New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feedback before initial release of Compiler Options Hardening Guide for C and C++ #250
Comments
Hi, This guide is quite comprehensive! My only current suggestion is that as a developer, I would really appreciate more info about this:
It would be helpful if for each option (or only the relevant options), a statement was made as to what the performance or other drawbacks are and any relevant workarounds. |
Thank you for the feedback @tcullum-rh. They way in which we have tried to accommodate this in the current version of the guide are the Performance implications and When not to use? sections in the detailed descriptions for each option (excluding the Warning options, as they do not impact the produced binary directly). For example, for -fstack-protector-strong:
In general, the performance impact is surely the most frequently asked question when considering the deployment of these types of compiler options. Sadly, it is very difficult to estimate the impact in general, as it is dependent on the interaction with specific characteristics of the source code. Therefore, we've opted to try and characterize where the overhead comes from to try to help developers with how to measure the overhead in meaningful benchmarks in their project. We are of course open to other suggestions of what kind of information would be useful for practitioners. |
@tcullum-rh : We agree in principle that important issues/caveats with an option should be mentioned with the option. In several cases where the issues are clear we have tried to do this. Sadly, often the answer is the lawyer's answer: "It depends". Whether or not there's a nontrivial performance impact often depends on many other factors, in particular, optimizations can sometimes (but not always) reduce or eliminate performance costs. If there's an important case where there's a clear issue and we haven't discussed it, please propose adding it! In general, the only way to answer the question is to run benchmarks. Everything else is only a quick estimate of the likely result. |
I received the following feedback from Daniel Stenbert, author of curl:
Note: We could try to tighten up some prose. We could also split the "summary" page from a "details" page. I don't know that we need to do that on this initial release but it's something worth discussing!
I agree that we don't normally want warnings from system headers. However, in gcc I hate to clutter up the options with default values. Maybe we should mention this as "we assume that warnings from system headers are suppressed, as is the default"? We could also mention that they might want to suppress warnings from third party include files as system headers, but that gets really specific - I'm not sure we can say in general how to do that (suggestions welcome).
I think this comment suggests we're on the right track (at least). Everyone agrees that compiler option flags won't magically make software totally secure. However, if these flags are already in use by widely-used projects like curl, that suggests we haven't gone off the deep end into impossible requests. We might want to emphasize that in practice projects end up with a specific set of flags (as much as you can do but no more). |
I created a PR #259 to briefly discuss system headers. |
Thank you for this! Could you consider adding And x86_64 should have Is |
For developers, could we recommend https://people.kernel.org/kees/bounded-flexible-arrays-in-c Distros need to test these flags and report breaks upstream before they can be a widely used. |
Please also add |
@kees: Thanks so much for your feedback! I think adding |
eslerm commented 24 minutes ago
FYI, we have a separate issue specifically discussing I'm supportive for adding I don't think people have seriously considered adding |
Thanks David. Ack on production use. Clang now supports level 3, but only on rather recent versions. There is a similar ongoing discussion with GCC: RFC: Introduce -fhardened to enable security-related flags. |
Clang supports |
This article has lots of ideas, I'm not sure we can do them all before an initial release: https://developers.redhat.com/articles/2022/06/02/use-compiler-flags-stack-protection-gcc-and-clang |
Per eslerm comment (#250 (comment)) I created a PR proposing to add branch protections here: #260 |
eslerm commented 4 days ago asked:
Interesting question. First, some context. I believe that The problem with these options is that many application developers do NOT recompile their own compiler. They instead use a compiler provided to them (e.g., the system compiler or one distributed for their chipset). So while these options are valid if you're recompiling the compiler (e.g., a Linux distro), I think we cannot remove We could add a note that "if you recompile the compiler itself, it's best to modify its configuration itself so its defaults are maximally secure for any software compiled using it. For example..." or something along those lines. |
I've created a PR to note that if you are compiling a compiler, make its defaults as safe/secure as you can. For many readers this isn't helpful (many developers do not compile their own compilers), but this is a useful note for Linux distributions and some others who do compile their own compilers: #261 |
I've added this PR to add |
I propose that before the initial release we merge the PRs in response to this issue. That is, at least accept #259, #260, #261, #262, #263. If there are other PRs that are (mainly) ready to go, let's get them in. I'd like our first draft to have at least the main agreed-on results that I believe are captured here. |
@gkunz @thomasnyman and others - I'd love to hear your thoughts on #259, #260, #261, #262, #263 . If you think they makes sense, please merge (or say it's okay to merge). We might want to implement #267 but I expect we'll create merge conflicts as long as we have a number of changes outstanding. Merge conflicts aren't the end of the world, but I'd rather not need to deal with them unnecessarily :-). |
I like the idea of this but this may deserve an "emerging features" section or similar (things we want to work towards). It's not suitable for global use right now, but it'd be great if anyone wants to take up work to get us there. Listing it as a goal would let us list it without giving people the wrong idea. |
We'll close this out as 1.0 is out now! |
Opening this issue for collecting feedback on the proposed Compiler Options Hardening Guide for C and C++ before its initial release.
Tagged release candidate for the guide can be found here.
The text was updated successfully, but these errors were encountered: