Easy Feature Comparison

Feature HardenedBSD FreeBSD OpenBSD NetBSD
Address Space Layout Randomization (ASLR) *
Base compiled as Position-Independent Executables (PIEs)
Base compiled with RELRO + BIND_NOW *
Ports tree compiled with PIE, RELRO, and BIND_NOW
Static PIE
ASLR brute force protection (SEGVGUARD) *
Prevention of the creation of writable and executable memory mappings (W^X part one) *
Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two) *
sysctl hardening
Network stack hardening (IP ID randomization, use IPv6 temporary addresses)
Executable file integrity enforcement
Boot hardening
procfs/linprocfs hardening *
LibreSSL in base as the default cryptography library
SROP mitigation
Most of base sandboxed
Trusted Path Execution
SafeStack in base
SafeStack available in ports
Control-Flow Integrity (CFI) in base
Control-Flow Integrity (CFI) in available in ports
Base compiled with retpoline *
Ports tree compiled with retpoline *

* Hover over the checkbox for more information