Home Explore Blog CI



nixpkgs
31th chunk of `doc/stdenv/stdenv.chapter.md`
d9f8ccf18ad205a5b34d137dacbdbcf1abf1c37b2b6027450000000100000981
This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.

#### `pie` {#pie}

This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for

  - `musl`-based package builds, except on Aarch64 and Aarch32, where there are issues.

  - Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.

Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.

#### `shadowstack` {#shadowstack}

Adds the `-fcf-protection=return` compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program's stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.

For the Shadow Stack to be enabled at runtime, all code linked into a process must be built with Shadow Stack enabled, so this is probably only useful to enable on a wide scale, so that all of a packages dependencies also have the feature enabled.

This is currently only supported on some newer Intel and AMD processors as part of the Intel CET set of features. However, the generated code should continue to work on older processors which will simply omit any of this checking.
Title: Hardening Flags: nostrictaliasing, pie, and shadowstack
Summary
This section describes three hardening flags: `nostrictaliasing`, `pie`, and `shadowstack`. `nostrictaliasing` prevents unsafe compiler optimizations related to pointer aliasing. `pie` enables Address Space Layout Randomization (ASLR) for executables, making ROP attacks more difficult, and is enabled by default under certain conditions. `shadowstack` uses a hardware-supported feature to protect return addresses, increasing the difficulty of ROP attacks.