In a recent discussion led by Aaron Bullman, the main accompanying Clang compiler and a participant in the development commands of WG21 (C ++) and WG14 (C), the addition of security reinforcement to the Clang compiler was initiated. The proposed new mode aims to activate a set of options to strengthen protection, similar to the ” -fhardened” added to GCC 14. This includes options such as “-D_FORTIFY_SORCE = 3 -D_GLIBCXX_ASSERTIONS -FTRIVIAL-AUTO-VAR-mini-mini. -pie -wl, -z, redro, -z, now -fstack-proprong -strong -fstack-class-propration -fcf-propration = Full.”
Currently, efforts are underway to enhance security for C and C++, although progress may not be swift. While some individual options with added protection mechanisms are available in Clang, they can lead to code incompatibility or ABI violations, hindering default activation. These options, consisting of various compilation controls, machine instruction generation flags, warnings, diagnostic modes, and macros, are poorly documented and often overlooked by developers.
This proposed unified setting aims to simplify the application of security-related options. Various methods of activating the enhanced safety mode are being considered, including activating it through the “-fhardened” flag, settings like “–config = hardened,” and separate driver or compilation options like “-fhardeneed” and “-whardened.” The mode would encompass compiler capabilities, warnings, security strengthening in standard library functions, macros, language standard selection, refusal to compile outdated code using C89 and C++ 98 standards, and the inclusion of additional flags for the compiler, such as randomization of addresses.