AD3050: EnableGccDefs
Summary
| Property |
Value |
| ID |
AD3050 |
| Name |
EnableGccDefs |
| Category |
Security |
| Severity |
Warning |
| Applies to |
ELF (Linux/Unix) |
Description
ELF binaries compiled with GCC should use recommended security-related preprocessor definitions that enable additional runtime protections.
How It Works
The rule checks for evidence of security-related definitions:
_FORTIFY_SOURCE usage_GLIBCXX_ASSERTIONS for C++- Other security-enhancing macros
Why This Matters
GCC provides several preprocessor definitions that enable additional security checks at minimal performance cost.
Key Definitions
| Definition |
Effect |
_FORTIFY_SOURCE=2 |
Checked versions of string/memory functions |
_GLIBCXX_ASSERTIONS |
C++ container bounds checking |
_FORTIFY_SOURCE=3 |
Enhanced fortification (GCC 12+) |
_FORTIFY_SOURCE Levels
| Level |
Protection |
| 0 |
Disabled |
| 1 |
Basic (compile-time only) |
| 2 |
Standard (compile + runtime) |
| 3 |
Enhanced (more coverage, GCC 12+) |
How Fortification Works
// Source code
char buf[10];
strcpy(buf, input);
// With _FORTIFY_SOURCE=2, becomes:
char buf[10];
__strcpy_chk(buf, input, 10); // Aborts if overflow detected
Functions Protected
| Category |
Examples |
| String |
strcpy, strcat, sprintf, gets |
| Memory |
memcpy, memmove, memset |
| Format |
printf, fprintf, snprintf |
| Wide |
wcscpy, wcscat, wmemcpy |
| Definition |
Overhead |
| _FORTIFY_SOURCE=2 |
<1% typical |
| _GLIBCXX_ASSERTIONS |
Variable |
Distribution Defaults
| Distribution |
_FORTIFY_SOURCE |
| Ubuntu |
2 |
| Fedora |
2 |
| Debian |
2 |
| Gentoo |
User choice |
Resolution
Enable security definitions:
gcc -D_FORTIFY_SOURCE=2 -O2 program.c
g++ -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -O2 program.cpp
CMake Configuration
add_compile_definitions(
_FORTIFY_SOURCE=2
$<$<COMPILE_LANGUAGE:CXX>:_GLIBCXX_ASSERTIONS>
)
# Note: Requires -O1 or higher
add_compile_options(-O2)