--- wikisrc/pkgsrc/hardening.mdwn 2017/11/07 02:00:44 1.28 +++ wikisrc/pkgsrc/hardening.mdwn 2017/11/07 02:14:50 1.29 @@ -36,13 +36,21 @@ It has been enabled by default since pkg ### PKGSRC_USE_SSP -This enables a stack-smashing protection mitigation. - -TODO: Give a link to a good explanation. Explain if this is gcc -specific or also works with other compilers. Explain if it is C/C++ only. +This enables a stack-smashing protection mitigation. It is done by adding a +guard variable to functions with vulnerable objects. The guards are initialized +when a function is entered and then checked when the function exits. The guard +check will fail and the program forcibly exited if the variable was modified in +the meantime. This can happen in case of buffer overflows or memory corruption, +and therefore exposing these bugs. + +This mitigation is supported by both GCC and clang. It may be supported in +additional compilers, possibly under a different name. It is particularly useful +for unsafe programming languages, such as C/C++. It is enabled by default where known supported since pkgsrc-2017Q3. +* + ## Enabled by default in pkgsrc HEAD ## Not enabled by default