GCC's Stack Protector Option and Higher CPU Usage

Question

Does anyone know if GCC's -fstack-protector will cause a program to use a significantly larger amount of CPU cycles? The description here mentions

-fstack-protector Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

Also, is this any better than writing code at the start of functions that check buffer pointers and sizes?

Answer 1

It should not cause a significant increase in CPU use. As the description states, stack protection involves putting a particular value on the stack at function entry and validating that it hasn't changed at function exit. Typically functions do a lot more than writing and reading one value, so this should not constitute significant overhead.

Stack protection should be used in conjunction with writing your code correctly. It can't catch every mistake and it can be worked around by attackers, but since it is automatically applied to every function it can help detect accidental or intentional overflows sooner.