Using standard hardening options like PIC, Stack Protection ... does a mere recompilation make a program more secure against attacks?

You have the source code of a program, compile it two times with the same options. One of the binaries you give your attacker. Does it help him/not help him if you give him the same binary you will use or the other binary?

Reproducible builds are obviously out of question.

Before modern hardening options were used, it may have made a difference because recompilation produced a different layout, but today, when the binary is loaded into memory, (all?) parts are randomized anyway. So is there any point in recompiling programs from source, considering the build options are the same?

plsrespond

1 Answer

In general, modern compilers are deterministic. That is, for most sets of options, given the same inputs, they will produce the same outputs. That's why reproducible builds are even possible.

Moreover, this is the behavior you want: the compiler's job is to produce an executable or shared library that faithfully reproduces the source code when executed in object code. If it produced wildly different behavior or binaries with different security behavior when presented with the same options, that would make it hard to reason about the behavior of the code or the security of it.

So no, recompiling a binary with the same compiler and options provides no measurable difference in security. Features such as ASLR that use random addresses are handled by the dynamic linker at runtime and are therefore not baked into the binary.

Users may wish to compile source for various other reasons, though. For example, users may want to modify the code, audit the code for vulnerabilities, verify that the binary produced matches the source code, or various other reasons. Those are valuable and desirable reasons to compile from the source code even if the security properties of the binary don't change.

bk2204
  • To clarify paragraph 3, ASLR of the binary's address space (i.e. PIE) is determined at compile time. – multithr3at3d Mar 05 '21 at 23:13
  • Yes, whether you use ASLR is a compile-time option, since you need a position-independent executable, which is decided at compile time. However, what addresses you use are determined at runtime. – bk2204 Mar 05 '21 at 23:25
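
The distinction drawn in the answer and comments (hardening flags are fixed in the file at build time, addresses are chosen at load time) can be checked by reading the ELF headers directly. The following is an added example, not code from the answer or its author: `elf_hardening` and `make_elf` are hypothetical names, the sample images are constructed header-only byte strings, and `ET_DYN` is treated as "PIE" even though shared libraries use the same type.

```python
import hashlib
import struct

ET_EXEC, ET_DYN = 2, 3                        # e_type: fixed-address vs. position-independent
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1                                      # segment flag: executable

def elf_hardening(data: bytes) -> dict:
    """Report hardening facts recorded in a little-endian ELF64 image at build time."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags = {}
    for i in range(e_phnum):                  # walk the program header table
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        flags[p_type] = p_flags
    stack = flags.get(PT_GNU_STACK)
    return {
        "pie": e_type == ET_DYN,              # heuristic: shared objects are ET_DYN too
        "nx_stack": stack is not None and not (stack & PF_X),
        "relro": PT_GNU_RELRO in flags,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def make_elf(e_type: int, segments) -> bytes:
    """Build a constructed, header-only ELF64 image (sample input, not a real program)."""
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)          # e_ident, 16 bytes
    hdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(segments), 0, 0, 0)      # rest of the 64-byte header
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                          for t, f in segments)             # 56-byte program headers

if __name__ == "__main__":
    # Two "builds" with the same options: byte-identical, so identical properties.
    build_a = make_elf(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
    build_b = make_elf(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
    # A build with different options: fixed load address, executable stack, no RELRO.
    legacy = make_elf(ET_EXEC, [(PT_GNU_STACK, 7)])
    for name, image in (("a", build_a), ("b", build_b), ("legacy", legacy)):
        print(name, elf_hardening(image))
```

Nothing in the report contains a load address: those are chosen each time the program is started, which is why a second compilation with the same options gives an attacker neither more nor less information than the first.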