Strengthening the Fort 🏰: OpenSSF Releases Compiler Options Hardening Guide for C and C++

By Thomas Nyman, Ericsson; David A. Wheeler, Linux Foundation; Mark Esler, Canonical; Siddhesh Poyarekar, Red Hat; Christopher “CRob” Robinson, Intel

In the fast-changing landscape of cybersecurity, OpenSSF has taken a significant step towards enhancing the security of C and C++ software. This effort addresses a persistent class of software defects that have affected software, including open source software (OSS), since the dawn of the Internet. By releasing a comprehensive “Compiler Options Hardening Guide for C and C++” the OpenSSF Best Practices Working Group aims to empower developers with the expertise and resources to build more secure C and C++ applications.

The guide has been made possible by the collective efforts of various organizations and individuals. It came to be after an initial donation of content from the network platform and telecommunications company Ericsson, and has since received valuable contributions from a number of individuals with invaluable insights into the C and C++ ecosystem and compilers from organizations including the Linux Foundation, Intel, Microsoft, Red Hat, Canonical, Control Plane, Woven by Toyota, and IBM.

In this blog post, we’ll explore the significance of this guide, understand the challenges of C and C++ security, and learn how it can help developers mitigate potential risks.

The C and C++ Hardening Challenge

C and C++ have consistently been the preferred languages for systems programming, embedded systems, and various performance-critical applications. While these languages offer great control and performance, they also introduce a unique set of security challenges. The design and low-level access of C and C++ make code in them susceptible to various vulnerabilities. These especially include memory-safety issues such as buffer overflows, format string vulnerabilities, and memory corruption.

Recently, there has been an increased focus on memory safety issues from leading cybersecurity organizations such as the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the UK National Cyber Security Centre (NCSC). These authorities have collectively emphasized the significant risks posed by memory safety issues. Memory safety problems continue to account for a large portion of exploitable software vulnerabilities today. For instance, both Microsoft and Google have reported that approximately 70% of the security vulnerabilities in their respective products, including Microsoft’s software suite and the Chrome browser, can be attributed to memory safety issues. In almost all cases these occur because such mistakes are easy to make in C and C++.

However, addressing these vulnerabilities on a large scale presents several significant challenges: 

Firstly, it is unaffordable to rewrite all existing C and C++ code into another language. There are tens or potentially hundreds of billions of lines of code written in C or C++. These languages have been foundational in the digitalization of our society over the past decades.

Second, even if we eventually manage to widely phase out C and C++ in favor of safer languages, it won’t eliminate all security vulnerabilities. Even promising alternatives, such as Rust, currently rely on dependencies built on C, C++, or code that requires ‘unsafe’ language extensions. Recent data indicates that over 70% of Rust packages, also known as ‘crates’, have dependencies on C or C++.

To mitigate the risks associated with C and C++, developers need to make informed choices regarding compiler options to harden their software against memory-safety issues and other software defects. Compiler flags are powerful tools that can significantly enhance the security of C and C++ code. However, not all developers are well-versed in navigating the intricacies of the options available to them effectively. This is where the OpenSSF’s Compiler Options Hardening Guide offers important guidance to developers seeking to optimize the security of their software.

OpenSSF’s Compiler Options Hardening Guide

OpenSSF’s Compiler Options Hardening Guide is a comprehensive resource that helps developers better understand the security implications of compiler options in C and C++. It covers a wide range of topics, including:

• Recommended compiler options – This section outlines a collection of widely used compiler options flags in open source compilers. The recommendations include both flags that will warn developers about, as well as harden software against prevalent defects, including buffer overflows and other sources of memory corruption. The majority of these options are already enabled by the major Linux distributions today.
• Discouraged compiler options – This section identifies specific compiler options flags that, when used  inappropriately, may result in potential defects with significant security implications in produced binaries.
• Sanitizers – This section introduces developers to compiler-based tools designed to detect and pinpoint memory-safety issues and other defects in applications. While the use of sanitizers may be prohibitively expensive for release configurations in terms of performance penalties and memory overhead, they are highly valuable diagnostics tools during debugging and testing phases.

Why This Guide Matters

The Compiler Options Hardening Guide addresses the critical need for comprehensive resources to navigate compiler options flags important for C and C++ security. By making this guide freely available to developers, OpenSSF is promoting security best practices and helping to raise the overall security standards in the industry.

Here are the key reasons why this guide matters:

1. Vulnerability Prevention and Mitigation: The guide helps developers proactively minimize potential security vulnerabilities in their code by understanding and applying the recommended compiler options.
2. Improved Developer Education: The guide is an educational resource that can help both novice and experienced developers make informed decisions about compiler options.
3. Collaboration and Best Practices: It encourages collaboration within the open-source community and the adoption of best practices for secure software development.
4. Free and Open Access: OpenSSF’s commitment to free access ensures that even projects with limited resources can benefit from enhanced security practices.

For example, the _FORTIFY_SOURCE feature, when enabled according to the guide’s recommendations, hardens many C standard library functions against buffer overflows and assists in discovering memory safety issues. In the past year, several prominent open source projects, such as Qemu, Bind 9, autogen, and PRIMA have successfully identified  and fixed previously unknown buffer overflow or undefined behavior defects thanks to enhancements in the  _FORTIFY_SOURCE feature.

Memory safe languages, like Rust, are exciting and necessary, but will take time to become established for systems-level programming. Code such as Linux kernel filesystems cannot simply be rewritten overnight and even if they were rewritten overnight, it would take years to get that code widely-deployed. Security hardening compiler options for  C and C++ make the languages safer to use. These practices are not mutually exclusive. We can meet in the middle to secure the FOSS ecosystem by using both memory safe languages and compiler options hardening.

How to get involved

If you are developing software in C or C++, we encourage you to explore the guide available here: Compiler Options Hardening Guide for C and C++

While this blog post announces the initial release of the guide, our work is far from over. Improving software is more important than ever. The adoption of security features by leading compilers is growing. We hope in the future to add information on more compilers (such as those from Intel and Microsoft) and to add more options. Our aim is to continuously update the guide.

If you are interested in contributing you can join the welcoming BEST WG community on GitHub and on the OpenSSF Slack channel. The C/C++ Compiler Hardening Guide initiative convenes for calls every other Wednesday at 14:00 UTC.

For more ways to get involved in OpenSSF initiatives, please visit our Get Involved page.

About the Author(s)

Thomas Nyman leads the C/C++ Compiler Hardening Guide initiative under the OpenSSF Best Practices Working Group. He is a Senior Security Technology Specialist at Ericsson where he works with platform security for critical telecommunications infrastructure. He holds a PhD in Computer Science from Aalto University, Finland, where he worked on systems security research in the areas of mobile and embedded platform security.

David A. Wheeler is the Director of Open Source Supply Chain Security at the Linux Foundation. Dr. Wheeler has a PhD in Information Technology, a Master’s in Computer Science, a certificate in Information Security, a certificate in Software Engineering, and a B.S. in Electronics Engineering. He is a Certified Information; Systems Security Professional (CISSP) and Senior Member of the IEEE. He lives in Northern Virginia.

Mark Esler is an Ubuntu Security member who focuses on security maintenance, auditing software, coordinating vulnerabilities, and is working to harden Ubuntu compiler flags.

 

Siddhesh Poyarekar is the Security Lead for the Platform Tools group at RedHat. He is one of the lead maintainers of the GNU C Library and a contributor to GCC.

 

Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security and a community leader within the Open Source Security Foundation (OpenSSF).