I have been adding some "compilation flags" to activate security measures in my binary. And then I check that the measures are implemented using the checksec tool. I have been able to activate all of them except for FORTIFY.
I keep geting
FORTIFY = No, Fortified = 0, Fortifiable = 4
as output from checksec even after compiling with -D_FORTIFY_SOURCE=2
I have to say that I use a common CMakeLists.txt for many binaries and I added the -D_FORTIFY_SOURCE=2 in the global add_compile_options section.
For all the other generated binaries the macro has the expected behavior, that is, the other binaries get "fortified".
I am using gcc 9.3.0, my application is written in c++17 and I compile with -O2.
Does someone have an idea why my binary is not getting fortified?
Thanks in advance.
Fortification done by checksec script is done heuristically: by grepping for
_chk
symbols in output ofreadelf --dyn-syms
. So it will only be able to detect fortification ifmemset
,memcpy
, etc.)__OPTIMIZE__
is defined and greater than zero)gimple_fold_builtin_memory_chk
in gimple-fold.c)To identify the exact cause of your particular case we'll need an MVCE.