| Feature | HardenedBSD | FreeBSD | OpenBSD | NetBSD |
| Address Space Layout Randomization (ASLR) |  |
* |
|
|
| Base compiled as Position-Independent Executables (PIEs) | |
 |
|
|
| Base compiled with RELRO + BIND_NOW | |
|
|
* |
| Ports tree compiled with PIE, RELRO, and BIND_NOW | |
|
|
|
| Static PIE | |
|
|
|
| ASLR brute force protection (SEGVGUARD) | * |
|
|
* |
| Prevention of the creation of writable and executable memory mappings (W^X part one) | |
|
|
|
| Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two) | |
|
|
|
| sysctl hardening | |
|
|
|
| Network stack hardening (IP ID randomization, use IPv6 temporary addresses) | |
|
|
|
| Executable file integrity enforcement | |
|
|
|
| Boot hardening | |
|
|
|
| procfs/linprocfs hardening | |
|
* |
|
| LibreSSL in base as the default cryptography library | |
|
|
|
| SROP mitigation | |
|
|
|
| Most of base sandboxed | |
|
|
|
| Trusted Path Execution | |
|
|
|
| SafeStack in base | |
|
|
|
| SafeStack available in ports | |
|
|
|
| Non-Cross-DSO Control-Flow Integrity (CFI) in base | |
|
|
|
| Non-Cross-DSO Control-Flow Integrity (CFI) available in ports | |
|
|
|
| Base compiled with retpoline | |
|
|
|
| Ports tree compiled with retpoline | |
|
|
|
| Intel SMAP+SMEP Support | |
|
|
|
| Userland stack zero-initialized by default | |
|
|
|
| Hardened RTLD by default | |
|
|
|
* Hover over the checkbox for more information
