C++ flags Hardening Guide
Compiler Options Hardening Guide for C and C++ - OpenSSF / HN
When compiling C or C++ code on compilers such as GCC and clang, turn on these flags for detecting vulnerabilities at compile time and enable run-time protection mechanisms:
-O2 -Wall -Wformat -Wformat=2 -Wconversion -Wimplicit-fallthrough \
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
-D_GLIBCXX_ASSERTIONS \
-fstrict-flex-arrays=3 \
-fstack-clash-protection -fstack-protector-strong \
-Wl,-z,nodlopen -Wl,-z,noexecstack \
-Wl,-z,relro -Wl,-z,nowC++ Profile
C and C++ are fundamentally memory-unsafe languages. That doesn’t make them bad languages, but it is a reality that you have to face when you work with them. And one of the things we’ve learned is that building safe abstractions, while not a complete solution, does quite a long way.
And then CISA suggested that “maybe we should stop using memory-unsafe languages.” … C++ profiles is a magic solution to the problem. - Safe C++ proposal is not being continued
see also
- No more leaks with sanitize flags in gcc and clang - run a memory sanitizer inside your program
- How to build highly-debuggable C++ binaries / HN
Written on April 25, 2024, Last update on April 12, 2025
debug-c++
c++-memory
compiler
security