Minimus images are built for security. One of the ways Minimus increases security is by compiling its packages using stricter compiler flags that fail builds that don’t adhere to the necessary requirements. Hardening compiler flags help to ensure the packages are better protected against common memory safety issues.

Many Minimus images are built using C/C++ components such as GCC (GNU Compiler Collection) and Clang. The hardening compiler flags ensure that apps built with Minimus images produce the most secure binaries (executables) and protect against potential attacks from memory-unsafe code.

See the OpenSSF guide for an extended discussion and in-depth reasoning about the recommended compiler flags for C/C++ sources.

Understanding the risk

Many common packages written in the C and C++ programming languages are prone to memory safety errors, including stack-based buffer overflow, heap corruption, dereferencing a null pointer, and use-after-free errors.

Memory errors are known to be a leading source for vulnerabilities. An OpenSSF report found that 70% of vulnerabilities identified by the Chrome and Microsoft teams were attributed to memory safety failures. If exploited, memory errors can allow threat actors to gain unauthorized access through runtime attacks. Hardening compiler flags are enabled in order to protect packages from such vulnerabilities and increase the overall protection of Minimus images.

Summary of OpenSSF recommendations

  • OpenSSF recommends that certain flags are always turned on to detect vulnerabilities at compile time and enable runtime protection mechanisms. For example:-Wall -Wformat
    -fstack-clash-protection -fstack-protector-strong -Wl. For the full list, refer to the OpenSSF guide.
  • The flag -fhardened is used for GCC v14.0.0 or newer to enable a pre-determined set of hardening options in GCC.
  • Production code should specifically be protected by certain flags, including: -fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -ftrivial-auto-var-init=zero.
  • To protect against obsolete C constructs, the following flags are used:-Werror=implicit -Werror=incompatible-pointer-types -Werror=int-conversion.
  • OpenSSF also lists several scenario dependent flags that should be enabled as relevant. Minimus implements these flags as applicable. For example, the flag fcf-protection=full is used for x86_64 builds and -mbranch-protection=standard is used for amd64.

Deeper look into specific examples

Following are a few examples of flags recommended by OpenSSF and the reasoning for enabling them:

  • Minimus uses the compiler flags -fstack-protector-strong and -fcf-protection=full flagsto mitigate against stack-based buffer overflow vulnerabilities and prevent attackers from running malicious code.
  • The flag -D_FORTIFY_SOURCE=3 is used to protect against unsafe memory usage.
  • The flag -fstack-clash-protection enables runtime checks for variable-size stack allocation validity to prevent stack clash attacks and stack pointer manipulation, where attackers overwrite adjacent memory regions such as the heap, memory-mapped files, or guard pages.
  • The flags -fstack-protector-strong, -fstack-protector-all, and -fstack-protector --param=ssp-buffer-size=<n> enable runtime checks for stack-based buffer overflows. These flags mitigate stack smashing attacks and potential control-flow hijacking attacks that may lead to arbitrary code execution.

What this means for the security of apps built with Minimus images

All images offered by Minimus are built using the most stringent compiler flags to ensure that the internal packages are hardened and secure.