From ab5606cf5562589340bea8df72a0ee1b4c6e83a7 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Sun, 17 Jul 2016 23:24:42 +0100 Subject: [PATCH] Created Security (asciidoc) --- Security.asciidoc | 79 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 Security.asciidoc diff --git a/Security.asciidoc b/Security.asciidoc new file mode 100644 index 0000000..aa6def3 --- /dev/null +++ b/Security.asciidoc 
@@ -0,0 +1,79 @@ +== Security + +:toc: right + +NOTE: The page is Work In Progress + +This page documents security aspects of Nim and best practices. + +Security features in the language: + +* No pointer arithmetic +* http://nim-lang.org/docs/manual.html#taint-mode[Taint mode] +* The http://nim-lang.org/docs/manual.html#effect-system[Effect system] can be used for security +* Nim attempts to generate C code that does not rely on unsecure function/patterns (e.g. unchecked strcpy) +* The language encourage using immutable and const values +* Type conversions are memory-safe +* Low-level memory access allows mlock etc +* http://nim-lang.org/docs/manual.html#types-memory-regions[Memory regions] TODO + +=== Compiling with GCC on Linux + +Nim attempts to generate C code that does not rely on unsecure function/patterns. +As such, some of the options listed below might be less useful than when building pure-C applications. + + +All the following options enabled together: + +[source,bash] +---- +--passC:"-fPIE -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -O1 -fstack-protector-all" --passL:"-fPIE -pie -z relro -z now" +---- + + +==== Stack protector +Terminate execution when the stack is being overwritten + +[source,bash] +---- +nim c --passC:"-fstack-protector-all" +---- + +==== Protect againt fixed-size buffer overflow + +[source,bash] +---- +nim c --passC:"-D_FORTIFY_SOURCE=2 -O1" +---- + +==== Warn on unsecure prinf usage + + +[source,bash] +---- +nim c --passC:"-Wformat -Wformat-security" +---- + +==== Position independent executable + +Enable ASLR + +[source,bash] +---- +nim c --passC:"-fPIE" --passL:"-fPIE -pie" +---- + +==== Full RELRO + +Resolve dynamic symbols at startup and flag the GOT as read-only. + +[source,bash] +---- +nim c --passL:"-z relro -z now" +---- + + + +=== Resources + +https://wiki.debian.org/Hardening
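Review bot: In the "Protect againt fixed-size buffer overflow" section and in the combined flag line, `-D_FORTIFY_SOURCE=2 -O1` is given without saying that `_FORTIFY_SOURCE` only takes effect when the C compiler is optimizing, so a reader can take `-O1` as a recommended level rather than a prerequisite. Add a sentence stating that, and that a higher `-O` level works as well. Under "Position independent executable", "Enable ASLR" overstates what the flags do: `-fPIE` and `-pie` make the main executable relocatable so that the system's ASLR can also randomize its load address. Suggested wording: "Build a position independent executable so that ASLR also covers the main binary". The combined example is the only command without the `nim c` prefix; add it so the line can be copied as is. The "Stack protector" description could say that the check happens when a function returns and finds its canary changed, which is what `-fstack-protector-all` adds to every function. Typos to fix before merging: "againt" -> "against", "prinf" -> "printf", "unsecure" -> "insecure" (three places), "The language encourage" -> "encourages". The sentence "Nim attempts to generate C code that does not rely on unsecure function/patterns" appears both in the feature list and under "Compiling with GCC on Linux"; keep one and refer to it from the other.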