[Owasp-leaders] C Based Toolchain Hardening Cheat Sheet
tim.morgan at owasp.org
Sun Mar 10 17:39:10 UTC 2013
This is great. We definitely need a good reference for this stuff.
One thing I've noticed about this and other resources that discuss
these flags is that they don't offer a way to test to make sure the
desired options are actually taking effect. I've found that with GCC,
if you don't use the flags in the right combinations and at the right
time in the build process, it can fail to apply options you thought
you had specified. And worse: it can fail silently in this respect.
I have found this tool to be helpful in verifying several of these
build options in compiled libraries and executables:
I recommend adding a link to it and any other tools that can help in
this area for other platforms.
A second observation: Often when developers come to figure out what
they need to do to harden their binaries, they just want a bulleted
list of flags they need to add and where. That is, a true cheat
sheet. The current prose descriptions of options are definitely useful
in explaining what each of these things does, and I wouldn't change
the format. However, I suggest adding in a separate section a summary
of options organized by compiler/platform that can achieve all of the
suggested hardening steps so developers can quickly zero in on the
actionable steps needed for their software.
Thanks to Jeffrey and other contributors for getting this started.
Keep up the good work.
On Sun, Mar 10, 2013 at 10:10:27AM -0700, Jim Manico wrote:
> Here is a unique and interesting cheat sheet that was just added to the
> series. This cheat sheet was authored by Jeffrey Walton.
> *C-Based Toolchain Hardening Cheat Sheet* is a brief treatment of
> project settings that will help you deliver reliable and secure code
> when using C, C++ and Objective C languages in a number of development
> environments. It will guide you through the steps you should take to
> create executables with firmer defensive postures and increased
> integration with the available platform security. Effectively
> configuring the toolchain also means your project will enjoy a number of
> benefits during development, including enhanced warnings and static
> analysis, and self-debugging code.
> I hope you enjoy!
> Jim Manico
> OWASP Volunteer
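Tim's first point, that the flags a build claims to apply should be verified on the resulting binary rather than trusted, can be checked directly from the ELF headers without any external tool. The script below is an added example written for this thread, not the tool Tim refers to and not part of the cheat sheet; it inspects a little-endian ELF64 image for four of the hardening properties the cheat sheet discusses (PIE via `e_type`, a non-executable stack via `PT_GNU_STACK`, partial or full RELRO via `PT_GNU_RELRO` plus the `BIND_NOW` dynamic flags, and a stack-protector heuristic based on the `__stack_chk_fail` import). The `build_sample_elf` helper and its output are constructed test fixtures (header-only images that are not runnable programs), included so the checks can be exercised offline; the function and variable names are this example's own.

```python
import struct
import sys

# ELF constants used by the checks (values as defined in the System V ABI / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8   # in DT_FLAGS
DF_1_NOW = 0x1      # in DT_FLAGS_1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn


def check_hardening(data: bytes) -> dict:
    """Report PIE / NX / RELRO / canary status of a little-endian ELF64 image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled by this example")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data, 0)

    # Index program headers by type; fields are (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    by_type = {}
    for i in range(e_phnum):
        ph = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        by_type.setdefault(ph[0], ph)

    # NX: the stack is non-executable only if PT_GNU_STACK exists and lacks PF_X.
    # A missing PT_GNU_STACK is treated as not hardened (loaders may then allow an executable stack).
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack[1] & PF_X)

    # Full RELRO additionally needs immediate binding, signalled by any of three dynamic tags.
    bind_now = False
    dyn = by_type.get(PT_DYNAMIC)
    if dyn is not None:
        off, size = dyn[2], dyn[5]
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    relro = "none"
    if PT_GNU_RELRO in by_type:
        relro = "full" if bind_now else "partial"

    return {
        # Caveat: shared libraries are also ET_DYN, so "pie" is only meaningful for executables.
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": relro,
        # Heuristic (same idea as checksec-style scripts): a protected binary imports __stack_chk_fail.
        "canary": b"__stack_chk_fail\x00" in data,
    }


def build_sample_elf(pie: bool, nx: bool, relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Constructed header-only ELF64 image (not a runnable program) for exercising check_hardening."""
    dyn_entries = [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    dyn_entries.append((DT_NULL, 0))
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in dyn_entries)
    nph = 3 if relro else 2
    dyn_off = EHDR.size + nph * PHDR.size
    phdrs = [
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8),
        PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, nph, 0, 0, 0)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return ehdr + b"".join(phdrs) + dyn_blob + tail


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary ; without a path, inspect the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_hardening(f.read()))
    else:
        print("hardened sample:", check_hardening(build_sample_elf(True, True, True, True, True)))
        print("unhardened sample:", check_hardening(build_sample_elf(False, False, False, False, False)))
```

Running the script against a real build output (e.g. after compiling with `-fPIE -pie`, `-fstack-protector-strong` and `-Wl,-z,relro,-z,now`) shows whether those flags actually reached the linker, which is the silent-failure case Tim describes; the constructed samples only demonstrate that each check discriminates the property it claims to.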