Binary Hardening

Purpose

Guide agents through enabling and verifying binary security mitigations: checksec analysis, compiler and linker hardening flags (RELRO, PIE, stack canaries, FORTIFY_SOURCE, CFI), hardware shadow stack, and seccomp-bpf syscall filtering for defense-in-depth.

Triggers

• "How do I harden my binary against exploits?"

• "How do I check what security mitigations my binary has?"

• "What does checksec output mean?"

• "How do I enable RELRO, PIE, and stack canaries?"

• "How do I use seccomp to restrict syscalls?"

• "How do I enable CFI (control flow integrity)?"

Workflow

1. Analyze existing binary with checksec

Install checksec

pip install checksec.py # or: apt install checksec

Check a binary

checksec --file=./mybinary checksec --file=/usr/bin/ssh

Output example

RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE

Full RELRO Canary found NX PIE No RPATH No RUNPATH No Symbols Yes 6 10 ./mybinary

Check all binaries in a directory

checksec --dir=/usr/bin

Protection Good value Concern

RELRO Full RELRO Partial / No RELRO

Stack Canary Canary found No canary

NX NX enabled NX disabled

PIE PIE enabled No PIE

FORTIFY Yes No

2. Hardening compiler and linker flags

Full hardened build (GCC or Clang)

CFLAGS="-O2 -pipe
-fstack-protector-strong
-fstack-clash-protection
-fcf-protection
-D_FORTIFY_SOURCE=3
-D_GLIBCXX_ASSERTIONS
-fPIE
-Wformat -Wformat-security -Werror=format-security"

LDFLAGS="-pie
-Wl,-z,relro
-Wl,-z,now
-Wl,-z,noexecstack
-Wl,-z,separate-code"

gcc ${CFLAGS} -o prog main.c ${LDFLAGS}

Flag reference:

Flag Protection Notes

-fstack-protector-strong

Stack canary Stronger than -fstack-protector

-fstack-clash-protection

Stack clash Prevents huge stack allocations

-fcf-protection

Intel CET (IBT+SHSTK) x86 hardware CFI (kernel+CPU required)

-D_FORTIFY_SOURCE=2

Buffer overflow checks Adds bounds checks to string/mem functions

-D_FORTIFY_SOURCE=3

Enhanced FORTIFY GCC ≥12, Clang ≥12

-fPIE

• -pie

PIE/ASLR Position independent executable

-Wl,-z,relro

Partial RELRO Makes GOT read-only before main

-Wl,-z,now

Full RELRO Resolves all PLT at startup → GOT fully RO

-Wl,-z,noexecstack

NX stack Marks stack non-executable

3. Control Flow Integrity (CFI)

Clang's CFI prevents calling virtual functions through wrong types (vtable CFI) and indirect calls to mismatched functions:

Clang CFI — requires LTO and visibility

clang -fsanitize=cfi -fvisibility=hidden -flto
-O2 -fPIE -pie main.cpp -o prog

Specific CFI checks

clang -fsanitize=cfi-vcall # virtual call type check clang -fsanitize=cfi-icall # indirect call type check clang -fsanitize=cfi-derived-cast # derived-to-base cast clang -fsanitize=cfi-unrelated-cast # unrelated type cast

Cross-DSO CFI (across shared libraries — more complex)

clang -fsanitize=cfi -fsanitize-cfi-cross-dso -flto -fPIC -shared

Microsoft CFG (Windows equivalent)

cl /guard:cf prog.c link /guard:cf prog.obj

4. Stack canaries in depth

GCC canary options

-fno-stack-protector # disabled -fstack-protector # protect functions with alloca or buffers > 8 bytes -fstack-protector-strong # protect functions with local arrays/addresses taken -fstack-protector-all # protect all functions (slowest, most complete)

Verify canary presence

objdump -d prog | grep -A5 "__stack_chk" readelf -s prog | grep "stack_chk"

5. FORTIFY_SOURCE

FORTIFY_SOURCE wraps unsafe libc functions (memcpy, strcpy, sprintf) with bounds-checked versions when the buffer size can be determined at compile time:

Level 2 (GCC/Clang default for hardened builds)

-D_FORTIFY_SOURCE=2

Runtime check: abort() on overflow

Level 3 (GCC ≥12, catches more cases)

-D_FORTIFY_SOURCE=3

Adds dynamic buffer size tracking for more coverage

Check FORTIFY coverage

objdump -d prog | grep "__.*_chk" # fortified variants checksec --file=prog | grep FORTIFY

6. seccomp-bpf syscall filtering

#include <seccomp.h>

void apply_seccomp_filter(void) { scmp_filter_ctx ctx;

// Default: kill process on any non-allowlisted syscall
ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);

// Allowlist needed syscalls
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);

// Apply filter (irreversible after this point)
seccomp_load(ctx);
seccomp_release(ctx);

}

// Call early in main(), after all setup int main(void) { // ... initialization ... apply_seccomp_filter(); // ... restricted operation ... }

Test seccomp filter with strace

strace -e trace=all ./prog 2>&1 | grep "killed by SIGSYS"

Profile syscalls to build allowlist

strace -c ./prog # count all syscalls used

7. Shadow stack (Intel CET / Hardware SHSTK)

Enable on supported x86 hardware (Intel Tiger Lake+, kernel ≥6.6)

-fcf-protection=full enables both IBT and SHSTK

clang -fcf-protection=full -O2 -o prog main.c

Check CET support in binary

readelf -n prog | grep "NT_GNU_PROPERTY" objdump -d prog | grep "endbr64" # IBT end-branch instructions

Kernel support

cat /proc/cpuinfo | grep shstk # CPU support

For the full hardening flags reference, see references/hardening-flags.md.

Related skills

• Use skills/runtimes/sanitizers for ASan/UBSan during development

• Use skills/observability/ebpf for seccomp-bpf program writing with libbpf

• Use skills/rust/rust-security for Rust's memory-safety hardening approach

• Use skills/binaries/elf-inspection to verify mitigations in ELF binaries