harden the build

[andlabs]

see telegramdesktop/tdesktop#1112

TODO other sanitizers?

[jvoisin]

There is a small list of things to consider here.

[andlabs]

Thanks; I'll keep this in mind too.

[andlabs]

also use the clang static analyzer

[andlabs]

-fsanitize=memory

[asarubbo]

Hello.
While is fine add hardening flags, to prevent overflow to be exploited, if you talk about asan, just consider this: http://www.openwall.com/lists/oss-security/2016/02/17/9

[andlabs]

Yes, I'm aware I'm using "hardening" as a generic term here. With the cmake scripts I have set up I can make it so that asan and what not are only included in the debugging builds if I do switch them on (and I really should); thanks for the note!

[andlabs]

golang/go#23937 (comment)

[andlabs]

http://clang.llvm.org/docs/ControlFlowIntegrity.html

[DemiMarie]

If using clang, we can use -fsanitize=undefined -fsanitize-trap-on-error in production. That is not only safe, but also a significant security improvement.

[andlabs]

Interesting. Do you have any more information (such as links) about those options?