For a KVM hypervisor, we add a layer of security by building its user-space components (QEMU) with compiler hardening. Current-generation compilers and linkers offer a variety of compile-time and link-time options that improve the security of the resulting binaries.
The hardening features used for KVM include the following:
- Relocation read-only (RELRO): This hardens the data sections of an executable. It comes in two forms, Partial RELRO and Full RELRO; for QEMU, Full RELRO is the better choice. Full RELRO makes the global offset table read-only and places the various internal data sections before the program's data section in the resulting executable.
- Stack measurement: This places known values on the stack and verifies that they are still intact before a function returns, to help prevent buffer overflow attacks.
- Never Execute (NX): This is also known as Data Execution ...
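Whether a QEMU build actually carries these protections can be verified from the ELF headers rather than taken on trust. The following checker is an added example written for this page, not code from the book or from the QEMU project: it parses the program headers and dynamic section of a little-endian ELF64 binary with only the Python standard library, reports RELRO as none/partial/full (PT_GNU_RELRO present, plus DT_BIND_NOW or the equivalent DT_FLAGS/DT_FLAGS_1 bits for full), reports NX from the PT_GNU_STACK flags, and detects stack protection heuristically by looking for a reference to `__stack_chk_fail`. The `build_sample_elf` helper constructs a minimal, non-executable ELF image so the checker can be exercised offline; the file path given on the command line is assumed to be whatever QEMU binary you want to inspect.

```python
"""Inspect an ELF64 binary for RELRO, NX-stack and stack-protector hardening.
Added example (not from the book or QEMU); little-endian ELF64 only."""
import struct
import sys

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_phdrs(data):
    """Return the program headers as dicts with type, flags, file offset and size."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _msz, _al = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags,
                      "offset": p_offset, "filesz": p_filesz})
    return phdrs


def parse_dynamic(data, phdrs):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment ({} if there is none)."""
    tags = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        for off in range(ph["offset"], ph["offset"] + ph["filesz"], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def check_hardening(data):
    """Summarise RELRO level, NX stack and stack-canary use for an ELF64 image."""
    phdrs = parse_phdrs(data)
    dyn = parse_dynamic(data, phdrs)
    has_relro = any(ph["type"] == PT_GNU_RELRO for ph in phdrs)
    # Full RELRO additionally needs immediate binding so the GOT can be sealed.
    bind_now = bool(DT_BIND_NOW in dyn
                    or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    stack = [ph for ph in phdrs if ph["type"] == PT_GNU_STACK]
    # A missing PT_GNU_STACK header means the loader falls back to an executable stack.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    return {
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "nx": nx,
        # Heuristic: stack-protected code calls __stack_chk_fail on canary mismatch.
        "stack_canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(relro="full", nx=True, canary=True):
    """Construct a minimal ELF64 image (constructed sample, not runnable code)
    carrying only the headers the checker inspects."""
    dyn = b""
    if relro == "full":
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    segs = [(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0), (PT_DYNAMIC, 0x6, None, len(dyn))]
    if relro != "none":
        segs.append((PT_GNU_RELRO, 0x4, 0, 0))
    dyn_off = 64 + 56 * len(segs)                   # dynamic segment follows the phdrs
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if o is None else o,
                                0, 0, s, s, 8) for t, f, o, s in segs)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8            # e_ident
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(segs), 0, 0, 0)
    return ehdr + body + dyn + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/qemu-system-binary (path is yours)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, value in check_hardening(blob).items():
        print(f"{name:13} {value}")
```

Run it against the QEMU binary installed on the host; a hardened build reports `relro full`, `nx True` and `stack_canary True`. The canary check is a heuristic on the symbol reference rather than a proof that every function was instrumented, which is the usual limitation of such tools.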