Skip to content

Instantly share code, notes, and snippets.

@hed0rah
Created June 28, 2026 22:44
Show Gist options
  • Select an option

  • Save hed0rah/66b8de57b6e1dea715e346f778d025d4 to your computer and use it in GitHub Desktop.

Select an option

Save hed0rah/66b8de57b6e1dea715e346f778d025d4 to your computer and use it in GitHub Desktop.
GCC security related flags reference (2026 edition)

GCC / Linux Security Flags Reference (2026)

My old fossilized reference can still be found at https://gist.github.com/hed0rah/f5c976fdc602688a0fd40288fde6d886

Modern GCC hardening reference for production builds and security testing.


Production hardening (GCC 14+)

CFLAGS="-fhardened -O2"
LDFLAGS=""

-fhardened is a bundled hardening profile intended for production use.

Typically enables:

  • -fstack-protector-strong
  • -fstack-clash-protection
  • -fcf-protection=full (x86 systems)
  • -D_FORTIFY_SOURCE=3 (falls back if required by libc)
  • -D_GLIBCXX_ASSERTIONS
  • -fPIE -pie

Notes:

  • Exact contents can vary by GCC version and target architecture.
  • Intended for GNU/Linux targets.
  • Preferred over manually assembling flag sets when available.

Manual hardening (if not using -fhardened)

CFLAGS="-O2 \
-fPIE \
-fstack-protector-strong \
-fstack-clash-protection \
-D_FORTIFY_SOURCE=3"

LDFLAGS="-pie -Wl,-z,relro,-z,now"

Memory corruption mitigations

-fstack-protector-strong

Adds stack canaries to functions considered likely attack targets:

  • Local arrays
  • Address-taken variables
  • alloca() use

Recommended balance between protection and overhead.


-fstack-protector-all

Protect every function regardless of risk profile.

Useful when policy requires complete coverage, but usually unnecessary.


-Wstack-protector

Warn if functions are not protected.


-fstack-clash-protection

Protect against stack-clash attacks where large stack growth skips over guard pages.

Low overhead and commonly enabled.


-fcf-protection=full

Enable Intel CET support where available:

  • IBT — Indirect Branch Tracking
  • SHSTK — Shadow Stack

Requirements:

  • Supported CPU
  • Kernel support
  • Userspace support

-D_FORTIFY_SOURCE=3

Adds compile-time and runtime validation for common libc functions:

Examples:

  • memcpy()
  • strcpy()
  • snprintf()
  • printf()

Requirements:

-O1

or higher optimization.

Version 3 expands coverage beyond older =2 behavior.


-Wl,-z,relro,-z,now

Enables Full RELRO

Effects:

  • Resolves symbols at startup
  • Makes relocation structures read-only
  • Prevents many GOT overwrite attacks

Position independence / ASLR

-fPIE -pie

Produces position-independent executables.

Required for executable ASLR.


Warning flags / build hygiene

These improve code quality and bug detection but are not direct exploit mitigations.

Basic warnings

-Wall -Wextra

Enables broad sets of useful warnings.

Important: -Wall does not mean "all warnings."


Conversion warnings

-Wconversion
-Wsign-conversion

Warn on implicit conversions that may lose information.


Format checking

-Wformat
-Wformat-security

Detect potentially dangerous printf() patterns.


Variable shadowing

-Wshadow

Detect accidental variable hiding.


Fail builds on warnings

-Werror

Treat warnings as errors.

Useful in CI and for preventing warning regressions.


Integer overflow handling

-ftrapv

Traps signed integer overflow.

May introduce substantial overhead because GCC can emit helper function calls.


Preferred for development

-fsanitize=signed-integer-overflow
-fsanitize-undefined-trap-on-error

Usually emits efficient inline overflow checks.


Sanitizers (development/testing only)

Do not typically enable these in production builds.

AddressSanitizer (ASan)

-fsanitize=address

Detects:

  • Heap overflows
  • Stack overflows
  • Use-after-free
  • Use-after-return
  • Double free

Typical cost:

  • ~2× memory
  • ~1.5–3× runtime

UndefinedBehaviorSanitizer (UBSan)

-fsanitize=undefined

Detects:

  • Signed overflow
  • Invalid shifts
  • Alignment violations
  • Null dereferences
  • Various undefined behavior

Can log or trap depending on configuration.


ThreadSanitizer (TSan)

-fsanitize=thread

Detects:

  • Data races

Typical cost:

  • ~5–15× runtime

Notes:

  • Cannot be combined with ASan

LeakSanitizer (LSan)

-fsanitize=leak

Detects:

  • Memory leaks

Often integrated automatically with ASan on Linux.


Optional performance/security tweaks

-fno-plt

Avoid Procedure Linkage Table stubs for external calls.

Effects:

  • Small performance gain
  • Slightly reduced attack surface

-D_GLIBCXX_ASSERTIONS

Enable additional runtime checks for:

  • STL containers
  • Iterators
  • Bounds-related issues

Low overhead and commonly worthwhile.


Suggested profiles

Production (modern GCC)

CFLAGS="-O2 -fhardened"
LDFLAGS=""

Production (manual)

CFLAGS="-O2 \
-fPIE \
-fstack-protector-strong \
-fstack-clash-protection \
-D_FORTIFY_SOURCE=3"

LDFLAGS="-pie -Wl,-z,relro,-z,now"

Debug / security testing

CFLAGS="-O1 -g \
-fsanitize=address \
-fsanitize=undefined"

LDFLAGS="-fsanitize=address \
-fsanitize=undefined"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment