Home · Changes

Provide some updates
authored Jun 08, 2021 by Shawn Webb

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Home.md
View page @ 0df8cf7b
......@@ -63,6 +63,8 @@ HardenedBSD has successfully implemented the following features:
1. Non-Cross-DSO CFI in base
1. Non-Cross-DSO CFI available in ports
1. Retpoline applied to base and ports
1. Variable auto-init applied to base and ports
1. Link-Time Optimizations (LTO) applied to both apps and libs
# Generic Kernel Options
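Review bot: The list entries "Variable auto-init applied to base and ports" and "Link-Time Optimizations (LTO) applied to both apps and libs" are less specific than their neighbours and should be tightened, since this list sits under "has successfully implemented". The LTO entry says "apps and libs" but, unlike the CFI and Retpoline entries, does not say whether that covers base, ports, or both. The auto-init entry does not say what value variables are initialized to. Suggest stating the scope on the LTO line in the same "in base" / "in ports" form used above it, and naming the auto-init mode.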
......@@ -205,6 +207,11 @@ When a process forks, the child process inherits its parent's ASLR
settings, including deltas. Only at image activation (execve) time
does a process receive new deltas.
To thwart heap spray attacks, HardenedBSD randomizes per-thread
stacks. Effectively, every call to `mmap(MAP_STACK)` gets randomized.
Per-thread stack randomization can be disabled on a per-process basis
by toggling ASLR for that process.
## Position-Independent Executables (PIEs)
In order to make full use of ASLR, applications must be compiled as
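Review bot: In the per-thread stack paragraph, the stated goal (thwarting heap spray) and the mechanism (randomizing `mmap(MAP_STACK)`) are never connected for the reader, and "every call to `mmap(MAP_STACK)` gets randomized" should say what is randomized, presumably the address of the returned mapping. The last sentence also implies there is no separate toggle for this feature, so disabling it means disabling ASLR for the whole process. Say that outright, so nobody turns ASLR off expecting to lose only stack randomization.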
......@@ -421,13 +428,12 @@ yet. Cross-DSO CFI would allow functions resolved through
`dlopen(3)`/`dlsym(3)` to work since CFI would be able to be applied
between Dynamic Shared Object (DSO) boundaries. Significant progress
has been made in the first half of 2018 with regards to Cross-DSO CFI.
The base operating system can be fully compiled with Cross-DSO CFI. On
16 Jul 2018, a pre-alpha
[Call For
Testing](https://hardenedbsd.org/article/shawn-webb/2018-07-16/preliminary-call-testing-cross-dso-cfi)
was released for wider initial testing. The HardenedBSD core
development team hopes to launch Cross-DSO CFI in base within the
latter half of 2019.
The Cross-DSO CFI work was paused in 2019 and 2020. Work has resumed
in 2021, starting with applying LTO to libraries (in addition to the
LTO already applied to apps). When built with Cross-DSO CFI, some
applications, like the ZFS tools, crash. Work is ongoing to determine
the cause of the crashes and fix them.
# hbsdcontrol
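Review bot: The Cross-DSO CFI status text needs a consistency check: this rendered hunk shows both "hopes to launch Cross-DSO CFI in base within the latter half of 2019" and "The Cross-DSO CFI work was paused in 2019 and 2020", so confirm the former is actually removed and not left standing next to the new paragraph. In the new paragraph, "some applications, like the ZFS tools, crash" would be more useful with a link to a tracking issue or a pointer on where to report further crashes. "Work has resumed in 2021" will also age quickly; consider a dated status line, as the older text did with "16 Jul 2018".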
......@@ -687,4 +693,4 @@ Thus, generating a diff between the two configuration files would result in:
baseurl="http://updates.hardenedbsd.org/pub/HardenedBSD/updates/${branch}/$(uname -m)"
```
[back to top](https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#)
\ No newline at end of file
[back to top](https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#)