enhancing secure compilation options

Question

enhancing secure compilation options

Closed this issue a year ago · 2 comments

-fstack-protector is used to detect buffer overflow，but it's not enough, -fstack-protector-strong is recommended, thx for your reply.

Answer 1 · 2023-07-04T13:50:35.000Z

Hello @BornThisWay, thank you for the good proposal!
We'll evaluate this flag's security and performance impact on the library and introduce it in case the analysis shows it's necessary to be added.

P.S. Sorry for the long reply.

Answer 2 · 2023-08-08T08:50:25.000Z

Hi @BornThisWay,

We have done the analysis on our side.
Unfortunately, -fstack-protector-strong flag causes significant performance impact for some of the IPP Crypto algorithms.

We double checked that "buffer overflow detection" is performed by our static code analyzers - based on the report we have zero such issues in IPP Crypto.

We decided not to introduce -fstack-protector-strong now (potentially we will revisit this decision in future)

Please let me know if you have any questions.