Hardening (computing)

In computer security, hardening or system hardening is usually the process of securing a system by making it a 'hard target' by reducing its attack surface vulnerabilities.^[1]^[2] The attack surface is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Hardening is considered a important component of cybersecurity.^[3]

Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services. It may also involve patching vulnerabilities and switching off ancillary services that are not essential.^[4] Hardening measures can also include setting up intrusion prevention systems, disabling or restricting accounts, reducing file system permissions, using encrypted network connections and enabling host-based network security.^[5]

Binary hardening

Binary hardening is a security technique in which binary executables are analyzed and modified to protect against common exploits. Binary hardening is independent of compilers and involves the entire toolchain. For example, one binary hardening technique is to detect potential buffer overflows and to substitute the existing code with safer code. The advantage of manipulating binaries is that vulnerabilities in legacy code can be fixed automatically without the need for source code, which may be unavailable or obfuscated. Secondly, the same techniques can be applied to binaries from multiple compilers, some of which may be less secure than others.

Binary hardening often involves the non-deterministic modification of control flow and instruction addresses so as to prevent attackers from successfully reusing program code to perform exploits. Common hardening techniques are:

Buffer overflow protection
Stack overwriting protection
Position independent executables and address space layout randomization
Binary stirring (randomizing the address of basic blocks)
Pointer masking (protection against code injection)
Control flow randomization (to protect against control flow diversion)

References

^ Workman, Michael (2021-10-29). Information Security Management. Jones & Bartlett Learning. p. 240. ISBN 978-1-284-21165-8. Retrieved 2025-09-04.
^ "What Is System Hardening? – Intel". Intel. 2025-07-09. Retrieved 2025-09-04.
^ CISM, John Rittinghouse PhD; CISM, William M. Hancock PhD CISSP (2003-10-02). Cybersecurity Operations Handbook. Digital Press. p. 436-437. ISBN 978-0-08-053018-5. Retrieved 2025-09-04.
^ "Hardening". CSRC. Retrieved 2025-09-04.
^ O'Hanley, Richard; Tiller, James S. (2013-08-29). Information Security Management Handbook, Volume 7. CRC Press. ISBN 978-1-04-006148-0. Retrieved 2025-09-04.

External links

"Hardening Your Computing Assets" (PDF). at globalsecurity.org

"CIS Benchmark List". at globalsecurity.org

[n083-1] Workman, Michael (2021-10-29). Information Security Management. Jones & Bartlett Learning. p. 240. ISBN 978-1-284-21165-8. Retrieved 2025-09-04.

[e327-2] "What Is System Hardening? – Intel". Intel. 2025-07-09. Retrieved 2025-09-04.

[i451-3] CISM, John Rittinghouse PhD; CISM, William M. Hancock PhD CISSP (2003-10-02). Cybersecurity Operations Handbook. Digital Press. p. 436-437. ISBN 978-0-08-053018-5. Retrieved 2025-09-04.

[x883-4] "Hardening". CSRC. Retrieved 2025-09-04.

[n331-5] O'Hanley, Richard; Tiller, James S. (2013-08-29). Information Security Management Handbook, Volume 7. CRC Press. ISBN 978-1-04-006148-0. Retrieved 2025-09-04.

[1]

[2]

[3]

[4]

[5]

Hardening (computing)

Binary hardening

References

See also

External links