Linux binaries are built without some common security hardening options enabled. In particular, there is no stack protection and no checking of unsafe glibc function usage (fortify source).
This can be checked with the `hardening-check` tool from Debian, which can be installed with `apt install devscripts`.
```console
# curl -SLO https://github.com/astral-sh/python-build-standalone/releases/download/20251028/cpython-3.13.9+20251028-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz
# tar xf cpython-3.13.9+20251028-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz
# ./python/bin/python3 --version
Python 3.13.9
# hardening-check ./python/bin/python3
./python/bin/python3:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
```
Compare this to the python3 shipped with Debian trixie:
```console
# /usr/bin/python3 --version
Python 3.13.5
# hardening-check /usr/bin/python3
/usr/bin/python3:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
```
OpenSSF recently published a Compiler Options Hardening Guide for C and C++ which discusses these mechanisms.
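As an added example (not part of this issue or of python-build-standalone), the script below turns the `hardening-check` output shown above into a release gate: it parses each property line into a verdict, compares it against a required set of mitigations, and exits non-zero when one is missing. The embedded sample output is the issue's own run; the `REQUIRED` policy set, the function names and the treatment of `unknown` verdicts are assumptions made for this example.

```python
"""Gate a Linux build artifact on Debian hardening-check results.

Added example, not the project's own tooling. It parses the text that
`hardening-check` prints (one "Property: verdict, detail" line per
mitigation, preceded by the binary path) and reports which of a required
set of mitigations the binary lacks.
"""
import re
import subprocess
import sys

# Sample output copied from the python-build-standalone run in the issue.
SAMPLE_OUTPUT = """\
./python/bin/python3:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!
"""

# Assumed policy for this example: mitigations a shipped Linux binary must have.
REQUIRED = {
    "Position Independent Executable",
    "Stack protected",
    "Fortify Source functions",
    "Read-only relocations",
    "Immediate binding",
}

# "Name: yes|no|unknown[, detail]" -- the path header line has no verdict
# after its colon and therefore does not match.
LINE_RE = re.compile(
    r"^\s*(?P<name>[^:]+):\s*(?P<verdict>yes|no|unknown)\b(?P<detail>.*)$"
)


def parse_hardening_check(text):
    """Return {property_name: (verdict, detail)} from hardening-check output.

    'unknown' is preserved rather than coerced so the caller can choose
    whether an undetermined mitigation should fail the gate.
    """
    results = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # binary path header or blank line
        detail = match.group("detail").strip().lstrip(",").strip()
        results[match.group("name").strip()] = (match.group("verdict"), detail)
    return results


def missing_hardening(results, required=REQUIRED, unknown_is_failure=False):
    """List the required properties that are not reported as 'yes', sorted."""
    missing = []
    for name in sorted(required):
        verdict, _detail = results.get(name, ("absent", ""))
        if verdict == "yes":
            continue
        if verdict == "unknown" and not unknown_is_failure:
            continue  # hardening-check could not determine it; tolerated by default
        missing.append(name)
    return missing


def check_binary(path):
    """Run hardening-check (from Debian's devscripts) on `path` and return the gaps."""
    proc = subprocess.run(
        ["hardening-check", path], capture_output=True, text=True, check=False
    )
    return missing_hardening(parse_hardening_check(proc.stdout))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        gaps = check_binary(sys.argv[1])
    else:
        gaps = missing_hardening(parse_hardening_check(SAMPLE_OUTPUT))
    for name in gaps:
        print(f"MISSING: {name}")
    sys.exit(1 if gaps else 0)
```

Run with a path (`python3 gate.py ./python/bin/python3`) in CI to fail the job when a required mitigation is absent; with no argument it evaluates the sample from the issue, where stack protection, fortify source and immediate binding are reported missing while PIE and RELRO pass. Stack clash protection is left out of the required set because `hardening-check` can only report it as `unknown`.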