|
version 1.32, 2017/11/07 02:26:54
|
version 1.33, 2017/11/07 02:37:43
|
|
Line 55 for unsafe programming languages, such a
|
Line 55 for unsafe programming languages, such a
|
| |
|
| It is enabled by default where known supported since pkgsrc-2017Q3. |
It is enabled by default where known supported since pkgsrc-2017Q3. |
| |
|
| |
More details can be found here: |
| * <https://en.wikipedia.org/wiki/Buffer_overflow_protection> |
* <https://en.wikipedia.org/wiki/Buffer_overflow_protection> |
| |
|
| ## Enabled by default in pkgsrc HEAD |
## Enabled by default in pkgsrc HEAD |
|
Line 80 Currently, this means NetBSD on amd64 an
|
Line 81 Currently, this means NetBSD on amd64 an
|
| This also makes the exploitation of some security vulnerabilities more |
This also makes the exploitation of some security vulnerabilities more |
| difficult in some cases. |
difficult in some cases. |
| |
|
| TODO: Explain gcc vs clang, and whether this has broad support or just |
Two different mitigation levels are available: |
| a few platforms. |
* partial: the ELF sections are reordered so that internal data sections |
| |
precede the program's own data sections, and non-PLT GOT is read-only; |
| |
* full: in addition to partial RELRO, every relocation is performed immediately |
| |
when starting the program (with a slight performance impact), allowing the |
| |
entire GOT to be read-only. |
| |
|
| TODO: Address "partial" vs "full"; which is this? |
This is currently supported by GCC. Many software distributions now enable this |
| |
feature by default, at the "partial" level. |
| |
|
| TODO: Give a link to a comprehensive explanation. |
More details can be found here: |
| |
* <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html> |
| |
|
| ### PKGSRC_USE_STACK_CHECK |
### PKGSRC_USE_STACK_CHECK |
| |
|
|
Line 278 additional symbols in the resulting file
|
Line 285 additional symbols in the resulting file
|
| 0000000000600ea0 B __stack_chk_guard |
0000000000600ea0 B __stack_chk_guard |
| |
|
| This is an indicator that the program was indeed built with support for SSP. |
This is an indicator that the program was indeed built with support for SSP. |
| |
|
| # References |
|
| |
|
| * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html> |
|
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc