Binary Hardening

Purpose

Guide agents through enabling and verifying binary security mitigations: checksec analysis, compiler and linker hardening flags (RELRO, PIE, stack canaries, FORTIFY_SOURCE, CFI), hardware shadow stack, and seccomp-bpf syscall filtering for defense-in-depth.

Triggers

• "How do I harden my binary against exploits?"
• "How do I check what security mitigations my binary has?"
• "What does checksec output mean?"
• "How do I enable RELRO, PIE, and stack canaries?"
• "How do I use seccomp to restrict syscalls?"
• "How do I enable CFI (control flow integrity)?"

Workflow

1. Analyze existing binary with checksec

# Install checksec
pip install checksec.py   # or: apt install checksec

# Check a binary
checksec --file=./mybinary
checksec --file=/usr/bin/ssh

# Output example
# RELRO          STACK CANARY   NX    PIE    RPATH  RUNPATH  Symbols  FORTIFY  Fortified  Fortifiable  FILE
# Full RELRO     Canary found   NX    PIE    No RPATH  No RUNPATH  No Symbols  Yes   6   10   ./mybinary

# Check all binaries in a directory
checksec --dir=/usr/bin

Protection	Good value	Concern
RELRO	Full RELRO	Partial / No RELRO
Stack Canary	Canary found	No canary
NX	NX enabled	NX disabled
PIE	PIE enabled	No PIE
FORTIFY	Yes	No

2. Hardening compiler and linker flags

# Full hardened build (GCC or Clang)
CFLAGS="-O2 -pipe \
  -fstack-protector-strong \
  -fstack-clash-protection \
  -fcf-protection \
  -D_FORTIFY_SOURCE=3 \
  -D_GLIBCXX_ASSERTIONS \
  -fPIE \
  -Wformat -Wformat-security -Werror=format-security"

LDFLAGS="-pie \
  -Wl,-z,relro \
  -Wl,-z,now \
  -Wl,-z,noexecstack \
  -Wl,-z,separate-code"

gcc ${CFLAGS} -o prog main.c ${LDFLAGS}

Flag reference:

Flag	Protection	Notes
-fstack-protector-strong	Stack canary	Stronger than -fstack-protector
-fstack-clash-protection	Stack clash	Prevents huge stack allocations
-fcf-protection	Intel CET (IBT+SHSTK)	x86 hardware CFI (kernel+CPU required)
-D_FORTIFY_SOURCE=2	Buffer overflow checks	Adds bounds checks to string/mem functions
-D_FORTIFY_SOURCE=3	Enhanced FORTIFY	GCC ≥12, Clang ≥12
-fPIE + -pie	PIE/ASLR	Position independent executable
-Wl,-z,relro	Partial RELRO	Makes GOT read-only before main
-Wl,-z,now	Full RELRO	Resolves all PLT at startup → GOT fully RO
-Wl,-z,noexecstack	NX stack	Marks stack non-executable

3. Control Flow Integrity (CFI)

Clang's CFI prevents calling virtual functions through wrong types (vtable CFI) and indirect calls to mismatched functions:

# Clang CFI — requires LTO and visibility
clang -fsanitize=cfi -fvisibility=hidden -flto \
      -O2 -fPIE -pie main.cpp -o prog

# Specific CFI checks
clang -fsanitize=cfi-vcall          # virtual call type check
clang -fsanitize=cfi-icall          # indirect call type check
clang -fsanitize=cfi-derived-cast   # derived-to-base cast
clang -fsanitize=cfi-unrelated-cast # unrelated type cast

# Cross-DSO CFI (across shared libraries — more complex)
clang -fsanitize=cfi -fsanitize-cfi-cross-dso -flto -fPIC -shared

# Microsoft CFG (Windows equivalent)
cl /guard:cf prog.c
link /guard:cf prog.obj

4. Stack canaries in depth

# GCC canary options
-fno-stack-protector       # disabled
-fstack-protector          # protect functions with alloca or buffers > 8 bytes
-fstack-protector-strong   # protect functions with local arrays/addresses taken
-fstack-protector-all      # protect all functions (slowest, most complete)

# Verify canary presence
objdump -d prog | grep -A5 "__stack_chk"
readelf -s prog | grep "stack_chk"

5. FORTIFY_SOURCE

FORTIFY_SOURCE wraps unsafe libc functions (memcpy, strcpy, sprintf) with bounds-checked versions when the buffer size can be determined at compile time:

# Level 2 (GCC/Clang default for hardened builds)
-D_FORTIFY_SOURCE=2
# Runtime check: abort() on overflow

# Level 3 (GCC ≥12, catches more cases)
-D_FORTIFY_SOURCE=3
# Adds dynamic buffer size tracking for more coverage

# Check FORTIFY coverage
objdump -d prog | grep "__.*_chk"     # fortified variants
checksec --file=prog | grep FORTIFY

6. seccomp-bpf syscall filtering

#include <seccomp.h>

void apply_seccomp_filter(void) {
    scmp_filter_ctx ctx;

    // Default: kill process on any non-allowlisted syscall
    ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);

    // Allowlist needed syscalls
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);

    // Apply filter (irreversible after this point)
    seccomp_load(ctx);
    seccomp_release(ctx);
}

// Call early in main(), after all setup
int main(void) {
    // ... initialization ...
    apply_seccomp_filter();
    // ... restricted operation ...
}

# Test seccomp filter with strace
strace -e trace=all ./prog 2>&1 | grep "killed by SIGSYS"

# Profile syscalls to build allowlist
strace -c ./prog    # count all syscalls used

7. Shadow stack (Intel CET / Hardware SHSTK)

# Enable on supported x86 hardware (Intel Tiger Lake+, kernel ≥6.6)
# -fcf-protection=full enables both IBT and SHSTK
clang -fcf-protection=full -O2 -o prog main.c

# Check CET support in binary
readelf -n prog | grep "NT_GNU_PROPERTY"
objdump -d prog | grep "endbr64"   # IBT end-branch instructions

# Kernel support
cat /proc/cpuinfo | grep shstk     # CPU support

For the full hardening flags reference, see references/hardening-flags.md.

Related skills

• Use skills/runtimes/sanitizers for ASan/UBSan during development
• Use skills/observability/ebpf for seccomp-bpf program writing with libbpf
• Use skills/rust/rust-security for Rust's memory-safety hardening approach
• Use skills/binaries/elf-inspection to verify mitigations in ELF binaries