Week 2:
Week 2 CPython Compiler Options Hardening:
Generated pyperformance benchmarks for the current CPython baseline and for the minimum set of compiler options we are going to implement, which was suggested by OpenSSF. Right now the minimum set of compiler options is:
CFLAGS="-O2 -Wall -Wformat=2 -Wconversion -Wimplicit-fallthrough -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -fstack-clash-protection -fstack-protector-strong -fcf-protection=full -fdiagnostics-format=json"
LDFLAGS="-Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now"
We can see in general that performance is slightly worse when the compiler options are applied (see benchmark tag vs geometric mean table)
Analysis of the warnings shows that it is going to be a very manual process stepping through them to determine if there are legit security concerns. By randomly sampling some of the warnings and investigating them, I have only come across warnings that can be ignored. There are many duplicate warnings that show up while compiling. There are about 3.5k unique warnings after removing duplicates (see warning type vs. count table).
I did spend a good amount of time looking into individual warnings to better understand the CPython codebase and the state of the warnings. There are a few I mentioned in some of my notes from the week which can be viewed here https://s3.amazonaws.com/nohlson.com/week2ntoes.pdf
Next up I am going to apply additional options that I think are going to be helpful, do an analysis of warnings, and take pyperformance benchmarks and automate the whole thing so that I can put together a report so that by the end of the week we might be able to have a set of options we want to implement currently, and the tooling can be implemented to keep track of new warnings.
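The deduplication and per-type warning count described above can be produced directly from GCC's -fdiagnostics-format=json output. The script below is an added example, not the author's tooling; the sample diagnostics, file paths and function names are constructed for illustration.

```python
import json
from collections import Counter

def _diag(path, line, col, option, msg):
    # Minimal shape of one GCC JSON diagnostic (only the fields this script reads).
    return {"kind": "warning", "option": option, "message": msg,
            "locations": [{"caret": {"file": path, "line": line, "column": col}}]}

# Constructed sample: stderr of two compiler invocations. The header warning
# repeats because the same header is compiled into both translation units.
_HDR = _diag("Include/example.h", 10, 5, "-Wconversion",
             "conversion from 'long int' to 'int' may change value")
SAMPLE_STDERR = "\n".join([
    json.dumps([_HDR, _diag("Objects/a.c", 42, 9, "-Wimplicit-fallthrough=",
                            "this statement may fall through")]),
    "gcc -c Objects/b.c  (non-JSON build output, skipped)",
    json.dumps([_HDR, _diag("Objects/b.c", 7, 3, "-Wconversion",
                            "conversion from 'size_t' to 'int' may change value")]),
])

def iter_warnings(stderr_text):
    """Yield warning diagnostics; GCC prints one JSON array per invocation."""
    for line in stderr_text.splitlines():
        if not line.lstrip().startswith("["):
            continue
        try:
            diags = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a build message that happens to start with '['
        for d in diags:
            if isinstance(d, dict) and d.get("kind") == "warning":
                yield d

def warning_key(diag):
    """Identity of a warning: caret location + option + message."""
    caret = (diag.get("locations") or [{}])[0].get("caret", {})
    return (caret.get("file"), caret.get("line"), caret.get("column"),
            diag.get("option"), diag.get("message"))

def summarize(stderr_text):
    """Return (unique warning count, Counter of unique warnings per option)."""
    unique = {warning_key(d) for d in iter_warnings(stderr_text)}
    return len(unique), Counter(k[3] or "(no option)" for k in unique)

if __name__ == "__main__":
    total, by_option = summarize(SAMPLE_STDERR)
    print(f"{total} unique warnings")
    for option, count in by_option.most_common():
        print(f"{count:6d}  {option}")
```

Saving the set of keys from a baseline build and diffing it against a later build gives the list of newly introduced warnings.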