问题描述
有人能指出 gcc -D_FORTIFY_SOURCE = 1 和 -D_FORTIFY_SOURCE = 2 之间的区别吗?我猜 = 2 更安全?我一直没有找到一个逐点列出差异的列表。
我也读过 -D_FORTIFY_SOURCE = 2 应该与 -O2 一起使用,否则不是所有的功能都可用。在这里我还没有找到一个清单,详细说明回归。我特别希望用 -Os 进行编译,因为目标是没有太多闪存的设备。
任何有关这方面的提示欢迎!
从功能测试宏的手册页()
此外,文章(2014年3月)称:
-
gcc -D_FORTIFY_SOURCE = 1仅在编译时添加检查(某些头文件必须为#include< string。 h> -
gcc -D_FORTIFY_SOURCE = 2还会在运行时添加检查(检测到的缓冲区溢出终止程序)
实质上, _FORTIFY_SOURCE 2级更安全,但是一个略微高风险的编制策略;如果您使用它,请确保您的编译代码具有非常强大的回归测试,以证明编译器没有引入任何意外的行为。
Can someone point out the difference between gcc -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2? I guess =2 is more secure? I haven't been able to find a list which lists differences point by point.
I have also read that -D_FORTIFY_SOURCE=2 should be used with -O2, otherwise not all features would be available. Also here i haven't found a list which would specify the regressions in detail. I would especially be interested to compile with -Os as the target is a device with not so much flash memory.
Any hints on where this is documented welcome!
From the manual page for the Feature Test Macros (man 7 feature_test_macros)
Moreover, the article Enhance application security with FORTIFY_SOURCE (March 2014) says:
gcc -D_FORTIFY_SOURCE=1adds checks at compile-time only (some headers are necessary as#include <string.h>)gcc -D_FORTIFY_SOURCE=2also adds checks at run-time (detected buffer overflow terminates the program)
Essentially, _FORTIFY_SOURCE level 2 is more secure, but is a slightly riskier compilation strategy; if you use it, make sure you have very strong regression tests for your compiled code to prove the compiler hasn't introduced any unexpected behaviour.
这篇关于gcc -D_FORTIFY_SOURCE = 1和-D_FORTIFY_SOURCE = 2之间的差异的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!