cl /GS

The goal of using /GS is to detect an alteration of a functions's return address that is stored on the stack. If the return address was changed during the execution of a function, the program does not return to the original code. This might be exploited by malware or might happen inadvertantly when a buffer overflows.

Sources that are compiled with /GS (which is enabled by default) can detect the alteration of the return address. The compiler causes the function to insert a »cookie« (a value) on the stack right after (before?) the frame pointer and before (after?) the exception handler frame or return address when the function is entered. When the function is left, the value of the cookie is compareed to the value it had when the function is entered. If those values are different, this is a sign that indeed a buffer overflow has happened and an error reporting function (defined in gs_report.c is called.

The value of the cookie that is put on the stack is also stored in the global variable __security_cookie which is defined in the CRT source gs_cookie.c.

The function that initializes the value of __security_cookie is defined in gs_support.c.