Introducing HardenedBSD-stable 12
HardenedBSD-stable 12 Among those improvements are:
- Non-Cross-DSO Control-Flow Integrity (CFI) for applications on amd64 and arm64. At this time, CFI is not applied to the kernel. More info on CFI is below.
- Jailed bhyve.
- Per-jail toggles for unprivileged process debugging (the
- Spectre v2 mitigation with retpoline applied to the entirety of base and ports.
- Symmetric Multi-Threading (SMT) disabled by default (re-enable by setting
- Migration of more compiler toolchain components to llvm's implementations (llvm-ar, llvm-nm, and llvm-objdump).
- Compilation of applications with Link-Time Optimization (LTO).
Non-Cross-DSO CFI is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation. Clang's CFI is stronger than Microsoft's CFG and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patented.
Clang's CFI requires a linker that supports Link-Time Optimization (LTO). HardenedBSD 12-STABLE ships with lld as the default linker. All CFI schemes have been enabled for nearly all applications in base. Please note that any application that calls function pointers resolved via
dlsym will require the
cfi-icall scheme to be disabled.
- Ian plays Roller Coaster Tycoon 3:on Fandom Fare Kids Social Distance - September 28, 2020
- Announcing the content of TEKKEN 7’s Season Pass 4 in a new blitzing trailer! - September 28, 2020
- THE KING OF FIGHTERS ALLSTAR INTRODUCES AN ALL-NEW GAMEPLAY MODE IN SEPTEMBER UPDATE - September 28, 2020