A little more than a year ago, Google submitted a patch which added a -fstack-protector-strong option, which was intended to strike a balance between -fstack-protector (used in Arch) and -fstack-protector-all, which was considered too computationally expensive for Google's chromiumos. All of these options introduce measures to protect compiled programs against stack overflow attacks to varying degrees of security and performance.
This Google doc sums up what the new flag introduces: https://docs.google.com/document/d/1xXB … t?hl=en_US
My recently installed default /etc/makepkg.conf shows -fstack-protector (not -strong) in CFLAGS. Is there a specific reason that it has not yet been implemented in Arch, or has it simply just "not happened" yet?
Fedora 20 is now using -fstack-protector-strong. After some searching I couldn't find anything here or on the Arch bug tracker which discusses the new option. I should add that I am by no means well-versed in security and this is something I would like to know more about.
Last edited by oboenerd (2013-12-08 03:13:19)
"I quoted myself." -oboenerd
This is something that should be brought up in the bug tracker, I think. Though, interestingly, this is not documented in the gcc man page nor the gcc info page.
Edit: I didn't follow your links, but I do remember reading about this. It would seem that this functionality has not been merged, as trying to use -fstack-protector-strong fails with:
gcc: error: unrecognized command line option '-fstack-protector-strong'
Last edited by WonderWoofy (2013-12-08 03:54:56)
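The difference between the three options discussed in this thread, and the "unrecognized command line option" check, as an added example that is not part of either post: the script compiles three constructed functions at each protection level and counts how many receive a stack canary check. The compiler name `cc` and the sample functions are assumptions.

```shell
#!/bin/sh
# Added example: count how many of three constructed functions get a stack
# canary under each -fstack-protector level. CC defaults to "cc" (assumption).
CC=${CC:-cc}

# Constructed sample source: one function per protection trigger.
sample_source() {
cat <<'EOF'
int plain(int a) { return a + 1; }          /* no array, no address taken */
int small_array(int i) {                    /* array, but not a char array */
    int v[2] = {1, 2};
    return v[i & 1];
}
int big_buf(const char *s) {                /* char array of 8 bytes or more */
    char buf[64]; int i;
    for (i = 0; i < 63 && s[i]; i++) buf[i] = s[i];
    buf[i] = 0;
    return buf[0];
}
EOF
}

# flag_supported FLAG: succeeds if the compiler accepts FLAG.
flag_supported() {
    printf 'int main(void){return 0;}\n' |
        "$CC" "$1" -x c -S -o /dev/null - 2>/dev/null
}

# protected_count FLAG: prints how many functions in the sample end up with
# a call to __stack_chk_fail (the canary failure handler) in their assembly.
protected_count() {
    sample_source | "$CC" -O0 "$1" -x c -S -o - - 2>/dev/null |
        grep -cE '(call|callq|bl|jal)[[:space:]].*__stack_chk_fail' || true
}

for flag in -fno-stack-protector -fstack-protector \
            -fstack-protector-strong -fstack-protector-all; do
    if flag_supported "$flag"; then
        printf '%-26s %s of 3 functions protected\n' \
            "$flag" "$(protected_count "$flag")"
    else
        printf '%-26s not accepted by %s\n' "$flag" "$CC"
    fi
done
```

With a compiler that lacks the option, the `-fstack-protector-strong` row reports "not accepted" instead of a count.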