Over the past few months, Oliver has been busy writing a new exploit mitigation feature for HardenedBSD: NoExec. The first part of this project was merged into master tree, and there are still ongoing issues to solve. Our implementation is inspired by PaX's. NoExec prevents pages that are marked as writable from being marked executable as well. It also prevents using mprotect(2)
to change a non-executable page to an executable one. This, of course, can cause issues with applications that expect to be able to mark existing pages as executable. Firefox is a good example. You will need to either jail the application in a jail with NoExec turned off or use secadm
to turn off NoExec for that application.
This feature bumps the HardenedBSD version number up to 17. We're doing a new package build as well. You'll also get some applications built as Position-Independent Executables (PIEs) with this package build.