The first public release of HardenedBSD-stable 12/master branch, which contains lots of security improvements over 11-STABLE

HardenedBSD-stable 12-STABLE



Introducing HardenedBSD-stable 12

Among the security improvements over 11-STABLE are:

  • Non-Cross-DSO Control-Flow Integrity (CFI) for applications on amd64 and arm64. At this time, CFI is not applied to the kernel. More info on CFI is below.
  • Jailed bhyve.
  • Per-jail toggles for unprivileged process debugging (the security.bsd.unprivileged_process_debug sysctl node).
  • Spectre v2 mitigation with retpoline applied to the entirety of base and ports.
  • Symmetric Multi-Threading (SMT) disabled by default (re-enable by setting machdep.hyperthreading_allowed to 1 in loader.conf(5)).
  • Migration of more compiler toolchain components to LLVM's implementations (llvm-ar, llvm-nm, and llvm-objdump).
  • Compilation of applications with Link-Time Optimization (LTO).

Non-Cross-DSO CFI

Non-Cross-DSO CFI is an exploit mitigation technique that helps prevent attackers from modifying the behavior of a program and jumping to undefined or arbitrary memory locations. Microsoft has implemented a variant of CFI, which they term Control Flow Guard, or CFG. The PaX team has spent the last few years perfecting their Reuse Attack Protector, RAP. CFI, CFG, and RAP all attempt to accomplish the same goal, with RAP being the most complete and effective implementation. Clang's CFI is stronger than Microsoft's CFG and PaX Team's RAP is stronger than both CFI and CFG. RAP would be a great addition to HardenedBSD; however, it requires a GPLv3 toolchain and is patented.

Clang's CFI requires a linker that supports Link-Time Optimization (LTO). HardenedBSD 12-STABLE ships with lld as the default linker. All CFI schemes have been enabled for nearly all applications in base. Please note that any application that calls function pointers resolved via dlopen + dlsym will require the cfi-icall scheme to be disabled.
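The dlopen + dlsym caveat above, as an added example that is not HardenedBSD or project code: the target of a dlsym-resolved pointer lives outside the program's LTO unit, so a non-cross-DSO cfi-icall check at that call site rejects it. The helper name `call_resolved` and the sample input are constructed for illustration, and the sketch goes one step beyond the text by using Clang's per-function `no_sanitize` attribute to exempt only the function that makes the call instead of turning the scheme off for the whole binary.

```c
/* Added example. Build with Clang's documented CFI flags to see the effect:
 *   clang -flto -fvisibility=hidden -fsanitize=cfi-icall example.c
 */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*parse_fn)(const char *);

/* Only Clang implements cfi-icall, so the opt-out is defined for Clang only. */
#if defined(__clang__)
#define NO_CFI_ICALL __attribute__((no_sanitize("cfi-icall")))
#else
#define NO_CFI_ICALL
#endif

/* Hypothetical helper: resolve `symbol` at run time and call it through a
 * function pointer. Without NO_CFI_ICALL, a cfi-icall build aborts at the
 * indirect call because the target was not part of this program's LTO unit. */
NO_CFI_ICALL
static int call_resolved(const char *symbol, const char *arg, int *out)
{
    void *handle = dlopen(NULL, RTLD_LAZY); /* NULL: the program's global scope */
    int rc = -1;

    if (handle == NULL)
        return -1;

    /* POSIX permits converting the void * from dlsym to a function pointer. */
    parse_fn fn = (parse_fn)dlsym(handle, symbol);
    if (fn != NULL) {
        *out = fn(arg); /* the indirect call that cfi-icall instruments */
        rc = 0;
    }
    dlclose(handle);
    return rc;
}

int main(void)
{
    int value = 0;

    /* Constructed sample input: resolve libc's atoi by name and call it. */
    if (call_resolved("atoi", "1200058", &value) != 0)
        return 1;
    printf("%d\n", value);
    return 0;
}
```

Keeping the exemption on a single small wrapper leaves every other indirect call in the program checked.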

Installer images

http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/ISO-IMAGES/HardenedBSD-12-STABLE-v1200058/
