Changeset 0ceb504 for introduction
- Timestamp: 08/28/2024 12:46:50 PM (3 weeks ago)
- Branches: 12.2, trunk
- Children: 0c9bd83
- Parents: 2ec620f
- git-author: Xi Ruoyao <xry111@…> (08/28/2024 12:43:45 PM)
- git-committer: Xi Ruoyao <xry111@…> (08/28/2024 12:46:50 PM)
- File: 1 edited
introduction/important/building-notes.xml
r2ec620f r0ceb504 1333 1333 1334 1334 <para> 1335 The main distros use much more, such as 1336 <option>-Wl,-z,now</option> (disabling lazy binding to enhance 1337 <option>-Wl,-z,relro</option>, so the <emphasis>entire</emphasis> 1338 GOT can be made immutable), <option>-fstack-clash-protection</option> 1339 (preventing the attacker from using an unchecked offset from a heap 1340 address to modify the stack), 1341 <option>-fcf-protection=full</option> 1342 (utilizing Intel and AMD CET technology to limit the target 1343 addresses of control-flow transfer instructions; to make it really 1344 effective the entire system must be built with this option, Glibc 1345 must be built with <option>--enable-cet</option>, and the system 1346 must run on Intel Tiger Lake or newer, or AMD Zen 3 or newer), 1347 and <option>-ftrivial-auto-var-init=zero</option> (initializing 1348 some variables by filling zero bytes if they are otherwise 1349 uninitialized). 1350 </para> 1335 The main distros use much more, such as: 1336 </para> 1337 1338 <itemizedlist> 1339 <listitem> 1340 <para> 1341 <option>-Wl,-z,now</option>: disables lazy binding to enhance 1342 <option>-Wl,-z,relro</option>, so the 1343 <emphasis>entire</emphasis> GOT can be made immutable. 1344 </para> 1345 </listitem> 1346 <listitem> 1347 <para> 1348 <option>-fstack-clash-protection</option>: prevents the attacker 1349 from using an offset large enough and not adequately checked to 1350 jump over the stack guard page placed by the kernel and the 1351 stack canary placed by 1352 <option>-fstack-protector=strong</option>, and modify the stack 1353 from a heap address, or vice versa. 1354 </para> 1355 </listitem> 1356 <listitem> 1357 <para> 1358 <option>-ftrivial-auto-var-init=zero</option>: initializes 1359 some variables by filling zero bytes if they are not 1360 initialized by other means. 
1361 </para> 1362 </listitem> 1363 <listitem> 1364 <para> 1365 <option>-fcf-protection=full</option>: utilizes Intel and AMD 1366 CET technology to limit the target addresses of control-flow 1367 transfer instructions. To make it really effective for a 1368 package, all packages providing a shared library for the 1369 package to use must be built with this option, as well as that 1370 package itself, Glibc must be configured with the 1371 <option>--enable-cet</option> option enabled, and the system 1372 must run on Intel Tiger Lake or newer, or AMD Zen 3 or newer. 1373 If the criteria is not met the program compiled with this 1374 option will still run, but not really protected by CET. 1375 </para> 1376 </listitem> 1377 </itemizedlist> 1351 1378 1352 1379 <para>
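Review bot: the GCC option named in the new -fstack-clash-protection item is misspelled: the flag is -fstack-protector-strong, not -fstack-protector=strong, and a reader copying the text as written gets an unrecognized-option error. The canary clause in the same item is also misleading. Stack-clash probing defends the guard page (it touches every page of a frame or alloca/VLA allocation larger than a page, so the allocation cannot step over the guard into an adjacent mapping); it does nothing for the canary, which checks for overwrites within a frame. Suggest dropping "and the stack canary placed by ..." and tightening the item to "prevents an attacker from using a large, inadequately checked stack allocation to jump over the guard page placed by the kernel and so write into the stack from a heap address, or vice versa." Smaller points in the same hunk: the -ftrivial-auto-var-init=zero item says "some variables"; the option applies to automatic (stack) variables, so name them. In the -fcf-protection=full item, "Glibc must be configured with the --enable-cet option enabled" is doubled, "configured with --enable-cet" suffices, and "If the criteria is not met" should read "If these criteria are not met". That item lists the CPU requirement but not the kernel one; user-space CET is only active when the running kernel supports it, so the book should say so if it has a reference for the supported kernel versions.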