Questions tagged [compiler]
39 questions
79 votes, 10 answers
Would it be good secure programming practice to overwrite a "sensitive" variable before deleting it?
Is it good secure programming practice to overwrite sensitive data stored in a variable before it is deleted (or goes out of scope)? My thought is that it would prevent a hacker from being able to read any latent data in RAM due to data-remanence. …
Jonathan (3,157 rep, badges 4/26/42)
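For the scrubbing question above, an added example in C (not code from the question or any of its answers). It shows the point a practitioner cares about: a plain memset() on a buffer that is never read again is a dead store that the optimizer may delete, so the scrub has to be written in a way the compiler cannot elide. The volatile-pointer loop here is one portable way to do that; the names secure_memzero, use_key_then_scrub and demo_scrub and the 0xA5 test key are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the question or any answer on this page.
 * A plain memset() on a buffer that is never read again is a dead store
 * and a modern optimizer may remove it, leaving the secret in memory.
 * Writing through a volatile pointer forces the stores to be emitted.
 * Platform helpers do the same job where available: explicit_bzero(3)
 * on glibc/OpenBSD/FreeBSD, memset_s() from C11 Annex K, and
 * SecureZeroMemory() on Windows. Scrubbing only covers the copy you
 * control: copies in registers, swap, core dumps or library buffers
 * are a separate problem. */

/* Zero len bytes at p in a way the optimizer is not permitted to elide. */
void secure_memzero(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Returns 1 if every byte in [p, p+len) is zero, else 0. */
int all_zero(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Model of a function that holds a key in a local buffer and scrubs it
 * before the buffer goes out of scope. out_snapshot receives the bytes
 * after the scrub so a caller can inspect them; returns 1 if the scrub
 * left all zeros. */
int use_key_then_scrub(const unsigned char *key, size_t keylen,
                       unsigned char out_snapshot[32])
{
    unsigned char local[32];
    size_t n = keylen < sizeof local ? keylen : sizeof local;
    memset(local, 0, sizeof local);
    memcpy(local, key, n);
    /* ... derive a session key from local, encrypt, etc. ... */
    secure_memzero(local, sizeof local);      /* cannot be dead-store eliminated */
    memcpy(out_snapshot, local, sizeof local);
    return all_zero(local, sizeof local);
}

/* Self-contained demo with a constructed 32-byte key of 0xA5 bytes. */
int demo_scrub(void)
{
    unsigned char key[32];
    unsigned char snap[32];
    memset(key, 0xA5, sizeof key);
    return use_key_then_scrub(key, sizeof key, snap) && all_zero(snap, sizeof snap);
}
```

Compile the file with and without -O2 and compare the disassembly of use_key_then_scrub: with the volatile loop the zeroing stores stay in both builds, whereas a plain memset() on the same buffer is a candidate for removal at -O2.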
40 votes, 3 answers
What security measures should one implement before executing user-uploaded files?
I want to make a little programming puzzle on my website. There's going to be a task. The user will be asked to upload a C++ source file with their solution. The file should be compiled, run with some input and checked to see whether it produces the right output.…
Jen (503 rep, badges 4/5)
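For the question above about running user-uploaded solutions, an added example in C (not code from the question or any of its answers). It shows the minimum resource-limit layer an online judge applies before exec: CPU time, address space, file size and process count via setrlimit(2), plus a wall-clock watchdog in the parent, because a program that sleeps or blocks never accrues CPU time and would otherwise sit there forever. It assumes a Linux/POSIX host with /bin/sh; the helper names run_limited, apply_limit, demo_exit_code and demo_cpu_bomb are this example's own. Rlimits are only one layer: a real judge also drops privileges, runs the program in its own user, mount, PID and network namespace or container, and applies a seccomp filter, none of which is shown here.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Added example, not from the question or any answer on this page.
 * Runs an untrusted binary in a child with resource limits applied
 * before exec. Returns the exit status (0..255) on normal exit,
 * -signal if the child was killed by a signal (e.g. -SIGXCPU when the
 * CPU limit is hit, -SIGKILL when the wall-clock watchdog fires),
 * or -1000 on an internal error. */

/* Lower a limit to (soft, hard), clamped to the current hard limit so
 * the call cannot fail by trying to raise a limit we are not allowed to. */
static int apply_limit(int resource, rlim_t soft, rlim_t hard)
{
    struct rlimit cur, rl;
    if (getrlimit(resource, &cur) != 0)
        return -1;
    rl.rlim_max = hard < cur.rlim_max ? hard : cur.rlim_max;
    rl.rlim_cur = soft < rl.rlim_max ? soft : rl.rlim_max;
    return setrlimit(resource, &rl);
}

int run_limited(const char *path, char *const argv[],
                unsigned cpu_seconds, rlim_t mem_bytes, unsigned wall_seconds)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1000;

    if (pid == 0) {
        /* child: limits first, then exec the untrusted program.
         * CPU hard limit is one second above the soft limit so the kernel
         * delivers SIGXCPU (soft) rather than SIGKILL (hard). */
        if (apply_limit(RLIMIT_CPU, cpu_seconds, cpu_seconds + 1) != 0 ||
            apply_limit(RLIMIT_AS, mem_bytes, mem_bytes) != 0 ||
            apply_limit(RLIMIT_FSIZE, 1 << 20, 1 << 20) != 0 ||   /* 1 MiB of output */
            apply_limit(RLIMIT_NPROC, 0, 0) != 0)                 /* no fork bombs */
            _exit(127);
        execv(path, argv);
        _exit(127);                     /* exec failed */
    }

    /* parent: poll with a wall-clock watchdog */
    int status;
    unsigned waited_ms = 0;
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;
        if (r < 0)
            return -1000;
        if (waited_ms >= wall_seconds * 1000u) {
            kill(pid, SIGKILL);
            if (waitpid(pid, &status, 0) < 0)
                return -1000;
            break;
        }
        struct timespec ts = { 0, 10 * 1000 * 1000 };   /* 10 ms */
        nanosleep(&ts, NULL);
        waited_ms += 10;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    return -1000;
}

/* Constructed "solutions": a well-behaved one exits 3, a CPU burner spins. */
int demo_exit_code(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    return run_limited("/bin/sh", argv, 2, (rlim_t)256 << 20, 5);
}

int demo_cpu_bomb(void)
{
    char *const argv[] = { "sh", "-c", "while :; do :; done", NULL };
    return run_limited("/bin/sh", argv, 1, (rlim_t)256 << 20, 5);
}
```

The negative return value tells the judge why the run ended, which is what it should report to the user ("time limit exceeded" versus "wrong answer") without ever trusting the program's own output about that.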
8 votes, 1 answer
Are there any type safe languages with deterministic compilers?
This article about BIND9 concludes with the statement:
The point I'm trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were…
makerofthings7 (50,090 rep, badges 54/250/536)
7 votes, 2 answers
How do compilers detect buffer overflow?
I just started researching security at the systems level and its challenges, especially with respect to low-level languages such as C/C++ and Objective-C. I have understood buffer overflow and how it works. I was playing around with it on OS X and…
user775093 (315 rep, badges 1/7)
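For the question above, an added example in C (not code from the question or any of its answers) that models what -fstack-protector inserts: the prologue stores a guard value just above the local arrays, the epilogue compares it before returning, and a mismatch means the return address may have been overwritten, so the real code calls __stack_chk_fail() and aborts instead of returning. To keep the demo deterministic and well-defined, the frame is modelled as a struct and the copy is into the struct's bytes rather than into a real stack frame; the fixed STACK_CHK_GUARD constant stands in for the per-process random guard, and the names instrumented_copy and copy_payload are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the question or any answer on this page.
 * Model of a stack-protector instrumented function. In real code the
 * guard is random per process (glibc keeps it in TLS; on x86-64 the
 * prologue loads it from %fs:0x28) and a mismatch calls __stack_chk_fail().
 * A fixed value is used here so the result is reproducible. Its lowest
 * byte is zero, as glibc's guard is, so an overflow via a string function
 * stops at that NUL instead of copying over the whole canary. */
static const uint64_t STACK_CHK_GUARD = 0x2f9ea1b7c4d53e00ULL;

/* Layout the compiler produces: character arrays lowest, canary above them,
 * saved registers and return address above the canary (not modelled). */
struct frame {
    char buf[16];       /* local array an unchecked copy can overrun */
    uint64_t canary;    /* guard slot between the arrays and the return address */
};

/* Returns 1 if the canary survived (function would return normally),
 * 0 if it was corrupted (real code aborts here), -1 if n exceeds the
 * modelled frame, since the real overflow would then run past it. */
int instrumented_copy(const char *src, size_t n)
{
    struct frame f;
    if (n > sizeof f)
        return -1;
    f.canary = STACK_CHK_GUARD;                                 /* prologue */
    memcpy((char *)&f + offsetof(struct frame, buf), src, n);  /* body: unchecked copy */
    return f.canary == STACK_CHK_GUARD;                         /* epilogue check */
}

/* Constructed attacker input: n bytes of 'A'. */
int copy_payload(size_t n)
{
    char payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    return instrumented_copy(payload, n);
}
```

The check catches a contiguous overrun through the canary; it does not catch a write that skips over it (an out-of-bounds index rather than a linear copy), heap overflows, or overwrites of other locals below the canary, which is why it is paired with -D_FORTIFY_SOURCE, ASLR and NX rather than used alone.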
7 votes, 2 answers
In Visual Studio, what are the risks of simply opening an untrusted project? What are the mitigations?
I'm looking at the source code of some potentially hostile code. As usual, VS 2012 is giving me the security warning: "You should only open projects from a trustworthy source" ... "ask me for every project in this solution"
If I press OK,…
makerofthings7 (50,090 rep, badges 54/250/536)
5 votes, 1 answer
Compiling with GCC retpoline flags
As of version 8 (later backported to 7.3), GCC has added retpoline support [0]. While I understand that it is intended [citation needed] for use in kernel patching for Spectre (i.e. [1][2]), that does not prevent normal developers from using those…
esote (371 rep, badges 2/12)
5 votes, 1 answer
How does GCC's -mmitigate-rop work?
GCC 6 has a flag, -mmitigate-rop, which compiles binaries in a way that reduces the number of gadgets exploitable by ROP. The GCC documentation explaining this feature is minimal:
-mmitigate-rop
Try to avoid generating code sequences that contain…
forest (64,616 rep, badges 20/206/257)
5 votes, 4 answers
Should I compile as root?
When I am compiling software for local installation, what factors should I take into consideration when deciding whether to compile as root or to compile under my regular user account?
./configure
make
sudo make install
or
sudo…
joeytwiddle (303 rep, badges 3/10)
4 votes, 2 answers
Are compiler options relevant to C# security? If so, which options?
It is normal to list some extra-secure compiler options to prevent attacks on C and C++. However, I have not found any similar recommendations for C#. Are compiler options simply not relevant to C# security? Or, are there some options which might…
MrSynAckSter (2,020 rep, badges 10/16)
3 votes, 1 answer
Code optimization and security?
My background is in compilers/code optimization, and I'm wondering whether there might be any interesting applications of extremely aggressive runtime code specialization towards improving security applications. So: suppose we have a JIT compiler…
debray (133 rep, badges 2)
3 votes, 1 answer
How is compiling a program from source more secure?
When downloading compiled binaries for programs it is very important to check GPG signatures, Authenticode, hashes, etc.
However, I often see people who say that compiling the code from source is the most secure way.
If they have read and understood…
rubberband876 (173 rep, badges 5)
3 votes, 2 answers
Are .NET project GUIDs visible when compiling?
I know that if a person has a GUID from a machine, that person can figure out whether another GUID belongs to that machine.
In a .NET project (csproj and the Visual Studio solution file) GUIDs are generated. If I were to compile this project, would the GUIDs be…
user5575
2 votes, 0 answers
Does the Java version matter when compiling an Android, Amazon, or Blackberry app? (for security reasons)
I need to compile an app that will run on an Android, or Android compatible system (Android, Amazon Fire, or Blackberry).
The developer documentation says that JDK 7 is needed; however, there are incremental U updates available from Sun.
Does it…
makerofthings7 (50,090 rep, badges 54/250/536)
2 votes, 1 answer
How do I compare the safety of a compiled program with optimization flag?
I would like to know how I can know which is the safest compilation line, that is:
Having several compilation lines in, for example, GCC, how do I know which one is more secure? Hardening would be a good solution? What do you recommend?
Does the…
sgio (21 rep, badges 3)
2 votes, 1 answer
Does recompiling a binary from source code make it more secure/obscure?
Using standard hardening options like PIC, Stack Protection ...
does a mere recompilation make a program more secure against attacks?
You have the source code of a program, compile it two times with the same options. One of the binaries you give…
plsrespond (21 rep, badges 2)