| Address Space Layout Randomization (ASLR) |  | * |  |  |
| Base compiled as Position-Independent Executables (PIEs) |  |  |  |  |
| Base compiled with RELRO + BIND_NOW |  |  |  | * |
| Ports tree compiled with PIE, RELRO, and BIND_NOW |  |  |  |  |
| Static PIE |  |  |  |  |
| ASLR brute force protection (SEGVGUARD) | * |  |  | * |
| Prevention of the creation of writable and executable memory mappings (W^X part one) |  |  |  |  |
| Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two) |  |  |  |  |
| sysctl hardening |  |  |  |  |
| Network stack hardening (IP ID randomization, use IPv6 temporary addresses) |  |  |  |  |
| Executable file integrity enforcement |  |  |  |  |
| Boot hardening |  |  |  |  |
| procfs/linprocfs hardening |  |  | * |  |
| LibreSSL in base as the default cryptography library |  |  |  |  |
| SROP mitigation |  |  |  |  |
| Most of base sandboxed |  |  |  |  |
| Trusted Path Execution |  |  |  |  |
| SafeStack in base |  |  |  |  |
| SafeStack available in ports |  |  |  |  |
| Non-Cross-DSO Control-Flow Integrity (CFI) in base |  |  |  |  |
| Non-Cross-DSO Control-Flow Integrity (CFI) available in ports |  |  |  |  |
| Base compiled with retpoline |  |  |  |  |
| Ports tree compiled with retpoline |  |  |  |  |
| Intel SMAP+SMEP Support |  |  |  |  |
| Userland stack zero-initialized by default |  |  |  |  |
| Hardened RTLD by default |  |  |  |  |