Consider -Wl,--as-needed and -Wl,--no-copy-dt-needed-entries for C and C++ Compiler Hardening Guide #510

Closed
thomasnyman opened this issue May 30, 2024 · 0 comments · Fixed by #571

Comments

@thomasnyman
Contributor

The -Wl,--as-needed flag tells the linker to link in the produced binary only the libraries containing symbols actually used by the binary itself. This can positively impact security by reducing the attack surface of the produced binaries in terms of, e.g., gadgets available for code reuse attacks.

The -Wl,--no-copy-dt-needed-entries flag affects the resolution of symbols in dynamic libraries by limiting the symbol resolution to the shared library expected to contain a specific symbol. This is the default in ld. Potentially the inverse, -Wl,--copy-dt-needed-entries, could be added as a discouraged option, as that allows symbols to be resolved from implicitly linked libraries in application code.

References:
