March 03, 2006

GCC 4.1 takes security into account

The changes.

There are a lot of cool things going on.
The infrastructure of GCC 4 seems to have been overhauled to accommodate more aggressive optimizations.

Besides optimization improvements, there are other significant security improvements:

GCC can now emit code for protecting applications from stack-smashing attacks. The protection is realized by buffer overflow detection and reordering of stack variables to avoid pointer corruption.

Some built-in functions have been fortified to protect them against various buffer overflow (and format string) vulnerabilities. Compared to the mudflap bounds checking feature, the safe builtins have far smaller overhead. This means that programs built using safe builtins should not experience any measurable slowdown.
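An added example, not from the original post or from GCC's sources: a sketch of the size check behind the fortified builtins, built on the compiler's `__builtin_object_size`. The names `copy_checked`, `COPY` and `demo` are hypothetical, and unlike the real checked functions, which abort the process, this helper returns -1 so the outcome can be inspected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: makes the same decision as a fortified memcpy,
 * but returns -1 on overflow instead of aborting the process. */
static int copy_checked(void *dst, size_t dst_size, const void *src, size_t n)
{
    /* (size_t)-1 means the compiler could not determine the size of the
     * destination object, so no check is possible and the copy proceeds. */
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* The compiler supplies the destination size at each call site. */
#define COPY(dst, src, n) \
    copy_checked((dst), __builtin_object_size((dst), 0), (src), (n))

/* Copy n bytes of constructed input into an 8-byte stack buffer. */
int demo(size_t n)
{
    char buf[8];
    static const char input[16] = "AAAAAAAAAAAAAAA"; /* constructed sample */

    /* If this compiler reports no size for buf, use sizeof so the demo
     * never performs an unchecked oversized copy. */
    if (__builtin_object_size(buf, 0) == (size_t)-1)
        return copy_checked(buf, sizeof buf, input, n);
    return COPY(buf, input, n);
}

int main(void)
{
    printf("8 bytes into char[8]:  %d\n", demo(8));   /* 0: fits */
    printf("16 bytes into char[8]: %d\n", demo(16));  /* -1: refused */
    return 0;
}
```

The check costs one comparison per call, and only where the destination size is known at compile time, which is why the overhead stays far below full bounds checking.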

See the files under the directory gcc/doc for more details.
Also see the GCC Wiki pages.

In summary, the security improvements come in three parts:

1. An instrumentor that protects every potentially bad pointer access: mudflap

2. An implementation that only protects the stack: propolice

3. To improve performance, some safe builtin operations can be used.

Posted by Roy at March 3, 2006 07:43 PM
