teaclave-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From din...@apache.org
Subject [incubator-teaclave-sgx-sdk] branch v1.1.1-testing updated: Update makefiles for LVI mitigation; tweak dockerfiles;
Date Sun, 22 Mar 2020 21:15:24 GMT
This is an automated email from the ASF dual-hosted git repository.

dingyu pushed a commit to branch v1.1.1-testing
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-sgx-sdk.git


The following commit(s) were added to refs/heads/v1.1.1-testing by this push:
     new 058507c  Update makefiles for LVI mitigation; tweak dockerfiles;
058507c is described below

commit 058507caae4b4fe9899f628815b48a01268191b2
Author: Yu Ding <dingelish@gmail.com>
AuthorDate: Sun Mar 22 14:15:09 2020 -0700

    Update makefiles for LVI mitigation; tweak dockerfiles;
---
 buildenv.mk                                        |  68 +++++-
 compiler-rt/Makefile                               |   8 +-
 dockerfile/01_gcc_8.sh                             | 229 ++-------------------
 dockerfile/02_binutils.sh                          |   7 +-
 dockerfile/03_sdk.sh                               |   5 +-
 dockerfile/Dockerfile.1604.nightly                 |   3 +
 dockerfile/Dockerfile.1804.nightly                 |  84 ++------
 ...1804.nightly => Dockerfile.1804.unsafe.nightly} |   0
 dockerfile/Dockerfile.centos7.nightly              |  26 +++
 samplecode/backtrace/Makefile                      |  21 +-
 samplecode/backtrace/enclave/Makefile              |   6 +
 samplecode/crypto/Makefile                         |  21 +-
 samplecode/crypto/enclave/Makefile                 |   6 +
 samplecode/db-proxy/db-proxy/Makefile              |  18 +-
 samplecode/db-proxy/db-proxy/enclave/Makefile      |   6 +
 samplecode/file/Makefile                           |  20 +-
 samplecode/file/enclave/Makefile                   |   6 +
 samplecode/hello-regex/Makefile                    |  21 +-
 samplecode/hello-regex/enclave/Makefile            |   6 +
 samplecode/hello-rust-vscode-debug/Makefile        |  18 +-
 .../hello-rust-vscode-debug/enclave/Makefile       |   6 +
 samplecode/hello-rust/Makefile                     |  18 +-
 samplecode/hello-rust/enclave/Makefile             |   6 +
 samplecode/helloworld/Makefile                     |  21 +-
 samplecode/helloworld/enclave/Makefile             |   6 +
 samplecode/http_req/Makefile                       |  17 +-
 samplecode/http_req/enclave/Makefile               |   6 +
 samplecode/hugemem/Makefile                        |  21 +-
 samplecode/hugemem/enclave/Makefile                |   6 +
 samplecode/kvdb-memdb/Makefile                     |  18 +-
 samplecode/kvdb-memdb/enclave/Makefile             |   6 +
 samplecode/localattestation/Makefile               |  20 +-
 samplecode/localattestation/enclave1/Makefile      |   6 +
 samplecode/localattestation/enclave2/Makefile      |   6 +
 samplecode/localattestation/enclave3/Makefile      |   6 +
 samplecode/logger/Makefile                         |  18 +-
 samplecode/logger/enclave/Makefile                 |   6 +
 samplecode/machine-learning/Makefile               |  18 +-
 samplecode/machine-learning/enclave/Makefile       |   6 +
 samplecode/mio/client/Makefile                     |  17 +-
 samplecode/mio/client/enclave/Makefile             |   6 +
 samplecode/mio/server/Makefile                     |  18 +-
 samplecode/mio/server/enclave/Makefile             |   6 +
 samplecode/mutual-ra/Makefile                      |  18 +-
 samplecode/mutual-ra/enclave/Makefile              |   6 +
 samplecode/net2/Makefile                           |  18 +-
 samplecode/net2/enclave/Makefile                   |   6 +
 samplecode/pcl/encrypted-hello/Makefile            |  17 +-
 samplecode/pcl/encrypted-hello/enclave/Makefile    |   6 +
 samplecode/pcl/pcl-seal/Makefile                   |  18 +-
 samplecode/pcl/pcl-seal/enclave/Makefile           |   6 +
 samplecode/prost-protobuf/Makefile                 |  18 +-
 samplecode/prost-protobuf/enclave/Makefile         |   6 +
 samplecode/protobuf/Makefile                       |  18 +-
 samplecode/protobuf/enclave/Makefile               |   6 +
 samplecode/psi/SMCClient/Makefile                  |  13 +-
 samplecode/psi/SMCServer/Makefile                  |  25 +--
 samplecode/psi/SMCServer/enclave/Makefile          |   6 +
 samplecode/remoteattestation/Application/Makefile  |  25 ++-
 .../remoteattestation/Application/enclave/Makefile |   6 +
 .../remoteattestation/ServiceProvider/Makefile     |  11 +-
 samplecode/sealeddata/Makefile                     |  20 +-
 samplecode/sealeddata/enclave/Makefile             |   6 +
 samplecode/secretsharing/Makefile                  |  21 +-
 samplecode/secretsharing/enclave/Makefile          |   6 +
 samplecode/serialize/Makefile                      |  20 +-
 samplecode/serialize/enclave/Makefile              |   6 +
 samplecode/sgx-cov/Makefile                        |  17 +-
 samplecode/sgx-cov/enclave/Makefile                |   6 +
 samplecode/static-data-distribution/Makefile       |  18 +-
 .../static-data-distribution/enclave/Makefile      |   6 +
 samplecode/switchless/Makefile                     |  18 +-
 samplecode/switchless/enclave/Makefile             |   6 +
 samplecode/tcmalloc/Makefile                       |  22 +-
 samplecode/tcmalloc/enclave/Makefile               |   6 +
 samplecode/thread/Makefile                         |  24 +--
 samplecode/thread/enclave/Makefile                 |   6 +
 samplecode/tls/tlsclient/Makefile                  |  17 +-
 samplecode/tls/tlsclient/enclave/Makefile          |   6 +
 samplecode/tls/tlsserver/Makefile                  |  18 +-
 samplecode/tls/tlsserver/enclave/Makefile          |   6 +
 samplecode/tr-mpc/tr-mpc-server/Makefile           |  18 +-
 samplecode/tr-mpc/tr-mpc-server/enclave/Makefile   |   6 +
 samplecode/ue-ra/ue-ra-server/Makefile             |  17 +-
 samplecode/ue-ra/ue-ra-server/enclave/Makefile     |   6 +
 samplecode/unit-test/Makefile                      |  18 +-
 samplecode/unit-test/enclave/Makefile              |   6 +
 samplecode/wasmi/Makefile                          |  18 +-
 samplecode/wasmi/enclave/Makefile                  |   6 +
 samplecode/zlib-lazy-static-sample/Makefile        |  18 +-
 .../zlib-lazy-static-sample/enclave/Makefile       |   6 +
 sgx_backtrace_sys/build.rs                         |  27 +++
 sgx_unwind/build.rs                                |  24 ++-
 93 files changed, 817 insertions(+), 680 deletions(-)

diff --git a/buildenv.mk b/buildenv.mk
index 6c9a7b6..0fa6a39 100644
--- a/buildenv.mk
+++ b/buildenv.mk
@@ -31,14 +31,9 @@ INCLUDE :=
 COMMON_FLAGS += -fstack-protector
 
 ifdef DEBUG
-    COMMON_FLAGS += -ggdb -DDEBUG -UNDEBUG
-    COMMON_FLAGS += -DSE_DEBUG_LEVEL=SE_TRACE_DEBUG
+    COMMON_FLAGS += -O0 -g -DDEBUG -UNDEBUG
 else
-    COMMON_FLAGS += -O2   -UDEBUG -DNDEBUG
-endif
-
-ifdef SE_SIM
-    COMMON_FLAGS += -DSE_SIM
+    COMMON_FLAGS += -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG
 endif
 
 # turn on compiler warnings as much as possible
@@ -101,6 +96,58 @@ endif
 CFLAGS   += $(COMMON_FLAGS)
 CXXFLAGS += $(COMMON_FLAGS)
 
+# Enable the security flags
+COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack
+
+# mitigation options
+MITIGATION_INDIRECT ?= 0
+MITIGATION_RET ?= 0
+MITIGATION_C ?= 0
+MITIGATION_ASM ?= 0
+MITIGATION_AFTERLOAD ?= 0
+MITIGATION_LIB_PATH :=
+
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+    MITIGATION_C := 1
+    MITIGATION_ASM := 1
+    MITIGATION_INDIRECT := 1
+    MITIGATION_RET := 1
+    MITIGATION_AFTERLOAD := 1
+    MITIGATION_LIB_PATH := cve_2020_0551_load
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+    MITIGATION_C := 1
+    MITIGATION_ASM := 1
+    MITIGATION_INDIRECT := 1
+    MITIGATION_RET := 1
+    MITIGATION_AFTERLOAD := 0
+    MITIGATION_LIB_PATH := cve_2020_0551_cf
+endif
+
+MITIGATION_CFLAGS :=
+MITIGATION_ASFLAGS :=
+ifeq ($(MITIGATION_C), 1)
+ifeq ($(MITIGATION_INDIRECT), 1)
+    MITIGATION_CFLAGS += -mindirect-branch-register
+endif
+ifeq ($(MITIGATION_RET), 1)
+    MITIGATION_CFLAGS += -mfunction-return=thunk-extern
+endif
+endif
+
+ifeq ($(MITIGATION_ASM), 1)
+    MITIGATION_ASFLAGS += -fno-plt
+ifeq ($(MITIGATION_AFTERLOAD), 1)
+    MITIGATION_ASFLAGS += -Wa,-mlfence-after-load=yes
+else
+    MITIGATION_ASFLAGS += -Wa,-mlfence-before-indirect-branch=register
+endif
+ifeq ($(MITIGATION_RET), 1)
+    MITIGATION_ASFLAGS += -Wa,-mlfence-before-ret=not
+endif
+endif
+
+MITIGATION_CFLAGS += $(MITIGATION_ASFLAGS)
+
 # Compiler and linker options for an Enclave
 #
 # We are using '--export-dynamic' so that `g_global_data_sim' etc.
@@ -109,10 +156,13 @@ CXXFLAGS += $(COMMON_FLAGS)
 # When `pie' is enabled, the linker (both BFD and Gold) under Ubuntu 14.04
 # will hide all symbols from dynamic symbol table even if they are marked
 # as `global' in the LD version script.
-ENCLAVE_CFLAGS   = -ffreestanding -nostdinc -fvisibility=hidden -fpie
+ENCLAVE_CFLAGS   = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
 ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
-ENCLAVE_LDFLAGS  = -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
+ENCLAVE_LDFLAGS  = $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
                    -Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
                    -Wl,--gc-sections \
                    -Wl,--defsym,__ImageBase=0
 
+ENCLAVE_CFLAGS += $(MITIGATION_CFLAGS)
+ENCLAVE_ASFLAGS = $(MITIGATION_ASFLAGS)
+
diff --git a/compiler-rt/Makefile b/compiler-rt/Makefile
index 8a55b5c..e62d491 100644
--- a/compiler-rt/Makefile
+++ b/compiler-rt/Makefile
@@ -17,9 +17,9 @@
 
 include ../buildenv.mk
 COMMON_DIR := ../common
-CFLAGS   += $(ENCLAVE_CFLAGS)
-CFLAGS   += -O2
-CPPFLAGS += $(ADDED_INC)                \
+RT_CFLAGS := $(CFLAGS)
+RT_CFLAGS += $(ENCLAVE_CFLAGS)
+RT_CFLAGS += $(ADDED_INC)  \
             -I$(COMMON_DIR)/inc/
 
 SRCS := $(wildcard *.c)
@@ -34,7 +34,7 @@ $(TARGET): $(OBJS)
 	$(AR) rcsD $@ $^
 
 $(OBJS): %.o: %.c
-	$(CC) -c $(CFLAGS) $(CPPFLAGS) $< -o $@
+	$(CC) -c $(RT_CFLAGS) $< -o $@
 
 .PHONY: clean
 clean:
diff --git a/dockerfile/01_gcc_8.sh b/dockerfile/01_gcc_8.sh
index e742782..be21a75 100644
--- a/dockerfile/01_gcc_8.sh
+++ b/dockerfile/01_gcc_8.sh
@@ -1,208 +1,21 @@
-set -ex;
-apt-get update && apt-get install -y --no-install-recommends \
-		ca-certificates \
-		curl \
-		netbase \
-		wget
-
-if ! command -v gpg > /dev/null; then \
-	apt-get install -y --no-install-recommends \
-		gnupg \
-		dirmngr
-fi
-
-apt-get install -y --no-install-recommends \
-		git \
-		mercurial \
-		openssh-client \
-		subversion \
-		\
-		procps
-
-apt-get install -y --no-install-recommends \
-		autoconf \
-		automake \
-		bzip2 \
-		dpkg-dev \
-		file \
-		g++ \
-		gcc \
-		imagemagick \
-		libbz2-dev \
-		libc6-dev \
-		libcurl4-openssl-dev \
-		libdb-dev \
-		libevent-dev \
-		libffi-dev \
-		libgdbm-dev \
-		libglib2.0-dev \
-		libgmp-dev \
-		libjpeg-dev \
-		libkrb5-dev \
-		liblzma-dev \
-		libmagickcore-dev \
-		libmagickwand-dev \
-		libmaxminddb-dev \
-		libncurses5-dev \
-		libncursesw5-dev \
-		libpng-dev \
-		libpq-dev \
-		libreadline-dev \
-		libsqlite3-dev \
-		libssl-dev \
-		libtool \
-		libwebp-dev \
-		libxml2-dev \
-		libxslt-dev \
-		libyaml-dev \
-		make \
-		patch \
-		unzip \
-		xz-utils \
-		zlib1g-dev \
-	;
-
-# gcc
-if ! command -v gpg > /dev/null; then \
-	apt-get install -y --no-install-recommends \
-		gnupg \
-		dirmngr \
-	; \
-	rm -rf /var/lib/apt/lists/*; \
-fi
-
-## https://gcc.gnu.org/mirrors.html
-#ENV GPG_KEYS \
-## 1024D/745C015A 1999-11-09 Gerald Pfeifer <gerald@pfeifer.com>
-#	B215C1633BCA0477615F1B35A5B3A004745C015A \
-## 1024D/B75C61B8 2003-04-10 Mark Mitchell <mark@codesourcery.com>
-#	B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8 \
-## 1024D/902C9419 2004-12-06 Gabriel Dos Reis <gdr@acm.org>
-#	90AA470469D3965A87A5DCB494D03953902C9419 \
-## 1024D/F71EDF1C 2000-02-13 Joseph Samuel Myers <jsm@polyomino.org.uk>
-#	80F98B2E0DAB6C8281BDF541A7C8C3B2F71EDF1C \
-## 2048R/FC26A641 2005-09-13 Richard Guenther <richard.guenther@gmail.com>
-#	7F74F97C103468EE5D750B583AB00996FC26A641 \
-## 1024D/C3C45C06 2004-04-21 Jakub Jelinek <jakub@redhat.com>
-#	33C235A34C46AA3FFB293709A328C3A2C3C45C06
-
-export GPG_KEYS="B215C1633BCA0477615F1B35A5B3A004745C015A
-                 B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8
-                 90AA470469D3965A87A5DCB494D03953902C9419
-                 80F98B2E0DAB6C8281BDF541A7C8C3B2F71EDF1C
-                 7F74F97C103468EE5D750B583AB00996FC26A641
-                 33C235A34C46AA3FFB293709A328C3A2C3C45C06"
-for key in $GPG_KEYS; do \
-	gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
-done
-
-# https://gcc.gnu.org/mirrors.html
-export GCC_MIRRORS="
-		https://ftpmirror.gnu.org/gcc
-		https://bigsearcher.com/mirrors/gcc/releases
-		https://mirrors-usa.go-parts.com/gcc/releases
-		https://mirrors.concertpass.com/gcc/releases
-		http://www.netgull.com/gcc/releases"
-
-# Last Modified: 2020-03-04
-export GCC_VERSION=8.4.0
-# Docker EOL: 2021-09-04
-
-savedAptMark="$(apt-mark showmanual)"; \
-apt-get update; \
-apt-get install -y --no-install-recommends \
-	dpkg-dev \
-	flex \
-; \
-rm -r /var/lib/apt/lists/*; \
-\
-_fetch() { \
-	local fetch="$1"; shift; \
-	local file="$1"; shift; \
-	for mirror in $GCC_MIRRORS; do \
-		if curl -fL "$mirror/$fetch" -o "$file"; then \
-			return 0; \
-		fi; \
-	done; \
-	echo >&2 "error: failed to download '$fetch' from several mirrors"; \
-	return 1; \
-}; \
-\
-_fetch "gcc-$GCC_VERSION/gcc-$GCC_VERSION.tar.xz.sig" 'gcc.tar.xz.sig' \
-	|| _fetch "$GCC_VERSION/gcc-$GCC_VERSION.tar.xz.sig"; \
-_fetch "gcc-$GCC_VERSION/gcc-$GCC_VERSION.tar.xz" 'gcc.tar.xz' \
-	|| _fetch "$GCC_VERSION/gcc-$GCC_VERSION.tar.xz" 'gcc.tar.xz'; \
-gpg --batch --verify gcc.tar.xz.sig gcc.tar.xz; \
-mkdir -p /usr/src/gcc; \
-tar -xf gcc.tar.xz -C /usr/src/gcc --strip-components=1; \
-rm gcc.tar.xz*; \
-\
-cd /usr/src/gcc; \
-\
-# "download_prerequisites" pulls down a bunch of tarballs and extracts them,
-# but then leaves the tarballs themselves lying around
-./contrib/download_prerequisites; \
-{ rm *.tar.* || true; }; \
-\
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
-for f in config.guess config.sub; do \
-	wget -O "$f" "https://git.savannah.gnu.org/cgit/config.git/plain/$f?id=7d3d27baf8107b630586c962c057e22149653deb"; \
-# find any more (shallow) copies of the file we grabbed and update them too
-	find -mindepth 2 -name "$f" -exec cp -v "$f" '{}' ';'; \
-done; \
-\
-dir="$(mktemp -d)"; \
-cd "$dir"; \
-\
-extraConfigureArgs=''; \
-dpkgArch="$(dpkg --print-architecture)"; \
-case "$dpkgArch" in \
-# with-arch: https://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-6/debian/rules2?revision=9450&view=markup#l491
-# with-float: https://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-6/debian/rules.defs?revision=9487&view=markup#l416
-# with-mode: https://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-6/debian/rules.defs?revision=9487&view=markup#l376
-	armel) \
-		extraConfigureArgs="$extraConfigureArgs --with-arch=armv4t --with-float=soft" \
-		;; \
-	armhf) \
-		extraConfigureArgs="$extraConfigureArgs --with-arch=armv7-a --with-float=hard --with-fpu=vfpv3-d16 --with-mode=thumb" \
-		;; \
-	\
-# with-arch-32: https://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-6/debian/rules2?revision=9450&view=markup#l590
-	i386) \
-		osVersionID="$(set -e; . /etc/os-release; echo "$VERSION_ID")"; \
-		case "$osVersionID" in \
-			8) extraConfigureArgs="$extraConfigureArgs --with-arch-32=i586" ;; \
-			*) extraConfigureArgs="$extraConfigureArgs --with-arch-32=i686" ;; \
-		esac; \
-# TODO for some reason, libgo + i386 fails on https://github.com/gcc-mirror/gcc/blob/gcc-7_1_0-release/libgo/runtime/proc.c#L154
-# "error unknown case for SETCONTEXT_CLOBBERS_TLS"
-		;; \
-esac; \
-\
-gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-/usr/src/gcc/configure \
-	--build="$gnuArch" \
-	--disable-multilib \
-	--enable-languages=c,c++,fortran,go \
-	$extraConfigureArgs \
-; \
-make -j "$(nproc)"; \
-make install-strip; \
-\
-cd ..; \
-\
-rm -rf "$dir" /usr/src/gcc; \
-\
-apt-mark auto '.*' > /dev/null; \
-[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
-apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false
-
-# gcc installs .so files in /usr/local/lib64...
-echo '/usr/local/lib64' > /etc/ld.so.conf.d/local-lib64.conf; \
-ldconfig -v
-
-# ensure that alternatives are pointing to the new compiler and that old one is no longer used
-dpkg-divert --divert /usr/bin/gcc.orig --rename /usr/bin/gcc; \
-dpkg-divert --divert /usr/bin/g++.orig --rename /usr/bin/g++; \
-dpkg-divert --divert /usr/bin/gfortran.orig --rename /usr/bin/gfortran; \
-update-alternatives --install /usr/bin/cc cc /usr/local/bin/gcc 999
+cd /root && \
+curl --output gcc.tar.gz http://ftp.mirrorservice.org/sites/sourceware.org/pub/gcc/releases/gcc-8.4.0/gcc-8.4.0.tar.gz && \
+tar xzf gcc.tar.gz && \
+cd gcc-8.4.0 && \
+./contrib/download_prerequisites && \
+mkdir build && \
+cd build && \
+../configure --disable-multilib --enable-languages=c,c++,fortran,go && \
+make -j $(nproc) && \
+make install && \
+cd /root && \
+git clone git://sourceware.org/git/binutils-gdb.git && \
+cd binutils-gdb && \
+git checkout fe26d3a34a223a86fddb59ed70a621a13940a088 && \
+mkdir build && \
+cd build && \
+../configure --prefix=/usr --enable-gold --enable-ld=default --enable-plugins --enable-shared --disable-werror --enable-64-bit-bfd --with-system-zlib && \
+make -j "$(nproc)" && \
+LD_LIBRARY_PATH=/usr/lib make install && \
+cd /root && \
+rm -rf gcc-8.4.0
diff --git a/dockerfile/02_binutils.sh b/dockerfile/02_binutils.sh
index af8f56b..80d0f63 100644
--- a/dockerfile/02_binutils.sh
+++ b/dockerfile/02_binutils.sh
@@ -4,7 +4,6 @@
 #cp external/toolset/* /usr/bin/
 
 cd /root && \
-apt-get update && apt-get install -y bison texinfo flex && \
 git clone git://sourceware.org/git/binutils-gdb.git && \
 cd binutils-gdb && \
 git checkout fe26d3a34a223a86fddb59ed70a621a13940a088 && \
@@ -12,8 +11,8 @@ mkdir build && \
 cd build && \
 ../configure --prefix=/usr --enable-gold --enable-ld=default --enable-plugins --enable-shared --disable-werror --enable-64-bit-bfd --with-system-zlib && \
 make -j "$(nproc)" && \
-make install && \
+LD_LIBRARY_PATH=/usr/lib make install && \
 cd /root && \
 rm -rf binutils-gdb && \
-rm -rf /var/lib/apt/lists/* && \
-rm -rf /var/cache/apt/archives/*
+echo 'export LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH' >> /root/.bashrc && \
+echo 'export LD_RUN_PATH=/usr/lib:$LD_RUN_PATH' 
diff --git a/dockerfile/03_sdk.sh b/dockerfile/03_sdk.sh
index 6dd4bdc..5299e78 100644
--- a/dockerfile/03_sdk.sh
+++ b/dockerfile/03_sdk.sh
@@ -1,4 +1,3 @@
-apt-get update && apt-get install -y cmake ocaml && \
 cd /root && \
 git clone --recursive https://github.com/intel/linux-sgx && \
 cd linux-sgx && \
@@ -8,6 +7,4 @@ make -j "$(nproc)" sdk_install_pkg && \
 echo -e 'no\n/opt' | ./linux/installer/bin/sgx_linux_x64_sdk_2.9.100.2.bin && \
 echo 'source /opt/sgxsdk/environment' >> /root/.bashrc && \
 cd /root && \
-rm -rf /root/linux-sgx && \
-rm -rf /var/lib/apt/lists/* && \
-rm -rf /var/cache/apt/archives/*
+rm -rf /root/linux-sgx
diff --git a/dockerfile/Dockerfile.1604.nightly b/dockerfile/Dockerfile.1604.nightly
index ee2cb8b..80494ef 100644
--- a/dockerfile/Dockerfile.1604.nightly
+++ b/dockerfile/Dockerfile.1604.nightly
@@ -1,5 +1,8 @@
 FROM ubuntu:16.04
 
+RUN apt-get update && apt-get install -y ca-certificates curl wget gnupg git build-essential libtool dpkg-dev flex bison texinfo libiptcdata0-dev && \
+    rm -rf /var/lib/apt/lists/*
+
 ADD 01_gcc_8.sh /root
 RUN bash /root/01_gcc_8.sh
 
diff --git a/dockerfile/Dockerfile.1804.nightly b/dockerfile/Dockerfile.1804.nightly
index e3dc98a..59df51c 100644
--- a/dockerfile/Dockerfile.1804.nightly
+++ b/dockerfile/Dockerfile.1804.nightly
@@ -1,72 +1,30 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License..
+FROM ubuntu:16.04
 
+RUN apt-get update && apt-get install -y autoconf automake bison build-essential cmake curl dpkg-dev expect flex gcc-8 gdb git git-core gnupg kmod libboost-system-dev libboost-thread-dev libcurl4-openssl-dev libiptcdata0-dev libjsoncpp-dev liblog4cpp5-dev libprotobuf-c0-dev libprotobuf-dev libssl-dev libtool libxml2-dev ocaml ocamlbuild pkg-config protobuf-compiler python sudo systemd-sysv texinfo uuid-dev vim wget && \
+    rm -rf /var/lib/apt/lists/*
 
-FROM ubuntu:18.04
-MAINTAINER Yu Ding
+#18.04 does have gcc-8
+#ADD 01_gcc_8.sh /root
+#RUN bash /root/01_gcc_8.sh
 
-ENV DEBIAN_FRONTEND=noninteractive
+ADD 02_binutils.sh /root
+RUN bash /root/02_binutils.sh
+
+ADD 03_sdk.sh /root
+RUN bash /root/03_sdk.sh
+    
+# Sixth, PSW
+
+ENV CODENAME        bionic
 ENV VERSION         2.9.100.2-bionic1
-ENV rust_toolchain  nightly-2020-03-12
-ENV sdk_bin         https://download.01.org/intel-sgx/sgx-linux/2.9/distro/ubuntu18.04-server/sgx_linux_x64_sdk_2.9.100.2.bin
 
-RUN apt-get update && \
-    apt-get install -y gnupg2 apt-transport-https ca-certificates curl software-properties-common build-essential automake autoconf libtool protobuf-compiler libprotobuf-dev git-core libprotobuf-c0-dev cmake pkg-config expect gdb && \
-    curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
-    add-apt-repository "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main" && \
-    apt-get update && \
-    apt-get install -y \
-        libsgx-aesm-launch-plugin=$VERSION \
-        libsgx-enclave-common=$VERSION \
-        libsgx-enclave-common-dbgsym=$VERSION \
-        libsgx-enclave-common-dev=$VERSION \
-        libsgx-epid=$VERSION \
-        libsgx-epid-dbgsym=$VERSION \
-        libsgx-epid-dev=$VERSION \
-        libsgx-launch=$VERSION \
-        libsgx-launch-dbgsym=$VERSION \
-        libsgx-launch-dev=$VERSION \
-        libsgx-quote-ex=$VERSION \
-        libsgx-quote-ex-dbgsym=$VERSION \
-        libsgx-quote-ex-dev=$VERSION \
-        libsgx-uae-service=$VERSION \
-        libsgx-uae-service-dbgsym=$VERSION \
-        libsgx-urts=$VERSION \
-        libsgx-urts-dbgsym=$VERSION && \
-    rm -rf /var/lib/apt/lists/* && \
-    rm -rf /var/cache/apt/archives/* && \
-    mkdir /var/run/aesmd && \
-    mkdir /etc/init
+ADD 04_psw.sh /root
+RUN bash /root/04_psw.sh
 
-RUN curl 'https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init' --output /root/rustup-init && \
-    chmod +x /root/rustup-init && \
-    echo '1' | /root/rustup-init --default-toolchain ${rust_toolchain} && \
-    echo 'source /root/.cargo/env' >> /root/.bashrc && \
-    /root/.cargo/bin/rustup component add rust-src rls rust-analysis clippy rustfmt && \
-    /root/.cargo/bin/cargo install xargo && \
-    rm /root/rustup-init && rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git
+# Seventh, Rust
 
-RUN mkdir /root/sgx && \
-    curl --output /root/sgx/sdk.bin ${sdk_bin} && \
-    cd /root/sgx && \
-    chmod +x /root/sgx/sdk.bin && \
-    echo -e 'no\n/opt' | /root/sgx/sdk.bin && \
-    echo 'source /opt/sgxsdk/environment' >> /root/.bashrc && \
-    echo 'alias start-aesm="LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm /opt/intel/sgx-aesm-service/aesm/aesm_service"' >> /root/.bashrc && \
-    rm -rf /root/sgx*
+ENV rust_toolchain  nightly-2020-03-12
+ADD 05_rust.sh /root
+RUN bash /root/05_rust.sh
 
 WORKDIR /root
diff --git a/dockerfile/Dockerfile.1804.nightly b/dockerfile/Dockerfile.1804.unsafe.nightly
similarity index 100%
copy from dockerfile/Dockerfile.1804.nightly
copy to dockerfile/Dockerfile.1804.unsafe.nightly
diff --git a/dockerfile/Dockerfile.centos7.nightly b/dockerfile/Dockerfile.centos7.nightly
new file mode 100644
index 0000000..b917db0
--- /dev/null
+++ b/dockerfile/Dockerfile.centos7.nightly
@@ -0,0 +1,26 @@
+FROM centos:7
+
+RUN yum-builddep gcc binutils -y && \
+    yum install -y bzip2 && \
+    yum groupinstall -y "Development Tools" && \
+    cd /root && \
+    curl --output gcc.tar.gz http://ftp.mirrorservice.org/sites/sourceware.org/pub/gcc/releases/gcc-8.4.0/gcc-8.4.0.tar.gz && \
+    tar xzf gcc.tar.gz && \
+    cd gcc-8.4.0 && \
+    ./contrib/download_prerequisites && \
+    mkdir build && \
+    cd build && \
+    ../configure --disable-multilib --enable-languages=c,c++,fortran,go && \
+    make -j $(nproc) && \
+    make install && \
+    cd /root && \
+    git clone git://sourceware.org/git/binutils-gdb.git && \
+    cd binutils-gdb && \
+    git checkout fe26d3a34a223a86fddb59ed70a621a13940a088 && \
+    mkdir build && \
+    cd build && \
+    ../configure --prefix=/usr --enable-gold --enable-ld=default --enable-plugins --enable-shared --disable-werror --enable-64-bit-bfd --with-system-zlib && \
+     make -j "$(nproc)" && \
+     LD_LIBRARY_PATH=/usr/lib make install && \
+     cd /root && \
+     rm -rf gcc-8.4.0 binutils-gdb
diff --git a/samplecode/backtrace/Makefile b/samplecode/backtrace/Makefile
index 21c34a6..bed146c 100644
--- a/samplecode/backtrace/Makefile
+++ b/samplecode/backtrace/Makefile
@@ -22,6 +22,9 @@ SGX_MODE ?= HW
 SGX_ARCH ?= x64
 SGX_DEBUG ?= 1
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -46,13 +49,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -75,7 +79,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -106,16 +110,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -178,4 +178,3 @@ sgx_ustdc:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(RustEnclave_C_Objects) $(App_C_Objects) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/backtrace/enclave/Makefile b/samplecode/backtrace/enclave/Makefile
index 15751b2..8b3fa00 100644
--- a/samplecode/backtrace/enclave/Makefile
+++ b/samplecode/backtrace/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/crypto/Makefile b/samplecode/crypto/Makefile
index f3ab5db..7e5ca1e 100644
--- a/samplecode/crypto/Makefile
+++ b/samplecode/crypto/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -177,4 +177,3 @@ sgx_ustdc:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(RustEnclave_C_Objects) $(App_C_Objects) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/crypto/enclave/Makefile b/samplecode/crypto/enclave/Makefile
index 0369869..75a1edc 100644
--- a/samplecode/crypto/enclave/Makefile
+++ b/samplecode/crypto/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/db-proxy/db-proxy/Makefile b/samplecode/db-proxy/db-proxy/Makefile
index d7abebc..ed7981e 100644
--- a/samplecode/db-proxy/db-proxy/Makefile
+++ b/samplecode/db-proxy/db-proxy/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -158,4 +159,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/db-proxy/db-proxy/enclave/Makefile b/samplecode/db-proxy/db-proxy/enclave/Makefile
index cf074bd..bb4d1ee 100644
--- a/samplecode/db-proxy/db-proxy/enclave/Makefile
+++ b/samplecode/db-proxy/db-proxy/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/file/Makefile b/samplecode/file/Makefile
index 32dac96..c8eccd8 100644
--- a/samplecode/file/Makefile
+++ b/samplecode/file/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -106,16 +110,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -l$(ProtectedFs_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/file/enclave/Makefile b/samplecode/file/enclave/Makefile
index 2457e35..17157ca 100644
--- a/samplecode/file/enclave/Makefile
+++ b/samplecode/file/enclave/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/hello-regex/Makefile b/samplecode/hello-regex/Makefile
index fb0b649..651f37c 100644
--- a/samplecode/hello-regex/Makefile
+++ b/samplecode/hello-regex/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -177,4 +177,3 @@ sgx_ustdc:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(RustEnclave_C_Objects) $(App_C_Objects) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/hello-regex/enclave/Makefile b/samplecode/hello-regex/enclave/Makefile
index fbf28c1..97cb058 100644
--- a/samplecode/hello-regex/enclave/Makefile
+++ b/samplecode/hello-regex/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/hello-rust-vscode-debug/Makefile b/samplecode/hello-rust-vscode-debug/Makefile
index 46b1e73..5b6cfe5 100644
--- a/samplecode/hello-rust-vscode-debug/Makefile
+++ b/samplecode/hello-rust-vscode-debug/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -51,6 +54,8 @@ else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -90,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -161,5 +163,3 @@ compiler-rt:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cargo clean && rm -f Cargo.lock
-
-
diff --git a/samplecode/hello-rust-vscode-debug/enclave/Makefile b/samplecode/hello-rust-vscode-debug/enclave/Makefile
index 2ed45a0..39a3514 100644
--- a/samplecode/hello-rust-vscode-debug/enclave/Makefile
+++ b/samplecode/hello-rust-vscode-debug/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/hello-rust/Makefile b/samplecode/hello-rust/Makefile
index 54997be..0ff67a5 100644
--- a/samplecode/hello-rust/Makefile
+++ b/samplecode/hello-rust/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/hello-rust/enclave/Makefile b/samplecode/hello-rust/enclave/Makefile
index 85ccbf8..93935cf 100644
--- a/samplecode/hello-rust/enclave/Makefile
+++ b/samplecode/hello-rust/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/helloworld/Makefile b/samplecode/helloworld/Makefile
index fb0b649..651f37c 100644
--- a/samplecode/helloworld/Makefile
+++ b/samplecode/helloworld/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -177,4 +177,3 @@ sgx_ustdc:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(RustEnclave_C_Objects) $(App_C_Objects) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/helloworld/enclave/Makefile b/samplecode/helloworld/enclave/Makefile
index 85ccbf8..93935cf 100644
--- a/samplecode/helloworld/enclave/Makefile
+++ b/samplecode/helloworld/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/http_req/Makefile b/samplecode/http_req/Makefile
index d5757f9..7460ecc 100644
--- a/samplecode/http_req/Makefile
+++ b/samplecode/http_req/Makefile
@@ -4,6 +4,9 @@ SGX_SDK ?= /opt/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -28,7 +31,6 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 	Rust_target_dir := debug
@@ -38,6 +40,8 @@ else
 	Rust_target_dir := release
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -78,15 +82,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I $(CUSTOM_EDL_PATH) -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_COMMON_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/http_req/enclave/Makefile b/samplecode/http_req/enclave/Makefile
index 7fdcf96..35068f5 100644
--- a/samplecode/http_req/enclave/Makefile
+++ b/samplecode/http_req/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/hugemem/Makefile b/samplecode/hugemem/Makefile
index 8471bbc..d02a9bc 100644
--- a/samplecode/hugemem/Makefile
+++ b/samplecode/hugemem/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -176,4 +176,3 @@ sgx_ustdc:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(RustEnclave_C_Objects) $(App_C_Objects) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/hugemem/enclave/Makefile b/samplecode/hugemem/enclave/Makefile
index 499f3f5..0759d1b 100644
--- a/samplecode/hugemem/enclave/Makefile
+++ b/samplecode/hugemem/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/kvdb-memdb/Makefile b/samplecode/kvdb-memdb/Makefile
index db5fcd4..529bca8 100644
--- a/samplecode/kvdb-memdb/Makefile
+++ b/samplecode/kvdb-memdb/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/kvdb-memdb/enclave/Makefile b/samplecode/kvdb-memdb/enclave/Makefile
index 85ccbf8..93935cf 100644
--- a/samplecode/kvdb-memdb/enclave/Makefile
+++ b/samplecode/kvdb-memdb/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/localattestation/Makefile b/samplecode/localattestation/Makefile
index cba8625..6fa2110 100644
--- a/samplecode/localattestation/Makefile
+++ b/samplecode/localattestation/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_Cpp_Files := $(wildcard ./app/*.cpp)
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I./attestation -I./Include -I$(CUSTOM_EDL_PATH)
 App_Cpp_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave1/Enclave1.lds
-
+	-Wl,--version-script=enclave1/Enclave1.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave1_Name := enclave1/enclave1.so
 RustEnclave2_Name := enclave2/enclave2.so
diff --git a/samplecode/localattestation/enclave1/Makefile b/samplecode/localattestation/enclave1/Makefile
index d489b94..fef12c7 100644
--- a/samplecode/localattestation/enclave1/Makefile
+++ b/samplecode/localattestation/enclave1/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave1.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/localattestation/enclave2/Makefile b/samplecode/localattestation/enclave2/Makefile
index 629a460..94d0788 100644
--- a/samplecode/localattestation/enclave2/Makefile
+++ b/samplecode/localattestation/enclave2/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave2.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/localattestation/enclave3/Makefile b/samplecode/localattestation/enclave3/Makefile
index 140038f..59c6066 100644
--- a/samplecode/localattestation/enclave3/Makefile
+++ b/samplecode/localattestation/enclave3/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave3.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/logger/Makefile b/samplecode/logger/Makefile
index 54997be..0ff67a5 100644
--- a/samplecode/logger/Makefile
+++ b/samplecode/logger/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/logger/enclave/Makefile b/samplecode/logger/enclave/Makefile
index de190d8..995de67 100644
--- a/samplecode/logger/enclave/Makefile
+++ b/samplecode/logger/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/machine-learning/Makefile b/samplecode/machine-learning/Makefile
index 7ad3f8c..7c06fe7 100644
--- a/samplecode/machine-learning/Makefile
+++ b/samplecode/machine-learning/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -159,4 +160,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/machine-learning/enclave/Makefile b/samplecode/machine-learning/enclave/Makefile
index aa249da..1f7109b 100644
--- a/samplecode/machine-learning/enclave/Makefile
+++ b/samplecode/machine-learning/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/mio/client/Makefile b/samplecode/mio/client/Makefile
index a5a3b96..8519e1d 100644
--- a/samplecode/mio/client/Makefile
+++ b/samplecode/mio/client/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/mio/client/enclave/Makefile b/samplecode/mio/client/enclave/Makefile
index fda17d4..6fed573 100644
--- a/samplecode/mio/client/enclave/Makefile
+++ b/samplecode/mio/client/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/mio/server/Makefile b/samplecode/mio/server/Makefile
index e8fd12d..8519e1d 100644
--- a/samplecode/mio/server/Makefile
+++ b/samplecode/mio/server/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -159,4 +160,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/mio/server/enclave/Makefile b/samplecode/mio/server/enclave/Makefile
index 6b0606f..839419b 100644
--- a/samplecode/mio/server/enclave/Makefile
+++ b/samplecode/mio/server/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/mutual-ra/Makefile b/samplecode/mutual-ra/Makefile
index d96b3af..4b0b16f 100644
--- a/samplecode/mutual-ra/Makefile
+++ b/samplecode/mutual-ra/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/mutual-ra/enclave/Makefile b/samplecode/mutual-ra/enclave/Makefile
index 97dd69c..f82c202 100644
--- a/samplecode/mutual-ra/enclave/Makefile
+++ b/samplecode/mutual-ra/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/net2/Makefile b/samplecode/net2/Makefile
index 54997be..0ff67a5 100644
--- a/samplecode/net2/Makefile
+++ b/samplecode/net2/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/net2/enclave/Makefile b/samplecode/net2/enclave/Makefile
index 85ccbf8..93935cf 100644
--- a/samplecode/net2/enclave/Makefile
+++ b/samplecode/net2/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/pcl/encrypted-hello/Makefile b/samplecode/pcl/encrypted-hello/Makefile
index a35fa77..681f250 100644
--- a/samplecode/pcl/encrypted-hello/Makefile
+++ b/samplecode/pcl/encrypted-hello/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -64,6 +67,8 @@ else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -75,7 +80,6 @@ CUSTOM_COMMON_PATH := ../../../common
 
 Enclave_EDL_Files := enclave/Enclave_t.c enclave/Enclave_t.h app/Enclave_u.c app/Enclave_u.h
 
-
 ######## Enclave Settings ########
 
 ifneq ($(SGX_MODE), HW)
@@ -94,15 +98,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Encrypted_RustEnclave_Name := $(RustEnclave_Name).enc
diff --git a/samplecode/pcl/encrypted-hello/enclave/Makefile b/samplecode/pcl/encrypted-hello/enclave/Makefile
index c52c63a..472b90d 100644
--- a/samplecode/pcl/encrypted-hello/enclave/Makefile
+++ b/samplecode/pcl/encrypted-hello/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/pcl/pcl-seal/Makefile b/samplecode/pcl/pcl-seal/Makefile
index 983f5a2..4907ca7 100644
--- a/samplecode/pcl/pcl-seal/Makefile
+++ b/samplecode/pcl/pcl-seal/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -93,15 +97,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Service_Library_Name) -l$(ProtectedFs_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -178,4 +179,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(PayloadEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a enclave/Payload.edl bin/prov_key.bin
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/pcl/pcl-seal/enclave/Makefile b/samplecode/pcl/pcl-seal/enclave/Makefile
index 14b1b28..3d0a73a 100644
--- a/samplecode/pcl/pcl-seal/enclave/Makefile
+++ b/samplecode/pcl/pcl-seal/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/prost-protobuf/Makefile b/samplecode/prost-protobuf/Makefile
index 54997be..0ff67a5 100644
--- a/samplecode/prost-protobuf/Makefile
+++ b/samplecode/prost-protobuf/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/prost-protobuf/enclave/Makefile b/samplecode/prost-protobuf/enclave/Makefile
index 0b1d559..4e43f6b 100644
--- a/samplecode/prost-protobuf/enclave/Makefile
+++ b/samplecode/prost-protobuf/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/protobuf/Makefile b/samplecode/protobuf/Makefile
index fb81467..813b486 100644
--- a/samplecode/protobuf/Makefile
+++ b/samplecode/protobuf/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -96,15 +100,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -171,4 +172,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a $(Proto_RS_Files)
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/protobuf/enclave/Makefile b/samplecode/protobuf/enclave/Makefile
index 0abcabd..843a59d 100644
--- a/samplecode/protobuf/enclave/Makefile
+++ b/samplecode/protobuf/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/psi/SMCClient/Makefile b/samplecode/psi/SMCClient/Makefile
index 37f6479..91a28cd 100644
--- a/samplecode/psi/SMCClient/Makefile
+++ b/samplecode/psi/SMCClient/Makefile
@@ -20,6 +20,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -54,6 +57,7 @@ ifeq ($(SUPPLIED_KEY_DERIVATION), 1)
 	SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
 
 ######## App Settings ########
 ifneq ($(SGX_MODE), HW)
@@ -84,7 +88,7 @@ else
 endif
 
 App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DEnableClient
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -lsgx_ukey_exchange -lpthread -lworker \
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -lsgx_ukey_exchange -lpthread -lworker \
 -Wl,-rpath=$(CURDIR)/sample_libcrypto -Wl,-rpath=$(CURDIR) -llog4cpp -lboost_system -L/usr/lib -lssl -lcrypto -lboost_thread -lprotobuf -L /usr/local/lib -ljsoncpp -lcurl
 
 ifneq ($(SGX_MODE), HW)
@@ -97,8 +101,6 @@ App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o)
 
 App_Name := app
 
-
-
 ######## Worker Settings ########
 Worker_Cpp_Files := worker/ecp.cpp ../Util/LogBase.cpp \
 worker/ias_ra.cpp ../Util/UtilityFunctions.cpp ../WebService/WebService.cpp worker/sha256.cpp worker/Worker.cpp \
@@ -109,7 +111,7 @@ Worker_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes -I$(SGX_SDK)/includ
 -I../WebService -I../Networking
 
 Worker_Cpp_Flags := $(Worker_C_Flags) -std=c++11
-Worker_Link_Flags :=  -shared $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -lsample_libcrypto -Lsample_libcrypto -llog4cpp
+Worker_Link_Flags :=  -shared -L$(SGX_LIBRARY_PATH) -lsample_libcrypto -Lsample_libcrypto -llog4cpp
 
 Worker_Cpp_Objects := $(Worker_Cpp_Files:.cpp=.o)
 
@@ -117,8 +119,6 @@ Worker_Cpp_Objects := $(Worker_Cpp_Files:.cpp=.o)
 
 all: libworker.so $(App_Name)
 
-
-
 ######## App Objects ########
 isv_app/%.o: isv_app/%.cpp
 	@$(CXX) $(App_Cpp_Flags) -c $< -o $@
@@ -160,4 +160,3 @@ clean:
 	@rm -f $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) isv_app/isv_enclave_u.* $(Enclave_Cpp_Objects) isv_enclave/isv_enclave_t.* libworker.* $(Worker_Cpp_Objects)
 
 
-
diff --git a/samplecode/psi/SMCServer/Makefile b/samplecode/psi/SMCServer/Makefile
index 54d28b7..870a970 100644
--- a/samplecode/psi/SMCServer/Makefile
+++ b/samplecode/psi/SMCServer/Makefile
@@ -21,6 +21,9 @@ SGX_MODE = HW
 SGX_ARCH = x64
 SGX_PRERELEASE=1
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -46,15 +49,17 @@ endif
 endif
 
 ifeq ($(SGX_DEBUG), 1)
-        SGX_COMMON_CFLAGS += -O0 -g
+	SGX_COMMON_CFLAGS += -O0 -g
 else
-        SGX_COMMON_CFLAGS += -O2
+	SGX_COMMON_CFLAGS += -O2
 endif
 
 ifeq ($(SUPPLIED_KEY_DERIVATION), 1)
-        SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION
+	SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -70,7 +75,6 @@ else
 	Urts_Library_Name := sgx_urts
 endif
 
-
 App_Cpp_Files := isv_app/isv_app.cpp ../Util/LogBase.cpp ../Networking/NetworkManager.cpp ../Networking/Session.cpp ../Networking/Server.cpp \
 ../Networking/Client.cpp ../Networking/NetworkManagerServer.cpp ../GoogleMessages/Messages.pb.cpp ../Networking/AbstractNetworkOps.cpp \
 ../Util/UtilityFunctions.cpp ../Enclave/Enclave.cpp ../MessageHandler/MessageHandler.cpp ../Util/Base64.cpp
@@ -93,7 +97,7 @@ else
 endif
 
 App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DEnableServer
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -L./lib -lsgx_ukey_exchange -lpthread -Wl,-rpath=$(CURDIR)/../sample_libcrypto -Wl,-rpath=$(CURDIR) -llog4cpp -lboost_system -lssl -lcrypto -lboost_thread -lprotobuf -L /usr/local/lib -ljsoncpp -lsgx_ustdc
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -L./lib -lsgx_ukey_exchange -lpthread -Wl,-rpath=$(CURDIR)/../sample_libcrypto -Wl,-rpath=$(CURDIR) -llog4cpp -lboost_system -lssl -lcrypto -lboost_thread -lprotobuf -L /usr/local/lib -ljsoncpp -lsgx_ustdc
 
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
@@ -122,7 +126,7 @@ ProtectedFs_Library_Name := sgx_tprotected_fs
 Enclave_Cpp_Files :=
 Enclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/crypto_px/include -I../Enclave/
 
-Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Enclave_Include_Paths)
+Enclave_C_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(Enclave_Include_Paths)
 Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
 
 # To generate a proper enclave, it is recommended to follow below guideline to link the trusted libraries:
@@ -132,14 +136,11 @@ Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
 #       Use `--start-group' and `--end-group' to link these libraries.
 # Do NOT move the libraries linked with `--start-group' and `--end-group' within `--whole-archive' and `--no-whole-archive' options.
 # Otherwise, you may get some undesirable errors.
-Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+Enclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tcxx -lsgx_tstdc -l$(KeyExchange_Library_Name) -l$(Crypto_Library_Name) -l$(Service_Library_Name) -L./lib -lcompiler-rt-patch -lpsienclave -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-    -Wl,--gc-sections\
-	-Wl,--version-script=enclave/enclave.lds
+	-Wl,--version-script=enclave/enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o)
 
diff --git a/samplecode/psi/SMCServer/enclave/Makefile b/samplecode/psi/SMCServer/enclave/Makefile
index 101c0fc..94f8014 100644
--- a/samplecode/psi/SMCServer/enclave/Makefile
+++ b/samplecode/psi/SMCServer/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libpsienclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all clean
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/remoteattestation/Application/Makefile b/samplecode/remoteattestation/Application/Makefile
index 6f092a5..be7de72 100644
--- a/samplecode/remoteattestation/Application/Makefile
+++ b/samplecode/remoteattestation/Application/Makefile
@@ -21,6 +21,9 @@ SGX_MODE = HW
 SGX_ARCH = x64
 SGX_PRERELEASE=1
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -46,15 +49,16 @@ endif
 endif
 
 ifeq ($(SGX_DEBUG), 1)
-        SGX_COMMON_CFLAGS += -O0 -g
+	SGX_COMMON_CFLAGS += -O0 -g
 else
-        SGX_COMMON_CFLAGS += -O2
+	SGX_COMMON_CFLAGS += -O2
 endif
 
 ifeq ($(SUPPLIED_KEY_DERIVATION), 1)
-        SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION
+	SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
 
 ######## CUSTOM Settings ########
 
@@ -71,7 +75,6 @@ else
 	Urts_Library_Name := sgx_urts
 endif
 
-
 App_Cpp_Files := isv_app/isv_app.cpp ../Util/LogBase.cpp ../Networking/NetworkManager.cpp ../Networking/Session.cpp ../Networking/Server.cpp \
 ../Networking/Client.cpp ../Networking/NetworkManagerServer.cpp ../GoogleMessages/Messages.pb.cpp ../Networking/AbstractNetworkOps.cpp \
 ../Util/UtilityFunctions.cpp ../Enclave/Enclave.cpp ../MessageHandler/MessageHandler.cpp ../Util/Base64.cpp
@@ -94,7 +97,7 @@ else
 endif
 
 App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DEnableServer
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -L./lib -lsgx_ukey_exchange -lpthread -Wl,-rpath=$(CURDIR)/../sample_libcrypto -Wl,-rpath=$(CURDIR) -llog4cpp -lboost_system -lssl -lcrypto -lboost_thread -lprotobuf -L /usr/local/lib -ljsoncpp -lsgx_ustdc
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -L./lib -lsgx_ukey_exchange -lpthread -Wl,-rpath=$(CURDIR)/../sample_libcrypto -Wl,-rpath=$(CURDIR) -llog4cpp -lboost_system -lssl -lcrypto -lboost_thread -lprotobuf -L /usr/local/lib -ljsoncpp -lsgx_ustdc
 
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
@@ -123,7 +126,7 @@ ProtectedFs_Library_Name := sgx_tprotected_fs
 Enclave_Cpp_Files :=
 Enclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/crypto_px/include -I../Enclave/
 
-Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Enclave_Include_Paths)
+Enclave_C_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(Enclave_Include_Paths)
 Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
 
 # To generate a proper enclave, it is recommended to follow below guideline to link the trusted libraries:
@@ -133,14 +136,11 @@ Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
 #       Use `--start-group' and `--end-group' to link these libraries.
 # Do NOT move the libraries linked with `--start-group' and `--end-group' within `--whole-archive' and `--no-whole-archive' options.
 # Otherwise, you may get some undesirable errors.
-Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+Enclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tcxx -lsgx_tstdc -l$(KeyExchange_Library_Name) -l$(Crypto_Library_Name) -l$(Service_Library_Name) -L./lib -lcompiler-rt-patch -lraenclave -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-    -Wl,--gc-sections\
-	-Wl,--version-script=enclave/enclave.lds
+	-Wl,--version-script=enclave/enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o)
 
@@ -156,7 +156,6 @@ endif
 endif
 endif
 
-
 .PHONY: all run
 
 ifeq ($(Build_Mode), HW_RELEASE)
diff --git a/samplecode/remoteattestation/Application/enclave/Makefile b/samplecode/remoteattestation/Application/enclave/Makefile
index d1f9046..3690914 100644
--- a/samplecode/remoteattestation/Application/enclave/Makefile
+++ b/samplecode/remoteattestation/Application/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libraenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all clean
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/remoteattestation/ServiceProvider/Makefile b/samplecode/remoteattestation/ServiceProvider/Makefile
index 5f485fe..14d8a9e 100644
--- a/samplecode/remoteattestation/ServiceProvider/Makefile
+++ b/samplecode/remoteattestation/ServiceProvider/Makefile
@@ -20,6 +20,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= SIM
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -54,6 +57,7 @@ ifeq ($(SUPPLIED_KEY_DERIVATION), 1)
 	SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
 
 ######## App Settings ########
 ifneq ($(SGX_MODE), HW)
@@ -84,7 +88,7 @@ else
 endif
 
 App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DEnableClient
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -lsgx_ukey_exchange -lpthread -lservice_provider \
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. -lsgx_ukey_exchange -lpthread -lservice_provider \
 -Wl,-rpath=$(CURDIR)/sample_libcrypto -Wl,-rpath=$(CURDIR) -llog4cpp -lboost_system -L/usr/lib -lssl -lcrypto -lboost_thread -lprotobuf -L /usr/local/lib -ljsoncpp -lcurl
 
 ifneq ($(SGX_MODE), HW)
@@ -98,7 +102,6 @@ App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o)
 App_Name := app
 
 
-
 ######## Service Provider Settings ########
 ServiceProvider_Cpp_Files := service_provider/ecp.cpp ../Util/LogBase.cpp \
 service_provider/ias_ra.cpp ../Util/UtilityFunctions.cpp ../WebService/WebService.cpp service_provider/ServiceProvider.cpp
@@ -149,7 +152,6 @@ $(App_Name): $(App_Cpp_Objects)
 	@echo "LINK =>  $@"
 
 
-
 ######## Service Provider Objects ########
 service_provider/%.o: service_provider/%.cpp
 	@$(CXX) $(ServiceProvider_Cpp_Flags) -c $< -o $@
@@ -163,6 +165,3 @@ libservice_provider.so: $(ServiceProvider_Cpp_Objects)
 
 clean:
 	@rm -f $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) isv_app/isv_enclave_u.* $(Enclave_Cpp_Objects) isv_enclave/isv_enclave_t.* libservice_provider.* $(ServiceProvider_Cpp_Objects)
-
-
-
diff --git a/samplecode/sealeddata/Makefile b/samplecode/sealeddata/Makefile
index fc2e9ee..aa71c40 100644
--- a/samplecode/sealeddata/Makefile
+++ b/samplecode/sealeddata/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/sealeddata/enclave/Makefile b/samplecode/sealeddata/enclave/Makefile
index 7a2daa4..101a5b2 100644
--- a/samplecode/sealeddata/enclave/Makefile
+++ b/samplecode/sealeddata/enclave/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/secretsharing/Makefile b/samplecode/secretsharing/Makefile
index fb0b649..651f37c 100644
--- a/samplecode/secretsharing/Makefile
+++ b/samplecode/secretsharing/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -177,4 +177,3 @@ sgx_ustdc:
 clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) $(RustEnclave_C_Objects) $(App_C_Objects) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/secretsharing/enclave/Makefile b/samplecode/secretsharing/enclave/Makefile
index ba65113..e726bf8 100644
--- a/samplecode/secretsharing/enclave/Makefile
+++ b/samplecode/secretsharing/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/serialize/Makefile b/samplecode/serialize/Makefile
index 94d3b05..651f37c 100644
--- a/samplecode/serialize/Makefile
+++ b/samplecode/serialize/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -74,7 +78,7 @@ endif
 App_C_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.c))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(SGX_LIBRARY_PATH) -L$(CUSTOM_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -105,16 +109,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/serialize/enclave/Makefile b/samplecode/serialize/enclave/Makefile
index 393ec2f..47500ce 100644
--- a/samplecode/serialize/enclave/Makefile
+++ b/samplecode/serialize/enclave/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/sgx-cov/Makefile b/samplecode/sgx-cov/Makefile
index 7afd7d7..c4d5d2b 100644
--- a/samplecode/sgx-cov/Makefile
+++ b/samplecode/sgx-cov/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -51,6 +54,8 @@ else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ifeq ($(XARGO_SGX), 1)
 Target_Dir := ./enclave/target/x86_64-unknown-linux-sgx/debug/
 else
@@ -97,15 +102,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -172,4 +174,3 @@ clean:
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
 	@rm -rf ./all.tag.info ./final.info ./html
-
diff --git a/samplecode/sgx-cov/enclave/Makefile b/samplecode/sgx-cov/enclave/Makefile
index 3b0c752..d5fc3a7 100644
--- a/samplecode/sgx-cov/enclave/Makefile
+++ b/samplecode/sgx-cov/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 ifneq ($(COV),) # Debug build + coverage collection
 	SGX_ENCLAVE_FEATURES = -Z package-features --features "cov"
 	COV_FLAGS = CARGO_INCREMENTAL=0 \
diff --git a/samplecode/static-data-distribution/Makefile b/samplecode/static-data-distribution/Makefile
index 49cef42..2cc84c0 100644
--- a/samplecode/static-data-distribution/Makefile
+++ b/samplecode/static-data-distribution/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -l${ProtectedFs_Library_Name} -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tcxx -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a bin/*.bin
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/static-data-distribution/enclave/Makefile b/samplecode/static-data-distribution/enclave/Makefile
index de591c2..b5354a9 100644
--- a/samplecode/static-data-distribution/enclave/Makefile
+++ b/samplecode/static-data-distribution/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/switchless/Makefile b/samplecode/switchless/Makefile
index f7711b9..1029a57 100644
--- a/samplecode/switchless/Makefile
+++ b/samplecode/switchless/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -lsgx_tswitchless -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/switchless/enclave/Makefile b/samplecode/switchless/enclave/Makefile
index 9b37487..824e425 100644
--- a/samplecode/switchless/enclave/Makefile
+++ b/samplecode/switchless/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/tcmalloc/Makefile b/samplecode/tcmalloc/Makefile
index 5a15daa..ad757c6 100644
--- a/samplecode/tcmalloc/Makefile
+++ b/samplecode/tcmalloc/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -85,9 +89,9 @@ else
 endif
 
 ifeq ($(TCMALLOC), 1)
-    Tcmalloc_Flag := -lsgx_tcmalloc
+	Tcmalloc_Flag := -lsgx_tcmalloc
 else
-    Tcmalloc_Flag :=
+	Tcmalloc_Flag :=
 endif
 
 Crypto_Library_Name := sgx_tcrypto
@@ -99,15 +103,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive $(Tcmalloc_Flag) -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -167,4 +168,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/tcmalloc/enclave/Makefile b/samplecode/tcmalloc/enclave/Makefile
index 85ccbf8..93935cf 100644
--- a/samplecode/tcmalloc/enclave/Makefile
+++ b/samplecode/tcmalloc/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/thread/Makefile b/samplecode/thread/Makefile
index 22e2cd4..43cb8eb 100644
--- a/samplecode/thread/Makefile
+++ b/samplecode/thread/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,14 +48,13 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
-SGX_COMMON_CFLAGS += -L./lib
+SGX_COMMON_CFLAGS += -fstack-protector
 
 ######## CUSTOM Settings ########
 
@@ -77,7 +79,7 @@ App_Cpp_Files := $(filter-out ./app/Enclave_u.c, $(wildcard ./app/*.cpp))
 App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
 App_Cpp_Flags := $(App_C_Flags) -std=c++11
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := -L$(CUSTOM_LIBRARY_PATH) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
 ifneq ($(SGX_MODE), HW)
 	App_Link_Flags += -lsgx_uae_service_sim
 else
@@ -108,16 +110,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
-
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -145,8 +143,8 @@ app/%.o: app/%.cpp
 $(App_Name): app/Enclave_u.o $(App_Cpp_Objects) sgx_ustdc
 	cp ../../sgx_ustdc/libsgx_ustdc.a ./lib
 	mkdir -p bin
-	@$(CXX) app/Enclave_u.o $(App_Cpp_Objects) -o $@ $(App_Link_Flags)
-	@echo "LINK =>  $@"
+	$(CXX) app/Enclave_u.o $(App_Cpp_Objects) -o $@ $(App_Link_Flags)
+	echo "LINK =>  $@"
 
 ######## Enclave Objects ########
 
diff --git a/samplecode/thread/enclave/Makefile b/samplecode/thread/enclave/Makefile
index e8599f1..cbd51a5 100644
--- a/samplecode/thread/enclave/Makefile
+++ b/samplecode/thread/enclave/Makefile
@@ -19,6 +19,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/tls/tlsclient/Makefile b/samplecode/tls/tlsclient/Makefile
index a5a3b96..8519e1d 100644
--- a/samplecode/tls/tlsclient/Makefile
+++ b/samplecode/tls/tlsclient/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/tls/tlsclient/enclave/Makefile b/samplecode/tls/tlsclient/enclave/Makefile
index 5a7b69f..b5d8b6f 100644
--- a/samplecode/tls/tlsclient/enclave/Makefile
+++ b/samplecode/tls/tlsclient/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/tls/tlsserver/Makefile b/samplecode/tls/tlsserver/Makefile
index e8fd12d..8519e1d 100644
--- a/samplecode/tls/tlsserver/Makefile
+++ b/samplecode/tls/tlsserver/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -159,4 +160,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/tls/tlsserver/enclave/Makefile b/samplecode/tls/tlsserver/enclave/Makefile
index 5cff10b..dbb8978 100644
--- a/samplecode/tls/tlsserver/enclave/Makefile
+++ b/samplecode/tls/tlsserver/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/tr-mpc/tr-mpc-server/Makefile b/samplecode/tr-mpc/tr-mpc-server/Makefile
index 88b42e5..d49c1ea 100644
--- a/samplecode/tr-mpc/tr-mpc-server/Makefile
+++ b/samplecode/tr-mpc/tr-mpc-server/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -159,4 +160,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/tr-mpc/tr-mpc-server/enclave/Makefile b/samplecode/tr-mpc/tr-mpc-server/enclave/Makefile
index 2071c85..fd951e7 100644
--- a/samplecode/tr-mpc/tr-mpc-server/enclave/Makefile
+++ b/samplecode/tr-mpc/tr-mpc-server/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/ue-ra/ue-ra-server/Makefile b/samplecode/ue-ra/ue-ra-server/Makefile
index 88b42e5..092b13c 100644
--- a/samplecode/ue-ra/ue-ra-server/Makefile
+++ b/samplecode/ue-ra/ue-ra-server/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -91,15 +95,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
diff --git a/samplecode/ue-ra/ue-ra-server/enclave/Makefile b/samplecode/ue-ra/ue-ra-server/enclave/Makefile
index 7671172..b5fcc53 100644
--- a/samplecode/ue-ra/ue-ra-server/enclave/Makefile
+++ b/samplecode/ue-ra/ue-ra-server/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/unit-test/Makefile b/samplecode/unit-test/Makefile
index aea9f80..45f8fb5 100644
--- a/samplecode/unit-test/Makefile
+++ b/samplecode/unit-test/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -l$(ProtectedFs_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a bin/foo.txt
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/unit-test/enclave/Makefile b/samplecode/unit-test/enclave/Makefile
index 1acd4a9..aeaa15c 100644
--- a/samplecode/unit-test/enclave/Makefile
+++ b/samplecode/unit-test/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/wasmi/Makefile b/samplecode/wasmi/Makefile
index 8c3691a..e2f0623 100644
--- a/samplecode/wasmi/Makefile
+++ b/samplecode/wasmi/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -161,4 +162,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/wasmi/enclave/Makefile b/samplecode/wasmi/enclave/Makefile
index 3ebc14a..d8354fb 100644
--- a/samplecode/wasmi/enclave/Makefile
+++ b/samplecode/wasmi/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/samplecode/zlib-lazy-static-sample/Makefile b/samplecode/zlib-lazy-static-sample/Makefile
index 672c642..2b4b091 100644
--- a/samplecode/zlib-lazy-static-sample/Makefile
+++ b/samplecode/zlib-lazy-static-sample/Makefile
@@ -21,6 +21,9 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
 
+TOP_DIR := ../..
+include $(TOP_DIR)/buildenv.mk
+
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -45,13 +48,14 @@ $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-
 ifeq ($(SGX_DEBUG), 1)
 	SGX_COMMON_CFLAGS += -O0 -g
 else
 	SGX_COMMON_CFLAGS += -O2
 endif
 
+SGX_COMMON_CFLAGS += -fstack-protector
+
 ######## CUSTOM Settings ########
 
 CUSTOM_LIBRARY_PATH := ./lib
@@ -92,15 +96,12 @@ RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
 RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lcompiler-rt-patch -lenclave
-RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(RustEnclave_Include_Paths)
-RustEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
+RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Service_Library_Name) -l$(Crypto_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
-	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--gc-sections \
-	-Wl,--version-script=enclave/Enclave.lds
+	-Wl,--version-script=enclave/Enclave.lds \
+	$(ENCLAVE_LDFLAGS)
 
 RustEnclave_Name := enclave/enclave.so
 Signed_RustEnclave_Name := bin/enclave.signed.so
@@ -160,4 +161,3 @@ clean:
 	@rm -f $(App_Name) $(RustEnclave_Name) $(Signed_RustEnclave_Name) enclave/*_t.* app/*_u.* lib/*.a
 	@cd enclave && cargo clean && rm -f Cargo.lock
 	@cd app && cargo clean && rm -f Cargo.lock
-
diff --git a/samplecode/zlib-lazy-static-sample/enclave/Makefile b/samplecode/zlib-lazy-static-sample/enclave/Makefile
index 6d31cf7..a156f46 100644
--- a/samplecode/zlib-lazy-static-sample/enclave/Makefile
+++ b/samplecode/zlib-lazy-static-sample/enclave/Makefile
@@ -18,6 +18,12 @@ Rust_Enclave_Name := libenclave.a
 Rust_Enclave_Files := $(wildcard src/*.rs)
 Rust_Target_Path := $(CURDIR)/../../../xargo
 
+ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+export MITIGATION_CVE_2020_0551=LOAD
+else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+export MITIGATION_CVE_2020_0551=CF
+endif
+
 .PHONY: all
 
 all: $(Rust_Enclave_Name)
diff --git a/sgx_backtrace_sys/build.rs b/sgx_backtrace_sys/build.rs
index 7ac756f..ccaf8f3 100644
--- a/sgx_backtrace_sys/build.rs
+++ b/sgx_backtrace_sys/build.rs
@@ -35,6 +35,12 @@ fn build_libbacktrace(_target: &str) -> Result<(), ()> {
 
     let mut build = cc::Build::new();
     build
+        .opt_level(2)
+        .flag("-fstack-protector")
+        .flag("-ffreestanding")
+        .flag("-fpie")
+        .flag("-fno-strict-overflow")
+        .flag("-fno-delete-null-pointer-checks")
         .flag("-fvisibility=hidden")
         .include("./libbacktrace")
         .include(&native.out_dir)
@@ -49,6 +55,27 @@ fn build_libbacktrace(_target: &str) -> Result<(), ()> {
         .file("./libbacktrace/sort.c")
         .file("./libbacktrace/state.c");
 
+    let mitigation_cflags = "-mindirect-branch-register -mfunction-return=thunk-extern";
+    let mitigation_asflags = "-fno-plt";
+    let mitigation_loadflags = "-Wa,-mlfence-after-load=yes -Wa,-mlfence-before-ret=not";
+    let mitigation_cfflags = "-Wa,-mlfence-before-indirect-branch=register -Wa,-mlfence-before-ret=not";
+    let mitigation = env::var("MITIGATION_CVE_2020_0551").unwrap_or_default();
+    match mitigation.as_ref() {
+        "LOAD" => {
+            build
+                .flag(mitigation_cflags)
+                .flag(mitigation_asflags)
+                .flag(mitigation_loadflags);
+        },
+        "CF" => {
+            build
+                .flag(mitigation_cflags)
+                .flag(mitigation_asflags)
+                .flag(mitigation_cfflags);
+        },
+        _  => {},
+    }
+
     let any_debug = env::var("RUSTC_DEBUGINFO").unwrap_or_default() == "true" ||
         env::var("RUSTC_DEBUGINFO_LINES").unwrap_or_default() == "true";
     build.debug(any_debug);
diff --git a/sgx_unwind/build.rs b/sgx_unwind/build.rs
index 277f8f5..9e13a03 100644
--- a/sgx_unwind/build.rs
+++ b/sgx_unwind/build.rs
@@ -69,7 +69,29 @@ fn build_libunwind(host: &str, target: &str) -> Result<(), ()> {
                     "unwind",
                     "src/.libs",
                     &filter)?;
-    let cflags = env::var("CFLAGS").unwrap_or_default() + " -fvisibility=hidden -O2";
+
+    let mut cflags = String::new();
+    cflags += " -fstack-protector -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks";
+    cflags += " -O2";
+
+    let mitigation_cflags = " -mindirect-branch-register -mfunction-return=thunk-extern";
+    let mitigation_asflags = " -fno-plt";
+    let mitigation_loadflags = " -Wa,-mlfence-after-load=yes -Wa,-mlfence-before-ret=not";
+    let mitigation_cfflags = " -Wa,-mlfence-before-indirect-branch=register -Wa,-mlfence-before-ret=not";
+    let mitigation = env::var("MITIGATION_CVE_2020_0551").unwrap_or_default();
+    match mitigation.as_ref() {
+        "LOAD" => {
+            cflags += mitigation_cflags;
+            cflags += mitigation_asflags;
+            cflags += mitigation_loadflags;
+        },
+        "CF" => {
+            cflags += mitigation_cflags;
+            cflags += mitigation_asflags;
+            cflags += mitigation_cfflags;
+        },
+        _  => {},
+    }
 
     run(Command::new("sh")
                 .current_dir(&native.out_dir)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org


Mime
View raw message