Address Space Layout Randomization (ASLR) |
 |
* |
 |
 |
Base compiled as Position-Independent Executables (PIEs) |
 |
 |
 |
 |
Base compiled with RELRO + BIND_NOW |
 |
 |
 |
* |
Ports tree compiled with PIE, RELRO, and BIND_NOW |
 |
 |
 |
 |
Static PIE |
 |
 |
 |
 |
ASLR brute force protection (SEGVGUARD) |
* |
 |
 |
* |
Prevention of the creation of writable and executable memory mappings (W^X part one) |
 |
 |
 |
 |
Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two) |
 |
 |
 |
 |
sysctl hardening |
 |
 |
 |
 |
Network stack hardening (IP ID randomization, use IPv6 temporary addresses) |
 |
 |
 |
 |
Executable file integrity enforcement |
 |
 |
 |
 |
Boot hardening |
 |
 |
 |
 |
procfs/linprocfs hardening |
 |
 |
* |
 |
LibreSSL in base as the default cryptography library |
 |
 |
 |
 |
SROP mitigation |
 |
 |
 |
 |
Most of base sandboxed |
 |
 |
 |
 |
Trusted Path Execution |
 |
 |
 |
 |
SafeStack in base |
 |
 |
 |
 |
SafeStack available in ports |
 |
 |
 |
 |
Non-Cross-DSO Control-Flow Integrity (CFI) in base |
 |
 |
 |
 |
Non-Cross-DSO Control-Flow Integrity (CFI) available in ports |
 |
 |
 |
 |
Base compiled with retpoline |
 |
 |
 |
 |
Ports tree compiled with retpoline |
 |
 |
 |
 |
Intel SMAP+SMEP Support |
 |
 |
 |
 |
Userland stack zero-initialized by default |
 |
 |
 |
 |
Hardened RTLD by default |
 |
 |
 |
 |