Announcing ASLR Completion

Over the July 4th weekend, we implemented randomization of the VDSO (Virtual Dynamic Shared Object). The VDSO is a spot in memory that is shared between the kernel and userland memory. It contains the signal trampoline and time-related code (like gettimeofday(2)). Randomizing the VDSO was the last piece of the address space to randomize. Now that it is implemented, our ASLR implementation is now complete. Our version of ASLR is the strongest form ever implemented in any BSD operating system. Read on for the full feature list.

Introducing True Stack Randomization

When we first implemented ASLR for FreeBSD, we implemented the stack randomization portion as a random gap. This means that the base address for the stack remained constant, but where applications started utilizing the stack would change randomly. We have now implemented true stack randomization. The base address for the stack is now randomized. We still utilize a random stack gap on top of true stack randomization to provide further entropy and security. This means that we can effectively achieve 42 bits of entropy for the stack.

Seeking Package Mirrors

HardenedBSD is gaining a lot of traction. We maintain our own packages to ensure proper ABI/API compatibility with HardenedBSD. We are looking for those who would be interested in mirroring our package repositories. You'd be looking at 2x50GB per repository. Right now, we only have one repo for 11-CURRENT/amd64. But we will soon be expanding to also building 10-STABLE/amd64 packages as well. We are currently restructuring the way our repo works. Of course, if you decide to become an official mirror, your name will be listed on our donors page. We appreciate the help and support the community has given us already and we look forward to working further with the community as we grow. Please contact us at [email protected] to discuss further details.

Poll: linuxulator Removal

Body: 

The linuxulator (the Linux emulation/translation layer in FreeBSD) has recently undergone a major overhaul. Many of FreeBSD's userbase relies on the linuxulator to provide things like the Adobe Flash Player browser plugin, linux browsers, and certain linux-centric tasks. The linuxulator provides a set of security challenges. It is yet another attack vector. The core HardenedBSD team would like to completely remove the linuxulator from HardenedBSD's codebase.

What would be removed:

  1. linuxulator and its dependents
  2. linprocfs (pending investigation, this might not be removed)
  3. packages that require the linuxulator

Should the linuxulator be removed?

Yes
66% (133 votes)
No
34% (70 votes)
Total votes: 203

HardenedBSD Backport to 10-STABLE

We mostly finished the backport of our 11-CURRENT patches to 10-STABLE this week. This means that those who have a preference not to use 11-CURRENT (and we don't blame them) can now have the comfort of having exploit mitigation features in a more stable branch. The backport is currently in an experimental branch (hardened/experimental/10-stable) but will be promoted to a stable branch (hardened/10-stable/master) in around a month if we deem it to be stable. We will soon be providing amd64 packages as well.

Pages

Subscribe to HardenedBSD RSS