Binary Hardening

Purpose

Guide agents through enabling and verifying binary security mitigations: checksec analysis, compiler and linker hardening flags (RELRO, PIE, stack canaries, FORTIFY_SOURCE, CFI), hardware shadow stack, and seccomp-bpf syscall filtering for defense-in-depth.

Triggers

• "How do I harden my binary against exploits?"
• "How do I check what security mitigations my binary has?"
• "What does checksec output mean?"
• "How do I enable RELRO, PIE, and stack canaries?"
• "How do I use seccomp to restrict syscalls?"
• "How do I enable CFI (control flow integrity)?"

Workflow

1. Analyze existing binary with checksec