Brussels / 3 & 4 February 2024


Compiler Options Hardening for C and C++

C and C++ are consistently the preferred languages for systems programming, embedded systems, and various performance-critical applications. C and C++ are also susceptible to various defects, such as memory-safety issues, that account for a significant portion of security vulnerabilities in C and C++ software. Addressing the memory-safety challenge has recently received new focus as leading cybersecurity organizations from various countries have collectively emphasized the significant risks posed by memory-safety issues.

With the ubiquitous use of C and C++ in the embedded device, industrial controls, and IoT space, the chances of removing and replacing C and C++ are virtually nil. Making software more memory-safe will require a series of techniques that gradually improve the quality and security of the code:

  • migration to memory-safe alternatives, such as Rust, especially for critical software
  • easier-to-use tooling for debugging, diagnostics and application security testing
  • proactive vulnerability mitigation and prevention in software through the use of compiler-based binary hardening mechanisms

In November 2023, the Open Source Security Foundation (OpenSSF) published the Compiler Options Hardening Guide for C and C++, which focuses on helping developers make informed choices about compiler options that harden their software against prevalent software defects. Compiler flags are powerful tools that can significantly enhance the security of C and C++ code without requiring expensive refactoring or rewriting in newer, more memory-safe languages. Many such compiler features are also useful for discovering memory-safety issues during debugging and testing.

In this talk, Thomas will give an introduction to the OpenSSF Compiler Options Hardening Guide for C and C++. He will talk about how the guide came into existence in the OpenSSF, its current structure and future extensions. In particular, the talk aims to invite feedback and call for collaboration.


Thomas Nyman