernelOfTruth]