Description
What problem will this solve?
There have been efforts in recent years to harden STL implementations. GCC 14 added -fhardened to libstdc++ and MSVC 17.x's MS STL has the macro _MSVC_STL_HARDENING. Clang currently does not have a flag implemented, but there is an issue open (see llvm/llvm-project#122687) and it can be reasonably emulated today.
What might be a solution?
Add a hardened API. Then we could allow specifying various "hardened" aspects. Sample usage:
```lua
hardened {
    "stl",         -- Standard library hardening
    "aslr",        -- Address space layout randomization (fpic, pie, dynamic base)
    "stack",       -- Stack protection flags (-fstack-protector-strong, /GS)
    "controlflow", -- Control Flow protection (-fcf-protection=full, /cetcompat /guard:cf)
}
```

Another Option:

```lua
hardenstl "On/Off"
hardenaslr "On/Off"
hardenstack "On/Off"
controlflow "On/Off"
```

Open Questions: libc++ has various STL hardening modes (none, fast, extensive, debug). MS STL has an additional "destructor pointer tombstone" option. Would we support these, and if so, how would we want to do this? I think Option 2 allows for us to extend this better, especially if compilers start to turn these on by default.
What other alternatives have you already considered?
Flags can be manually added via the buildoptions API.
Anything else we should know?
Flag Suggestions: https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
libstdc++ Hardening: https://gcc.gnu.org/wiki/LibstdcxxDebugMode
libc++ Hardening: https://libcxx.llvm.org/Hardening.html
MS STL Hardening: https://github.com/microsoft/STL/wiki/STL-Hardening
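The manual alternative mentioned above, written out with today's Premake calls (`filter`, `defines`, `buildoptions`, `linkoptions`, `pic`). This is an added example, not part of the original issue or of Premake itself: `apply_hardening`, the project name and the source path are hypothetical, and the GCC/Clang branches assume an x86 ELF target.

```lua
-- premake5.lua fragment. apply_hardening is a hypothetical helper, not a Premake API.
-- Assumes `toolset` is set in the workspace so the toolset filters match.
local aspects = {
    stl = function()
        -- libstdc++ and libc++ each read their own macro and ignore the other's.
        filter { "toolset:gcc or clang" }
            defines { "_GLIBCXX_ASSERTIONS",
                      "_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST" }
        filter { "toolset:msc*" }
            defines { "_MSVC_STL_HARDENING=1" }
    end,
    aslr = function()
        filter { "toolset:gcc or clang", "kind:SharedLib" }
            pic "On"
        filter { "toolset:gcc or clang", "kind:ConsoleApp or WindowedApp" }
            buildoptions { "-fPIE" }
            linkoptions { "-pie" }
        filter { "toolset:msc*" }
            linkoptions { "/DYNAMICBASE" }
    end,
    stack = function()
        filter { "toolset:gcc or clang" }
            buildoptions { "-fstack-protector-strong" }
        filter { "toolset:msc*" }
            buildoptions { "/GS" }
    end,
    controlflow = function()
        -- -fcf-protection is x86-only; drop it for other target architectures.
        filter { "toolset:gcc or clang" }
            buildoptions { "-fcf-protection=full" }
        filter { "toolset:msc*" }
            buildoptions { "/guard:cf" }
            linkoptions { "/guard:cf", "/CETCOMPAT" }
    end,
}

local function apply_hardening(names)
    for _, name in ipairs(names) do
        local fn = aspects[name]
        if not fn then error("unknown hardening aspect: " .. tostring(name), 2) end
        fn()
    end
    filter {}  -- clear the filter so later settings are unconditional
end
project "app"
    kind "ConsoleApp"
    language "C++"
    files { "src/**.cpp" }
    apply_hardening { "stl", "aslr", "stack", "controlflow" }
```

Because the helper ends with `filter {}`, any filter that was active before the call is cleared and has to be re-stated afterwards.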