Easy Feature Comparison

Feature HardenedBSD FreeBSD OpenBSD NetBSD
Address Space Layout Randomization (ASLR) *
Base compiled as Position-Independent Executables (PIEs)
Base compiled with RELRO + BIND_NOW *
Ports tree compiled with PIE, RELRO, and BIND_NOW
Static PIE
ASLR brute force protection (SEGVGUARD) * *
Prevention of the creation of writable and executable memory mappings (W^X part one)
Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two)
sysctl hardening
Network stack hardening (IP ID randomization, use IPv6 temporary addresses)
Executable file integrity enforcement
Boot hardening
procfs/linprocfs hardening *
LibreSSL in base as the default cryptography library
SROP mitigation
Most of base sandboxed
Trusted Path Execution
SafeStack in base
SafeStack available in ports
Non-Cross-DSO Control-Flow Integrity (CFI) in base
Non-Cross-DSO Control-Flow Integrity (CFI) available in ports
Base compiled with retpoline
Ports tree compiled with retpoline
Intel SMAP+SMEP Support
Userland stack zero-initialized by default
Hardened RTLD by default

* Hover over the checkbox for more information