Introducing Full PIE Support

We at HardenedBSD have added support in 11-CURRENT for compiling nearly all of base as Position-Independent Executables (PIEs, for short). This work bumps hardening.version to 45. We've enabled PIE base for amd64 and i386 and hope to enable it for arm64 before or during BSDCan 2016. Compiling an application as a PIE enables it to take full advantage of ASLR. Without PIE support, the application itself is loaded at a fixed address, determined at compile time. As of this writing, only nine applications are not compiled as PIEs. At least two of them must stay that way (/sbin/init and /sbin/init.bak), so that leaves the outstanding list at seven. This is a huge leap forward for HardenedBSD. We have tested PIE base on several amd64 systems, both virtualized and bare metal. We have done multiple amd64 package builds with success. We would like to thank Bryan Drewery for his help.

An hbsd-update(8) update archive has been published for 11-CURRENT/amd64 with the "PIEified" base. Update at your leisure.

PIE base is enabled by default for amd64 and i386. We hope to enable it for ARM64 before or during BSDCan. Speaking of ARM64, we will be bringing ten Raspberry Pi 3 devices (which are ARM64) with us to BSDCan, eight of which will be given out to lucky individuals. We want the BSD community to hack on them and get ARM64/Aarch64 fully functional on them.

UPDATE 18 Apr 2016 05:03:00 EDT: PIEified base support has been enabled for ARM64.

New stable release: HardenedBSD-stable 10-STABLE v42.2

Secadm 0.3.0 Released

We at HardenedBSD have been hard at work on secadm. Brian Salcedo rewrote core parts of secadm, making it much more efficient. As part of the rewrite, the rule syntax has changed. Please refer to the new secadm.conf(5) manpage for details on the new syntax.

Here's what has changed between secadm 0.2 and secadm 0.3.0:

  • Rewritten backend
  • Integriforce dedup - more on this below
  • Integriforce in whitelist mode - more on this below
  • manpages! secadm(8) and secadm.rules(5)
  • Allow modification and deletion of files that have rules pertaining to them if the rule is disabled
  • Various bugfixes

Integriforce in whitelist mode is a form of verified application whitelisting. When Integriforce is set in whitelisting mode, all desired applications along with their shared objects must have an Integriforce rule. The rtld should also have an Integriforce rule. If an application attempts to start and there is no Integriforce rule for that application or the shared objects it depends on, execution is denied. Whitelisting is only enforced when explicitly enabled and there is at least one Integriforce rule loaded.

As we at HardenedBSD found out with the new rewrite, in the beta releases of secadm 0.3, it was not possible to have Integriforce rules loaded for two files that were hardlinks to each other, like /bin/[ and /bin/test. secadm 0.3 now supports that, but will disregard the second (or following) rules. Both files are still protected as they really point to the same underlying file. As a result, if a hash mismatch occurs, the filename printed out refers to the first rule that matches the hardlinked file.

Download secadm 0.3.0 here. GPG signature is here


Subscribe to HardenedBSD RSS