On the Windows/MSVC builds of the product I work on, I've turned on the
"GuardStack" compiler option (/GS) which puts in fences to detect buffer
overruns in functions that the compiler thinks need it. Now I'm looking
at other platforms.
GCC has -fstack-protector and -fstack-protector-all. There's also the fairly
new -fstack-protector-strong, but I need to support Linuxes that are too
old to have that.
Clang has Address Sanitizer, but that seems to cost too much performance
for production code - with a bit of work, one can get the /GS losses down
to 2% or less with MSVC.
Clang also accepts GCC's -fstack-protector and -fstack-protector-all, but
they don't seem to do anything: taking assembly listings for a simple test
program compiled with and without -fstack-protector-all and diffing them
reveals no differences at all. I'm using OS X 10.9.2 with a Clang from Xcode
that reports itself as:
Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
Are -fstack-protector and -fstack-protector-all just being accepted and
ignored?
Microsoft has another setting for high-risk source code files: #pragma
strict_gs_check(on). Use it for, for example, a parser that accepts
untrusted input from the internet. I don't believe Linux/GCC has a
similar setting.
Yes ... I'm not clear what good this does me with Clang.
Microsoft has another setting for high-risk source code files: #pragma
strict_gs_check(on). Use it for, for example, a parser that accepts
untrusted input from the internet. I don't believe Linux/GCC has a
similar setting.
Yup. I don’t have anything that's truly high-risk, but we document that
option for our Windows customers to use where appropriate. The product
is a closed-source mathematical modelling library that gets embedded
in end-user applications by our customers.