Home
QNX Software Development Platform
System Security Guide
The QNX System Security Guide is intended for both system integrators who are responsible for the security of a QNX OS system and developers who want to create a QNX OS resource manager free from vulnerabilities.
Security Features for Developers
Fortified system functions
QNX OS fortified system functions are designed to detect out-of-bounds memory accesses by performing lightweight parameter validation at compile-time, runtime, or both.

QNX Momentics IDE User's Guide
QNX Software Development Platform
- Quickstart Guide
- System Architecture
  The System Architecture guide accompanies the QNX OS and is intended for both application developers and end-users.
- OS Components
- Graphics
- Programming
- System Security Guide
  The QNX System Security Guide is intended for both system integrators who are responsible for the security of a QNX OS system and developers who want to create a QNX OS resource manager free from vulnerabilities.
  - Security Matrix
    The following table describes security problems and cyberattacks and the QNX OS security features that can mitigate them.
  - Security Features Overview
  - Security Features for Developers
    - Security policies
      Security policies can make some aspects of security much easier for a developer.
    - Stack protection
      Stack cookies provide protection against stack buffer overflow on stack-allocated variables, preventing program misbehaviours.
    - RELRO
    - Compiler defenses
    - Address space layout randomization (ASLR)
      Address space layout randomization varies the location of data and instructions each time an executable is loaded.
    - Fortified system functions
      QNX OS fortified system functions are designed to detect out-of-bounds memory accesses by performing lightweight parameter validation at compile-time, runtime, or both.
    - Cryptography for developers
      QNX OS offers developers many alternatives for cryptography functions.
    - Random number generation
    - Hypervisor security
      Because the QNX hypervisor is built as an extension of the QNX OS microkernel, it inherits the security features of the microkernel itself as well as the secure execution environment the microkernel creates. It also has additional layers that are purpose built for secure virtual machine operation.
    - Writing a resource manager
      The information in this section is designed to help you create a QNX OS resource manager that does not contain vulnerabilities. It focuses on properly checking both permissions and the length and content of resource manager messages.
  - Security Features for System Integrators
  - Security Policies
  - Fortified System Functions
  - QNX Cryptography Library
    The QNX cryptography library (qcrypto library) is a generic cryptographic shim layer that provides a consistent API to the various cryptographic primitives offered by third-party libraries.
  - The devcrypto service
    The devcrypto service is a legacy system driver interface and is mainly provided for backwards compatibility.
  - Pathtrust
    The pathtrust feature prevents processes from executing untrusted code. If a process is compromised, pathtrust mitigates the threat of the system being further compromised by an attacker using chained-together exploits.
  - PAM
    Systems that need authentication can use pluggable authentication module (PAM), a configurable standard library.
  - Using mkqnximage to Display Security Features
- Utilities & Libraries
- Migrating to QNX OS 8.0
QNX Software in the Cloud
QNX Toolkit for Visual Studio Code
This User's Guide describes the QNX Toolkit for Visual Studio Code. The guide introduces you to the QNX Toolkit by explaining the QNX development environment and how to build, run, and debug your QNX OS applications and systems.
Typographical Conventions, Support, and Licensing
This section describes the typographical conventions used throughout the documentation and explains how to obtain technical support.

Fortified system functions

QNX SDP8.0QNX OS System Security GuideAPIConfiguration

QNX OS fortified system functions are designed to detect out-of-bounds memory accesses by performing lightweight parameter validation at compile-time, runtime, or both.

If a component does not currently use fortified system functions, you need to recompile it to make use of this feature.

The following example makefile excerpt illustrates how to enable the use of fortified system functions for all modules of a project via the CPPFLAGS variable:

CPPFLAGS += -D_FORTIFY_SOURCE=2

The _FORTIFY_SOURCE feature test macro is defined with a value of 2. A value of 1 or 2 enables the feature. For a description of the difference between these settings, see the Fortified System Functions chapter.
The default compiler optimization setting (-O0) does not support _FORTIFY_SOURCE. Makefiles are responsible for enabling compiler optimization. QNX recursive makefiles enable compiler optimization implicitly (either -O2 or -Os, depending on the target architecture; see Conventions for Recursive Makefiles and Directories in the QNX OS Programmer's Guide).
Although _FORTIFY_SOURCE can function with a compiler optimization setting of -O1, it might not detect as many buffer overflow anomalies as it would with a higher optimization setting. QNX recommends a setting of -Os or -Om, where m is greater than or equal to 2.

Alternatively, you can enable the use of fortified system functions by setting a shell environment variable before the make utility is invoked. For a QNX recursive makefile project, you can use CCOPTS (CXXOPTS for component written in C++). For example:

CCOPTS="-D_FORTIFY_SOURCE=2" make

For projects that don't use QNX recursive makefiles, see the project's documentation to determine the correct variable or variables to use to specify the -D_FORTIFY_SOURCE=2 option and, if necessary, a compatible compiler optimization setting. For more information, see Fortified system functions in Security Features for System Integrators.

For more information, including how to enable fortified system functions for specific source files and diagnostic messages related to the feature, see the Fortified System Functions chapter.

Page updated: May 17, 2024