--- wikisrc/pkgsrc/hardening.mdwn 2017/11/12 15:02:00 1.36 +++ wikisrc/pkgsrc/hardening.mdwn 2017/11/12 15:12:49 1.37 @@ -67,12 +67,14 @@ More details can be found here: ### PKGSRC_MKPIE This requests the creation of PIE (Position Independent Executables) for all -executables. The PIE mechanism is normally used for shared libraries so that +executables. The PIE mechanism is normally used for shared libraries, so that they can be loaded at differing addresses at runtime. PIE itself does not have -useful security properties. However, some operating systems support Address -Space Layout Randomization (ASLR), which causes different addresses to be used -each time a program is run. This makes it more difficult for an attacker to -guess addresses and thus makes exploits harder to construct. +useful security properties; however, it is necessary to fully leverage some, +such as ASLR. Some operating systems support Address Space Layout Randomization +(ASLR), which causes different addresses to be used each time a program is run. +This makes it more difficult for an attacker to guess addresses and thus makes +exploits harder to construct. With PIE, ASLR can really be applied to the entire +program, instead of the stack and heap only. PIE executables will only be built for toolchains that are known to support PIE. Currently, this means NetBSD on amd64 and i386.
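Review bot: In the added sentence "it is necessary to fully leverage some, such as ASLR", the word "some" has no clear referent, and ASLR is abbreviated one sentence before the paragraph expands it as "Address Space Layout Randomization (ASLR)". Consider naming the thing directly and expanding the term on first use, for example "however, it is necessary to take full advantage of mitigations such as Address Space Layout Randomization (ASLR)", then using the bare abbreviation afterwards. In the final added sentence, "instead of the stack and heap only" sits oddly with the opening of the same paragraph, which says shared libraries are already loaded at differing addresses. Stating that PIE extends randomization to the executable itself would be more precise, and "really" can be dropped.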