AD5028: EnableOptimizationMachO
Summary
| Property | Value |
|---|---|
| ID | AD5028 |
| Name | EnableOptimizationMachO |
| Category | Performance |
| Severity | Warning |
| Applies to | Mach-O (macOS, iOS) |
Description
Mach-O release binaries should be compiled with optimization enabled. Unoptimized binaries are larger, slower, and may miss security-relevant optimizations.
How It Works
The rule checks for optimization indicators:
- DWARF debug info optimization level
- Binary size and structure patterns
- Compiler optimization markers
Why This Matters
Optimization is not just about performance - it also enables security-relevant transformations.
Security-Relevant Optimizations
| Optimization | Security Benefit |
|---|---|
| Dead code elimination | Smaller attack surface |
| Inlining | Better bounds check propagation |
| Constant folding | Removes exploitable patterns |
| Stack slot reuse | Less predictable layout |
Optimization Levels
| Level | Security | Performance |
|---|---|---|
| -O0 | Baseline | Slowest |
| -O1 | Better | Faster |
| -O2 | Good | Fast |
| -O3 | Good | Fastest |
| -Os | Good | Size-optimized |
| -Oz | Good | Minimum size |
Debug vs Release
| Build | Optimization | Debug Info |
|---|---|---|
| Debug | -O0 | Full |
| Release | -O2/-O3 | Optional |
| RelWithDebInfo | -O2 | Full |
FORTIFY_SOURCE Requirement
```
# _FORTIFY_SOURCE requires optimization
-D_FORTIFY_SOURCE=2 -O2 # Works
-D_FORTIFY_SOURCE=2 -O0 # Warning: FORTIFY disabled
```
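The following is an added example, not code from the rule or its project: a build-time check that applies the FORTIFY/optimization relationship above to compiler command lines (for instance, the `command` entries of a `compile_commands.json`). The function name `audit_compile_command` and the sample commands are constructed for illustration; the rule itself inspects the finished binary, while this catches the same problem earlier in the build.

```python
import shlex

# Flags that select an optimization level in Clang/GCC; the last one on the line wins.
O_LEVELS = {"-O0": "0", "-O": "1", "-O1": "1", "-O2": "2", "-O3": "3",
            "-Os": "s", "-Oz": "z", "-Ofast": "fast", "-Og": "g"}

def audit_compile_command(command):
    """Return (effective_opt_level, fortify_level, findings) for one compiler command line."""
    args = shlex.split(command)
    opt = "0"        # no -O flag at all means -O0
    fortify = None   # None = macro not defined on the command line
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in O_LEVELS:
            opt = O_LEVELS[arg]
        elif arg in ("-D", "-U") and i + 1 < len(args):
            # "-D NAME=VALUE" passed as two arguments: rejoin, then examine on the next pass
            args[i + 1] = arg + args[i + 1]
        elif arg.startswith("-D"):
            name, _, value = arg[2:].partition("=")
            if name == "_FORTIFY_SOURCE":
                fortify = int(value) if value.isdigit() else 1  # bare -DNAME defines it as 1
        elif arg == "-U_FORTIFY_SOURCE":
            fortify = None
        i += 1
    findings = []
    if opt == "0":
        findings.append("built at -O0: release binaries should be optimized")
        if fortify:
            findings.append(f"_FORTIFY_SOURCE={fortify} is disabled without optimization")
    return opt, fortify, findings

if __name__ == "__main__":
    # Constructed sample command lines, not taken from a real project.
    for cmd in ("clang -O2 -D_FORTIFY_SOURCE=2 -c a.c",
                "clang -D_FORTIFY_SOURCE=2 -O0 -c a.c",
                "clang -O2 -g -O0 -c a.c",           # later -O0 overrides -O2
                "clang -D _FORTIFY_SOURCE=2 -c a.c"):  # no -O flag: defaults to -O0
        print(cmd, "->", audit_compile_command(cmd))
```

The third sample is the case worth watching for in real builds: a release flag set that includes `-O2` but has `-O0` appended later by a toolchain file or environment variable.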
Resolution
Ensure release builds use optimization:
CMake Configuration
Xcode Settings
Ensure Release configuration uses:
- Optimization Level: -O2 or higher
- Deployment Postprocessing: Yes