大佬教程收集整理的这篇文章主要介绍了g++/gcc的常用安全编译选项,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
系统级的配置,不属于gcc编译器的范畴。
栈保护在编译阶段进行,所以下面的参数是传给编译器的。
直接上英文, 更容易明白。
-fstack-protector:
Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than or equal to 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits. Only variables that are actually allocated on the stack are considered, optimized away variables or variables allocated in registers don’t count.
-fstack-protector-all:
Like ‘-fstack-protector’ except that all functions are protected.
-fstack-protector-strong:
Like ‘-fstack-protector’ but includes additional functions to be protected — those that have local array definitions, or have references to local frame addresses. Only variables that are actually allocated on the stack are considered, optimized away variables or variables allocated in registers don’t count.
-fstack-protector-explicit:
Like ‘-fstack-protector’ but only protects those functions which have the stack_protect attribute.
说明:@H_618_46@
该保护作用于链接阶段,所以需要把参数传递给链接器。 使用-Wl,<optional>的格式传递给链接器。
使用格式为:-Wl, -z noexecstack 选项。可用于动态库、ELF格式的可执行文件。
作用原理@H_618_46@:首先,缓冲区溢出成功后都是通过执行sHellcode来达到攻击目的的, 而sHellcode基本都是放到缓冲区中,只要操作系统限制了堆栈内存区域不可执行状态就可以,一旦被攻击就报错并返回。
该保护作用于链接阶段, 同样把参数传递给链接器。
使用格式:
-Wl, -z relro: Create RELRO program header, RELRO表示 reLOCATIOn read only, 重定位段为只读。 GOT表就是用于重定位的。-Wl, -z now: Mark object non-lazy runtime binding作用原理@H_618_46@:动态链的ELF二进制程序使用称为全局偏移表(GOT)的的查找表去动态解析位于共享库的函数。攻击者通过缓冲区溢出修改GOT表项的函数地址来达到攻击目的。通过增加RELRO选项可以防止GOT表被恶意重写。 另外,GOT表的保护会影响到程序的加载速度。
作用阶段为编译器,参数格式为:-fPIC 或者 -fpic.
-fpic: Generate position-independent code (PIC) suitable for use in a shared library,
if supported for the target machine. Such code accesses all constant addresses
through a global offset table (GOT). The dynamic loader resolves the GOT
entries when the program starts (the dynamic loader is not part of GCc; it
is part of the operaTing system). If the GOT size for the linked executable
exceeds a machine-specific maximum size, you get an error message from the
linker inDicaTing that ‘-fpic’ does not work; in that case, recompile with ‘-fPIC’
instead. (these maximums are 8k on the SPARC, 28k on AArch64 and 32k on
the m68k and RS/6000. The x86 has no such limit.)
Position-independent code requires special support, and therefore works only on
certain machines. For the x86, GCC supports PIC for System V but not for the
Sun 386i. Code generated for the IBM RS/6000 is always position-independent.
When this flag is set, the macros pic@H_618_46@ and PIC@H_618_46@ are defined to 1.
-fPIC: If supported for the target machine, emit position-independent code, suitable
for dynamic linking and avoiding any limit on the size of the global offset table.
This option makes a difference on AArch64, m68k, PowerPC and SPARC.
Position-independent code requires special support, and therefore works only
on certain machines
作用于编译器, 参数格式为:-fPIE 或者 -fPIC, 与fPIC非常类似。
these options are SIMILAR TO ‘-fpic’ and ‘-fPIC’, but the generated positionindependent code can be only linked into executables. Usually these options are used to compile code that will be linked using the ‘-pie’ GCC option.
说明@H_618_46@: PIE是GCC与操作系统的产物,提供了地址无关的功能。 ASLR@H_618_46@是基础,只有操作系统开启了ASLR功能时,-fpie选项添加的随机化特征才会在程序加载和运行时展现。
stack-check选项作用于编译器。它会在每个栈空间最低层部分设置一个安全缓冲区,如果函数中申请的栈空间进入了该区域,就会触发异常。对应的英文资料如下:
Generate code to verify that you do not go beyond the boundary of the stack. You should specify this flag if you are running in an environment with multiple threads, but you only rarely need to specify it in a single-threaded environment since stack overflow is automatically detected on nearly all systems if there is only one stack. Note that this switch does not actually cause checking to be done; the operaTing system or the language runtime must do that. The switch causes generation of code to ensure that they see the stack being extended.
编译选项,使用了它之后,在执行有符号整数间的加减乘运算时,不是通过CPU的指令,而是用包含了GCC附属库的libgcc.c里面的函数来实现。对性能影响比较大。
以上是大佬教程为你收集整理的g++/gcc的常用安全编译选项全部内容,希望文章能够帮你解决g++/gcc的常用安全编译选项所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。