RELRO

Updated: April 19, 2023

The compiler can mark the relocation sections of an executable as read-only after the dynamic loader has finished loading and linking an executable. In case of a .bss or data overflow bug, RELRO (Relocation Read-Only) protects the Global Offset Table (GOT) in ELF binaries from being overwritten.

For some security vulnerabilities, full RELRO provides stronger protection than partial RELRO, which does not make the entire GOT read-only. However, full RELRO has a performance impact on process startup.

Enable partial RELRO using the following compiler option:

-Wl,-z,relro 

Full RELRO makes the Procedure Linkage Table (PLT) as well as the .got and .dtors sections read-only. To enable it, pass the following additional command line argument to the dynamic linker:

-Wl,-z,now

Full RELRO is enabled by default when you link using QNX Neutrino utilities (via the -Wl,-z,relro -Wl,-z,now linker flags).

You can use the qchecksec utility to determine whether RELRO is enabled for a binary. See the qchecksec entry in the Utilities Reference.