shadowproject / shadow

ShadowCore integration/staging tree
MIT License
95 stars 60 forks

Compilation: enable PIE and PIC #68

Open kewde opened 7 years ago

kewde commented 7 years ago

For security reasons it's better to compile our code with position independent code/execution, rendering the stack unexecutable, protecting against buffer overflows.

LevelDB needs to be compiled with -fPIC

Shadow needs to be compiled with -e PIE=1

The makefile.unix in src specifies a way (scanelf) to check if a binary is compiled with non-executable stack.

kewde commented 7 years ago

All libraries we use need to be compiled with -fPIC. The stack remains executable for the application if one library is not compiled as position independent.

I'm not statically compiling Shadow on my development environment so I can't make these edits for now.

fPIC list:

Please note, this list is not exhaustive/complete.

Our main application is compiled with stack canaries, which adds a layer of protection to our code. While this issue is not crucial, every bit helps.
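
An added example, not part of the issue thread or the Shadow code base: a Python check for the two properties discussed above, similar in purpose to the scanelf check mentioned for makefile.unix. PIE is recorded in the ELF header type (ET_DYN) and the stack permission in the PT_GNU_STACK program header, so the check reports them separately. The function names and the sample images are constructed for illustration, and only little-endian ELF64 is handled.

```python
import struct
import sys

ET_DYN = 3                 # e_type of a PIE executable (shared objects use it too)
PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags


def elf_hardening(data: bytes) -> dict:
    """Report PIE and stack executability for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    exec_stack = None  # None: no PT_GNU_STACK, the platform default applies
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "exec_stack": exec_stack}


def sample_elf(e_type: int, stack_flags) -> bytes:
    """Constructed minimal ELF64 image: header plus at most one program header."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    # Fields: type, machine (x86-64), version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, phnum, 0, 0, 0)
    if stack_flags is None:
        return header
    return header + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                                0, 0, 0, 0, 0, 16)


if __name__ == "__main__":
    # Constructed samples: hardened (ET_DYN, RW stack) and one stale object's
    # worth of RWX stack in a non-PIE (ET_EXEC) image.
    print("hardened:", elf_hardening(sample_elf(3, 0x6)))
    print("weak:    ", elf_hardening(sample_elf(2, 0x7)))
    # Real binaries can be passed as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

Run against a build output, a result of `pie: True` and `exec_stack: False` is the target state; `exec_stack: None` means the linker emitted no PT_GNU_STACK header at all.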