# AD3020: EnableOptimization

## Summary
| Property | Value |
|---|---|
| ID | AD3020 |
| Name | EnableOptimization |
| Category | Performance |
| Severity | Warning |
| Applies to | ELF (Linux/Unix) |
## Description
This rule checks whether ELF binaries were compiled with optimization enabled. Optimization level -O2 or higher is required for several security features to work correctly, most notably FORTIFY_SOURCE.
## Why This Matters
Optimization is a prerequisite for several security features. Without optimization, important security mechanisms like FORTIFY_SOURCE silently fail to activate, leaving the binary unprotected while appearing to be secure.
### FORTIFY_SOURCE Dependency

FORTIFY_SOURCE replaces unsafe functions with checked versions:

```c
// With -D_FORTIFY_SOURCE=2 and -O2:
strcpy(dest, src); // Becomes __strcpy_chk(dest, src, dest_size)
                   // Runtime check: does src fit in dest?
                   // (dest_size comes from __builtin_object_size(dest, 1),
                   //  which the compiler can only resolve when optimizing)

// With -D_FORTIFY_SOURCE=2 but -O0:
strcpy(dest, src); // Stays as strcpy() - NO PROTECTION!
                   // Compiler can't determine sizes
```
### Why Optimization Enables Security
| Optimization Level | FORTIFY_SOURCE | Buffer Size Analysis |
|---|---|---|
| -O0 | Disabled | None |
| -O1 | Basic | Some |
| -O2 | Full | Complete |
| -O3 | Full | Complete |
| -Os | Full | Complete |
## Security-Relevant Optimizations
Optimization enables multiple security improvements:
| Optimization | Security Benefit |
|---|---|
| Dead code elimination | Removes unused vulnerable code |
| Constant propagation | Enables buffer size checking |
| Inlining | Exposes more code to analysis |
| Devirtualization | Reduces indirect call targets |
## The Debug Build Security Gap
Debug build (-O0, -g):
- Symbols for debugging ✓
- FORTIFY_SOURCE active? NO!
- Stack protector? YES (still works)
- ASLR? YES (still works)
Release build (-O2):
- Optimized code ✓
- FORTIFY_SOURCE active? YES!
- All protections active ✓
## FORTIFY_SOURCE Levels
| Level | Checking | Overhead |
|---|---|---|
| _FORTIFY_SOURCE=1 | Compile-time only | Zero |
| _FORTIFY_SOURCE=2 | Compile + runtime | Very low |
| _FORTIFY_SOURCE=3 | Aggressive runtime | Low |
## Protected Functions
FORTIFY_SOURCE protects many dangerous functions:
| Function Category | Examples |
|---|---|
| String | strcpy, strcat, sprintf |
| Memory | memcpy, memmove, memset |
| Wide char | wcscpy, wcscat |
| File I/O | fgets, fread |
## Verification

```bash
# Check if FORTIFY_SOURCE is active
objdump -d binary | grep -c '__.*_chk'
# If count > 0, FORTIFY_SOURCE is working
# If count = 0, check optimization level
```

- FORTIFY_SOURCE requirement: `-D_FORTIFY_SOURCE=2` requires `-O1` or higher to function
- Dead code elimination: Removes unreachable code that may contain vulnerabilities
- Better code generation: Optimized code often has fewer exploitable patterns
- Stack usage: Optimized code typically uses less stack space
## How to Fix

### Enable optimization

```bash
# Recommended: -O2 for release builds
gcc -O2 -D_FORTIFY_SOURCE=2 -o myapp myapp.c

# For security-sensitive code, -O2 or -O3
gcc -O3 -D_FORTIFY_SOURCE=3 -o myapp myapp.c

# Note: -Os (size optimization) also enables FORTIFY_SOURCE
gcc -Os -D_FORTIFY_SOURCE=2 -o myapp myapp.c
```
### Build system configuration

```bash
# CMake - set release build type
cmake -DCMAKE_BUILD_TYPE=Release ..
```

```cmake
# Or explicitly set flags in CMakeLists.txt
set(CMAKE_C_FLAGS_RELEASE "-O2 -D_FORTIFY_SOURCE=2")
```
### Verify the fix

```bash
# Check DWARF for optimization info
# (DW_AT_producer only exists if the binary was built with -g and not stripped)
readelf --debug-dump=info myapp | grep -i "DW_AT_producer"
# Should show -O2 or similar

# Check for fortified functions (indicates FORTIFY_SOURCE is active)
nm myapp | grep "_chk"
# On a stripped binary use the dynamic symbol table instead: nm -D myapp | grep "_chk"
```
## Detection Method
aldur detects optimization level through:
1. DWARF debug info DW_AT_producer attribute
2. Presence of fortified function symbols (__*_chk)
3. Absence of debug-only constructs
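The first two of these signals, as an added example of how such a check can be implemented (this is illustrative code, not aldur's own implementation; the DW_AT_producer strings and `nm -D` output are constructed samples, and the verdict strings mirror the rule's Note/Pass output):

```python
import re

# Constructed DW_AT_producer strings (as printed by readelf --debug-dump=info).
PRODUCER_OPTIMIZED = "GNU C17 13.2.0 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong"
PRODUCER_DEBUG = "GNU C17 13.2.0 -mtune=generic -march=x86-64 -g -O0"

# Constructed `nm -D` output for a dynamically linked binary.
NM_FORTIFIED = """\
                 U __libc_start_main@GLIBC_2.34
                 U __memcpy_chk@GLIBC_2.3.4
                 U __printf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U __strcpy_chk@GLIBC_2.3.4
"""
NM_UNFORTIFIED = """\
                 U __libc_start_main@GLIBC_2.34
                 U __stack_chk_fail@GLIBC_2.4
                 U strcpy@GLIBC_2.2.5
"""

# Rank of each -O level; -Og is treated like -O0 for FORTIFY purposes (assumption).
_OPT_RANK = {"0": 0, "g": 0, "1": 1, "s": 2, "2": 2, "3": 3, "fast": 3}
_OPT_RE = re.compile(r"(?:^|\s)-O(fast|[0-3gs])?(?=\s|$)")
# Fortified wrappers are named __<func>_chk. __stack_chk_fail belongs to the
# stack protector, not FORTIFY, and does not match because "_chk" is not at a word end.
_CHK_RE = re.compile(r"\b(__\w+_chk)\b")

def opt_level(producer):
    """Effective -O level from a DW_AT_producer string, or None if no -O flag appears.
    GCC honours the last -O flag on the command line, so the last match wins."""
    levels = [m.group(1) or "1" for m in _OPT_RE.finditer(producer)]  # bare -O means -O1
    return levels[-1] if levels else None

def fortified_symbols(nm_output):
    """Sorted list of distinct __*_chk symbols referenced by the binary."""
    return sorted(set(_CHK_RE.findall(nm_output)))

def assess(producer, nm_output):
    """Return (verdict, evidence). The producer string is authoritative when present;
    fortified symbols are the fallback for binaries without DWARF."""
    level = opt_level(producer) if producer else None
    chk = fortified_symbols(nm_output)
    if level is not None:
        if _OPT_RANK[level] >= 1:
            return "Pass", f"DW_AT_producer shows -O{level}; fortified symbols: {len(chk)}"
        return "Note", f"DW_AT_producer shows -O{level}; FORTIFY_SOURCE cannot activate"
    if chk:
        return "Pass", f"no DWARF producer, but {len(chk)} fortified symbols present"
    return "Note", "no DWARF producer and no fortified symbols; binary appears to be unoptimized"
```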
## Example

```text
Note: Binary appears to be unoptimized
Pass: Binary is optimized
```
## Important Note
Debug builds (-O0) are expected to lack optimization. This rule is informational and primarily ensures release builds have optimization enabled for security features to work.
## See Also
- AD3030: UseGccCheckedFunctions - FORTIFY_SOURCE
- GCC Optimization Options