GCC's new fortification level: The gains and costs
This article describes a new level of fortification supported in GCC. This new level detects more buffer overflows and bugs which mitigates security issues in applications at run time.
C programs routinely suffer from memory management problems. For several years, a _FORTIFY_SOURCE preprocessor macro inserted error detection to address these problems at compile time and run time. To add an extra level of security, _FORTIFY_SOURCE=3 has been in the GNU C Library (glibc) since version 2.34. I described its mechanisms in my previous blog post, Broadening compiler checks for buffer overflows in _FORTIFY_SOURCE. There has been compiler support for this builtin in Clang for some time. Compiler support has also been available for GCC since the release of version 12 in May 2022. The new mitigation should be available in GNU/Linux distributions with packaged GCC 12.
The following sections discuss two principal gains from this enhanced level of security mitigation and the resulting impact on applications.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25501065/DSCF7721.jpg)
