Diff for /wikisrc/pkgsrc/hardening.mdwn between versions 1.32 and 1.33

version 1.32, 2017/11/07 02:26:54 version 1.33, 2017/11/07 02:37:43
Line 55  for unsafe programming languages, such a Line 55  for unsafe programming languages, such a
   
 It is enabled by default where known supported since pkgsrc-2017Q3.  It is enabled by default where known supported since pkgsrc-2017Q3.
   
   More details can be found here:
 * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>  * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>
   
 ## Enabled by default in pkgsrc HEAD  ## Enabled by default in pkgsrc HEAD
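Review bot: The new lead-in "More details can be found here:" sits directly above the `* <https://en.wikipedia.org/wiki/Buffer_overflow_protection>` item with no blank line between them, and some Markdown renderers will then fold the bullet into the preceding paragraph instead of starting a list. Add an empty line after the lead-in so the link renders as a list item.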
Line 80  Currently, this means NetBSD on amd64 an Line 81  Currently, this means NetBSD on amd64 an
 This also makes the exploitation of some security vulnerabilities more  This also makes the exploitation of some security vulnerabilities more
 difficult in some cases.  difficult in some cases.
   
 TODO: Explain gcc vs clang, and whether this has broad support or just  Two different mitigation levels are available:
 a few platforms.  * partial: the ELF sections are reordered so that internal data sections
     precede the program's own data sections, and non-PLT GOT is read-only;
   * full: in addition to partial RELRO, every relocation is performed immediately
     when starting the program (with a slight performance impact), allowing the
     entire GOT to be read-only.
   
 TODO: Address "partial" vs "full"; which is this?  This is currently supported by GCC. Many software distributions now enable this
   feature by default, at the "partial" level.
   
 TODO: Give a link to a comprehensive explanation.  More details can be found here:
   * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
   
 ### PKGSRC_USE_STACK_CHECK  ### PKGSRC_USE_STACK_CHECK
   
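Review bot: The removed TODO asked `"partial" vs "full"; which is this?`, and the replacement text describes both levels and notes that many distributions default to "partial", but it never states which level this pkgsrc option applies, so a reader still cannot tell how much of the GOT ends up read-only in their packages. State the level pkgsrc uses, and how to select the other one if that is possible, right after the two bullets. The earlier TODO also asked about gcc vs clang and whether support is broad or limited to a few platforms; "This is currently supported by GCC" leaves clang and the platform question open, so either answer them or keep a TODO for that part.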
Line 278  additional symbols in the resulting file Line 285  additional symbols in the resulting file
     0000000000600ea0 B __stack_chk_guard      0000000000600ea0 B __stack_chk_guard
   
 This is an indicator that the program was indeed built with support for SSP.  This is an indicator that the program was indeed built with support for SSP.
   
 # References  
   
 * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>  
   



CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb