Enhanced Compiler Flags for Building Chainguard’s Guarded Images

Justin Vreeland, Staff Engineer

We’re excited to announce that Chainguard Images are now built using enhanced compiler flags for C/C++ projects, strengthening the foundations of Chainguard’s secure-by-default build systems. By applying the OpenSSF-recommended compiler flags to C/C++ sources in Wolfi, Chainguard mitigates many of the common memory safety issues that attackers exploit to run malicious code against your applications. These security and memory safety issues typically go undetected with out-of-the-box compiler flags, both because there is no standard default set of hardening options and because of the intrinsic nature of memory-unsafe languages.


With Chainguard, engineering and security teams can leverage a threat-resistant foundation to build better software while hardening their applications against common C/C++ vulnerabilities and unsafe memory usage. 


In this blog, we investigate the historical challenges of C/C++ applications and how Chainguard mitigates these risks.


Standard Compiler Flag Challenges


Historically, C/C++ applications have been highly susceptible to memory safety issues such as stack-based buffer overflows and heap corruption, largely due to the design of these languages. Memory safety bugs, including buffer overflows, null pointer dereferences, and use-after-free errors, can have security, reliability, or performance implications.


Additionally, as a direct result of memory safety challenges, engineering and security teams are not able to effectively identify related vulnerabilities, resulting in greater risk exposure. For example, from the OpenSSF hardening guide, “a run-time attack that exploits unmitigated memory vulnerabilities can be leveraged by threat actors as the initial attack vectors that allow them to gain a presence on a system, e.g., by injecting malicious code into running programs.” Even if there isn’t a vulnerability to exploit, these issues can cause unintended runtime exceptions or behavior. In the worst case, these software weaknesses can result in significant issues like attackers running malicious code in your application.


Chainguard’s Solution: Enhanced Compiler Flags


Chainguard’s solution: implement the OpenSSF compiler hardening flags. All of our C/C++ packages are now hardened using clang config files and gcc spec files. Flags such as -fstack-protector-strong and -fcf-protection=full mitigate stack-based buffer overflow vulnerabilities, which attackers can otherwise exploit to run malicious code, and -D_FORTIFY_SOURCE=3 further safeguards against unsafe memory usage by adding bounds checks to common libc calls. Because the flags are added directly to the compiler invocations, Chainguard does not need to rely on environment variables such as CFLAGS or patch upstream build instructions. This work further secures Wolfi above and beyond other traditional Linux distributions. You can check out the rest of the flags in the OpenSSF Compiler Hardening Guide.
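To make the mechanism concrete, here is an added example (not Wolfi’s or Chainguard’s own build files) that carries the flags named above in a clang config file and a gcc spec file, builds a small constructed program with whichever compiler is installed, and checks that an out-of-bounds copy is stopped at runtime. The file names, the sample program, and the x86_64-only handling of -fcf-protection are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Chainguard's/Wolfi's build files): the post's OpenSSF flags carried in a
# clang config file and a gcc spec file, so builds get them with no CFLAGS or upstream patches.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CC="${CC:-cc}"
# -fcf-protection (CET) is x86-only; the OpenSSF guide lists it for x86_64 targets.
case "$(uname -m)" in x86_64) CET=-fcf-protection=full ;; *) CET= ;; esac
# clang: options in a file passed with --config, whitespace-separated, '#' comments.
cat > "$WORK/hardened.cfg" <<EOF
-O2 -D_FORTIFY_SOURCE=3
-fstack-protector-strong -fstack-clash-protection $CET
-Wl,-z,relro -Wl,-z,now
EOF
# gcc: a spec file passed with -specs=; a leading '+' appends to the built-in spec string.
cat > "$WORK/hardened.specs" <<EOF
*cc1_options:
+ -O2 -D_FORTIFY_SOURCE=3 -fstack-protector-strong -fstack-clash-protection $CET

*link:
+ -z relro -z now
EOF
# Constructed sample program: an unbounded copy into a fixed-size stack buffer.
cat > "$WORK/copy.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[16];
    const char *src = argc > 1 ? argv[1] : "";
    memcpy(buf, src, strlen(src) + 1); /* fortified to __memcpy_chk by _FORTIFY_SOURCE */
    puts(buf);
    return 0;
}
EOF
build() {  # $1 = output path; use the mechanism that matches the installed compiler
    if "$CC" --version 2>/dev/null | grep -qi clang; then
        "$CC" --config "$WORK/hardened.cfg" "$WORK/copy.c" -o "$1"
    else
        "$CC" -specs="$WORK/hardened.specs" "$WORK/copy.c" -o "$1"
    fi
}
# In-bounds input must still work; oversized input must be stopped by __memcpy_chk
# (or by the -fstack-protector-strong canary where no fortified libc call exists).
check_hardened() {
    build "$WORK/copy" || return 1
    [ "$("$WORK/copy" hello)" = hello ] || return 1
    if "$WORK/copy" "$(printf '%080d' 0)" >/dev/null 2>&1; then return 1; fi
}
command -v "$CC" >/dev/null 2>&1 || { echo "no C compiler found, skipping"; exit 0; }
check_hardened && echo "hardening flags applied and effective"
```

The same check is worth keeping in a package's test stage: a hardened binary should still pass its normal tests and should abort, rather than silently corrupt memory, on the oversized input.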


We are extremely grateful that Chainguard’s concerns around C/C++ toolchains are shared by the broader industry. We rely heavily on OpenSSF-provided guidance and justification for which compiler options can be used for hardening. And as we've mentioned previously, Chainguard is a member of OpenSSF, and we're excited by the standards the OpenSSF is setting for securing supply chains. It’s a big reason why Chainguard is excited to announce that we’ve implemented OpenSSF's Compiler Options Hardening Guidelines for all relevant packages.


Chainguard Images: Enhanced Compiler Flags for Safer Builds


On our mission to build Chainguard into the safe source for open source, we will make it easier to build better software by default. That means accounting for memory safety issues and remediating vulnerabilities across all the toolchains we rely on. By enabling enhanced compiler flags for C/C++ sources in Wolfi, we further harden the foundation of our secure-by-design distribution. And since Chainguard continuously rebuilds images from source, our implementation adds extra reinforcement to the safety of the guarded, minimal container images that we deliver to our customers. 


Contact us to get started with our catalog of guarded container images!
