| name | binary-hardening |
| description | Binary hardening skill for security-hardened C/C++ builds. Use when enabling RELRO, PIE, stack canaries, FORTIFY_SOURCE, CFI sanitizers, shadow stack, or seccomp-bpf syscall filtering. Covers checksec analysis, compiler and linker flags for hardened builds, and NSA/CISA-recommended mitigations. Activates on queries about binary hardening, checksec, RELRO, PIE, stack canaries, FORTIFY_SOURCE, CFI, shadow stack, or seccomp. |
Binary Hardening
Purpose
Guide agents through enabling and verifying binary security mitigations: checksec analysis, compiler and linker hardening flags (RELRO, PIE, stack canaries, FORTIFY_SOURCE, CFI), hardware shadow stack, and seccomp-bpf syscall filtering for defense-in-depth.
Triggers
- "How do I harden my binary against exploits?"
- "How do I check what security mitigations my binary has?"
- "What does checksec output mean?"
- "How do I enable RELRO, PIE, and stack canaries?"
- "How do I use seccomp to restrict syscalls?"
- "How do I enable CFI (control flow integrity)?"
Workflow
1. Analyze existing binary with checksec
pip install checksec.py
checksec --file=./mybinary
checksec --file=/usr/bin/ssh
checksec --dir=/usr/bin
| Protection | Good value | Concern |
|---|
| RELRO | Full RELRO | Partial / No RELRO |
| Stack Canary | Canary found | No canary |
| NX | NX enabled | NX disabled |
| PIE | PIE enabled | No PIE |
| FORTIFY | Yes | No |
2. Hardening compiler and linker flags
CFLAGS="-O2 -pipe \
-fstack-protector-strong \
-fstack-clash-protection \
-fcf-protection \
-D_FORTIFY_SOURCE=3 \
-D_GLIBCXX_ASSERTIONS \
-fPIE \
-Wformat -Wformat-security -Werror=format-security"
LDFLAGS="-pie \
-Wl,-z,relro \
-Wl,-z,now \
-Wl,-z,noexecstack \
-Wl,-z,separate-code"
gcc ${CFLAGS} -o prog main.c ${LDFLAGS}
Flag reference:
| Flag | Protection | Notes |
|---|
-fstack-protector-strong | Stack canary | Stronger than -fstack-protector |
-fstack-clash-protection | Stack clash | Prevents huge stack allocations |
-fcf-protection | Intel CET (IBT+SHSTK) | x86 hardware CFI (kernel+CPU required) |
-D_FORTIFY_SOURCE=2 | Buffer overflow checks | Adds bounds checks to string/mem functions |
-D_FORTIFY_SOURCE=3 | Enhanced FORTIFY | GCC ≥12, Clang ≥12 |
-fPIE + -pie | PIE/ASLR | Position independent executable |
-Wl,-z,relro | Partial RELRO | Makes GOT read-only before main |
-Wl,-z,now | Full RELRO | Resolves all PLT at startup → GOT fully RO |
-Wl,-z,noexecstack | NX stack | Marks stack non-executable |
3. Control Flow Integrity (CFI)
Clang's CFI prevents calling virtual functions through wrong types (vtable CFI) and indirect calls to mismatched functions:
clang -fsanitize=cfi -fvisibility=hidden -flto \
-O2 -fPIE -pie main.cpp -o prog
clang -fsanitize=cfi-vcall
clang -fsanitize=cfi-icall
clang -fsanitize=cfi-derived-cast
clang -fsanitize=cfi-unrelated-cast
clang -fsanitize=cfi -fsanitize-cfi-cross-dso -flto -fPIC -shared
cl /guard:cf prog.c
link /guard:cf prog.obj
4. Stack canaries in depth
-fno-stack-protector
-fstack-protector
-fstack-protector-strong
-fstack-protector-all
objdump -d prog | grep -A5 "__stack_chk"
readelf -s prog | grep "stack_chk"
5. FORTIFY_SOURCE
FORTIFY_SOURCE wraps unsafe libc functions (memcpy, strcpy, sprintf) with bounds-checked versions when the buffer size can be determined at compile time:
-D_FORTIFY_SOURCE=2
-D_FORTIFY_SOURCE=3
objdump -d prog | grep "__.*_chk"
checksec --file=prog | grep FORTIFY
6. seccomp-bpf syscall filtering
#include <seccomp.h>
void apply_seccomp_filter(void) {
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
seccomp_load(ctx);
seccomp_release(ctx);
}
int main(void) {
apply_seccomp_filter();
}
strace -e trace=all ./prog 2>&1 | grep "killed by SIGSYS"
strace -c ./prog
7. Shadow stack (Intel CET / Hardware SHSTK)
clang -fcf-protection=full -O2 -o prog main.c
readelf -n prog | grep "NT_GNU_PROPERTY"
objdump -d prog | grep "endbr64"
cat /proc/cpuinfo | grep shstk
For the full hardening flags reference, see references/hardening-flags.md.
Related skills
- Use
skills/runtimes/sanitizers for ASan/UBSan during development
- Use
skills/observability/ebpf for seccomp-bpf program writing with libbpf
- Use
skills/rust/rust-security for Rust's memory-safety hardening approach
- Use
skills/binaries/elf-inspection to verify mitigations in ELF binaries