Enable MinGW Windows hardening compiler flags
Open, Low, Public

Description

I think we should enable some hardening flags when compiling with MinGW.

  1. -Wl,--dynamicbase (linker flag) to enable ASLR (address space layout randomization), which should have been the default (MSVC enables this). This depends on the relocation table, so we have to make sure it is there too and is not stripped. Also enable -Wl,--high-entropy-va. Not sure if we have to specify base addresses above 4GB for more security? (Implemented)
  2. -Wl,--nxcompat (linker flag too) to enable DEP (data execution prevention), which should have been the default too (MSVC enables this too). (Implemented)
  3. Enable stack smashing protector (ssp): This can protect against buffer overflows by checking the return address at the end of a function. This implies a performance penalty, but does give a bit of security. Use the flags -fstack-protector-all, or -fstack-protector-strong for a balance between performance and security; we can set --param ssp-buffer-size=<something> to set the minimum buffer size to protect. (MSVC seems to have its version enabled by default)

Enabling these shouldn't really cause any problems, but still it should be tested.
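One way to test points 1 and 2 on the built binaries is to read the PE headers directly. This is an added example, not code from the task or the project: the function names are hypothetical, the sample header is constructed for illustration, and treating ASLR as effective only when the image is not marked relocs-stripped and has a non-empty relocation directory is a deliberately conservative assumption.

```python
import struct

RELOCS_STRIPPED = 0x0001  # COFF Characteristics: IMAGE_FILE_RELOCS_STRIPPED
HIGH_ENTROPY_VA = 0x0020  # DllCharacteristics bit set by --high-entropy-va
DYNAMIC_BASE = 0x0040     # DllCharacteristics bit set by --dynamicbase
NX_COMPAT = 0x0100        # DllCharacteristics bit set by --nxcompat

def pe_hardening(data: bytes) -> dict:
    """Report the ASLR/DEP header state of a PE image given as raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    # Data directories start at 96 (PE32) or 112 (PE32+); entry 5 is base relocs.
    dirs = opt + (112 if magic == 0x20B else 96)
    (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    reloc_size = struct.unpack_from("<II", data, dirs + 5 * 8)[1] if num_dirs > 5 else 0
    # Conservative: require a non-stripped image AND a non-empty relocation table.
    has_relocs = not (file_chars & RELOCS_STRIPPED) and reloc_size > 0
    return {
        "pe32_plus": magic == 0x20B,
        "dynamicbase": bool(dll_chars & DYNAMIC_BASE),
        "nxcompat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "has_relocs": has_relocs,
        "aslr_effective": bool(dll_chars & DYNAMIC_BASE) and has_relocs,
    }

def build_sample_header(dll_chars: int, file_chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE32+ header for the checks (not a loadable image)."""
    buf = bytearray(0x40 + 4 + 20 + 240)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44 + 18, file_chars)  # COFF Characteristics
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, 0x20B)             # PE32+ magic
    struct.pack_into("<H", buf, opt + 70, dll_chars)    # DllCharacteristics
    struct.pack_into("<I", buf, opt + 108, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 112 + 40, 0x5000, reloc_size)
    return bytes(buf)
```

For a real build output, pass the file contents, e.g. `pe_hardening(open(path, "rb").read())`, and fail the build when `aslr_effective` or `nxcompat` is false.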

alvinhochun triaged this task as Normal priority. Oct 30 2016, 4:07 PM

I'm holding off changing the 3rdparty deps for now. I think I'll wait till the next time the 3rdparty libs are updated; that should be the perfect time to add these flags.

I'm also holding off enabling the stack smashing protector (point 3) since it would most likely cause some performance degradation.

alvinhochun lowered the priority of this task from Normal to Low. Oct 30 2016, 4:30 PM
alvinhochun claimed this task.