|
version 1.24, 2017/11/06 00:04:07
|
version 1.25, 2017/11/07 01:49:31
|
|
Line 8 about detecting and fixing problems.
|
Line 8 about detecting and fixing problems.
|
| # Mechanisms |
# Mechanisms |
| |
|
| Mechanisms can be enabled individually in `mk.conf`, and are |
Mechanisms can be enabled individually in `mk.conf`, and are |
| individually described below. They are sorted by whether thery are |
individually described below. They are sorted by whether thery are |
| enabled by default, and then by their ordering in mk/defaults/mk.conf. |
enabled by default, and then by their ordering in mk/defaults/mk.conf. |
| |
|
| Typically, a feature will cause some programs to fail to build or work |
Typically, a feature will cause some programs to fail to build or work |
| when first enabled. This can be due to latent problems in the |
when first enabled. This can be due to latent problems in the |
| program, and can be due to other reasons. After enough testing to |
program, and can be due to other reasons. After enough testing to |
| have confidence that user problems will be quite rare, individual |
have confidence that user problems will be quite rare, individual |
| mechanisms will be enabled by default. |
mechanisms will be enabled by default. |
| |
|
|
Line 29 This allows substitute wrappers to be us
|
Line 29 This allows substitute wrappers to be us
|
| library functions that do not have built-in bounds checking - but |
library functions that do not have built-in bounds checking - but |
| could in some cases. |
could in some cases. |
| |
|
| TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link |
TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link |
| to a good explanation of the technique. Explain if this is gcc specific. |
to a good explanation of the technique. Explain if this is gcc specific. |
| |
|
| It has been enabled by default since pkgsrc-2017Q3. |
It has been enabled by default since pkgsrc-2017Q3. |
| |
|
|
Line 38 It has been enabled by default since pkg
|
Line 38 It has been enabled by default since pkg
|
| |
|
| This enables a stack-smashing protection mitigation. |
This enables a stack-smashing protection mitigation. |
| |
|
| TODO: Give a link to a good explanation. Explain if this is gcc |
TODO: Give a link to a good explanation. Explain if this is gcc |
| specific or also works with other compilers. Explain if it is C/C++ only. |
specific or also works with other compilers. Explain if it is C/C++ only. |
| |
|
| It is enabled by default where known supported since pkgsrc-2017Q3. |
It is enabled by default where known supported since pkgsrc-2017Q3. |
| |
|
|
Line 50 It is enabled by default where known sup
|
Line 50 It is enabled by default where known sup
|
| ### PKGSRC_MKPIE |
### PKGSRC_MKPIE |
| |
|
| This requests the the creation of PIE (Position Independent |
This requests the the creation of PIE (Position Independent |
| Executables) for all executables. The PIE mechanism is normally used |
Executables) for all executables. The PIE mechanism is normally used |
| for shared libraries so that they can be loaded at differing addresses |
for shared libraries so that they can be loaded at differing addresses |
| at runtime. PIE itself does not have useful security properties. |
at runtime. PIE itself does not have useful security properties. |
| However, some operating systems support Address Space Layout |
However, some operating systems support Address Space Layout |
| Randomization (ASLR), which causes different addresses to be used each |
Randomization (ASLR), which causes different addresses to be used each |
| time a program is run. This makes it more difficult for an attacker |
time a program is run. This makes it more difficult for an attacker |
| to guess addresses and thus makes exploits harder to construct. |
to guess addresses and thus makes exploits harder to construct. |
| |
|
| TODO/check: PIE executables will only be built for toolchains that |
TODO/check: PIE executables will only be built for toolchains that |
| support PIE and operating systems known to support ASLR. Currently, |
support PIE and operating systems known to support ASLR. Currently, |
| this means NetBSD 8 and later, i386 and amd64. |
this means NetBSD 8 and later, i386 and amd64. |
| |
|
| ### PKGSRC_USE_RELRO |
### PKGSRC_USE_RELRO |
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc