We are excited to announce SafeStack in HardenedBSD base, along with the availability of SafeStack in ports! SafeStack is part of the Code Pointer Integrity (CPI) project within clang. For those running HardenedBSD 12-CURRENT (the hardened/current/master branch) on amd64, you can enjoy the benefits of SafeStack. Simply sync your source tree and rebuild world (you'll likely want to rebuild kernel to match world, of course). SafeStack is enabled by default for amd64 only. It is not ready for other architectures (like aarch64). Additionally, SafeStack is only applicable to applications, not shared objects.

Since SafeStack is still in early stages of development, we will not be enabling SafeStack globally for ports like we do with PIE and RELRO+BIND_NOW. Instead, we will add a flag to commonly-used ports entries that will tell our ports hardening framework to use SafeStack for that port. Users always have the option to opt-in or out a port via the config.

As the lld project becomes more mature, we'll make sure to test other CPI features. We hope to incorporate more CPI features in the future.

UPDATE 28 November 2016 - More Info:
Not many people may know what SafeStack is. Below is more information.

SafeStack is an exploit mitigation technique that creates two stacks: one for data that needs to be kept safe, such as return addresses and function pointers; and an unsafe stack for everything else. SafeStack promises a low performance penalty (typically around 0.1%).

SafeStack requires both ASLR and W^X in order to be effective. With HardenedBSD satisfying both of those prerequisites, SafeStack was deemed to be an excellent candidate for default inclusion in HardenedBSD. Starting with HardenedBSD 12-CURRENT, it is enabled by default for amd64. Support for non-amd64 architectures is limited by upstream clang.

As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries. As such, SafeStack is still undergoing active development.

SafeStack has been made available to the HardenedBSD ports tree as well. Unlike PIE and RELRO+BIND_NOW, it is not enabled globally for the ports tree. Some ports, like ports-mgmt/pkg have SafeStack enabled by default. Only those ports that have been tested to work fine will have SafeStack enabled by default. Users are able to toggle SafeStack by using the config target. Additionally, the SafeStack option is only applicable to amd64 architectures. Attempting to enable SafeStack for a non-amd64 port build will result in a NO-OP. SafeStack will simply not be applied.

Here's some good weekend reading for you if you'd like more info about SafeStack and CFI/CPI in general:

1. SafeStack - Clang documentation
2. Fine-Grained Control-Flow Integrity through Binary Hardening (PDF)
3. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity (PDF
4. Code-Pointer Integrity (PDF)

HardenedBSD-11-STABLE-v46.10 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update

Highlights:

• Update ntpd to 4.2.8p9 (db75d5027e10e6a41b54cb66e21f2fe7480a1618) [FreeBSD-SA-Candidate]
• Initialize reserved bytes in struct mq_attr (a0c278e1ff9e12b0d2716d96eab8499cd124918b) [FreeBSD-SA-Candidate]
• Increase the max allowed size of the microcode update blob for x86. (01d99faedd3455353cd536056c4aeb3f97086cc0)
• HyperV updates
• ZFS updates
• VM updates
• tzdata update

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-bootonly.iso) = b044feffd705ac9aa12f5c9fb9a6c3696353dddfe5bf398968b2cadb02e086b964c2010736232d10c08087ee9ff0f86658415a3d401d1d3f8ea5424f06b33060
SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-disc1.iso) = 35d96229be27bcd1c538875becbf9078b5d727657ebac0584799e1a45c791ab9f013837ab4177415477bd4cca599fa657176267407b464b46dd693a075a647a2
SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-memstick.img) = 61f92489daab8c6eb5cbb6d9ee31a040f1603b55a26d3049cda9507e9c374dcfb7fb83e876cdf9f07fb93966a5565dd50b14d95357d9687541d3782c4562b88e
SHA512 (HardenedBSD-11-STABLE-v46.10-amd64-mini-memstick.img) = 0364d36957814afa094d19603c30839c7caed783254e8f1b5de4b893493641386370f678a0c9ce8321be0b5be260c5bc231db55c73f401c2469e29a83366892f


CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlg2BSYACgkQgZsRom/9
GI0wnxAAwmJq7LA9WSfSUQixeHqGCXcu6XyoxZJbvluKdbZsacFZYjd4G/wYGYQx
YKZ3ShHTzJIJAbpPg0a2OfNDMtFa20YX/mhcU3/qW9gZMzKMVdO4lAMYFokAQQDL
GCvtzh4QY+XRDhbI3RXr16bYsOSFSjDci7mX1RBui+U3ER7pzcymPuOO8703Rewh
+pffiHSlFragITJo8PDZMLwFwWeq4G92g1YODmrADYzxPDuBF9+ax8Ysgq4nzqPr
mdg/JyLRpz/WE1XSsGuZB6r5yi5CV/XLJb9mBnLXRQyRvHe+zMqO3uvLr1mdcIZV
/TTleLL32FVQXf2+UXfs6w8qy4kqUZT6kLUecV1dixc6HXk4YGkrKLrahKKQWe/Q
lxUo6JhMxQbQCZJY18gDEMiH4kpSmb161BXAjmWHon2vhqCkLnOYxo1tbrEDof6i
Ndz8F9C5MsuZg9a5cnwxKW7xWE0dV7rjMxLQ1dooil1MVRY0Ap7jO3HsyuHiZskU
m+YObvCMHTFbuX/Qrag/f1t6Q1sWvaUSL0o7l2hRS2XSPnaKE1IomPK1i0oJtIKE
DE3Hg6ydL5zQOzkOoC3Gs092Y/RATfw/7SRdwtFrPt+zmFnzK581VFLfqMyvY3lT
Pg3niuMPETIbpWiVcGJGYuFSew/52FCFbHisrMX/367XPThQqww=
=AM8E
-----END PGP SIGNATURE-----

HardenedBSD-10-STABLE-v46.17 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update

Highlights:

• OpenSSL: Don't allow too many consecutive warning alerts. CVE-2016-8610 (3944e88fda9dc9f4f391a06b18cd7583f783e8ec) [FreeBSD-SA-16:35.openssl]
• MFC r308197: MFV r308196: Fix OpenSSH remote Denial of Service vulnerability. CVE-2016-8858 (bb8c1d3b5e1d1ff2b26db3fcd0ca74e6418a4908) [FreeBSD-SA-16:33.openssh]
• MFC r307132: Use copyout() instead of pointing sbuf to user-space buffer. (1e74d3419b0da1ebb8106c23763e29c3ddacfc5a)

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-bootonly.iso) = aad9e8d4c879e77aebe8f6da63654f5f3a5b8fc1dd67cf20e158d537255ca2d0ca1ec9752814a0b7466231e4e49a61be31cc8b9d00e8ceae4f5bf5991a246626
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-disc1.iso) = 4cfb825fad4c9bf2872d3da3aa8e9ec0e58ac9eb75441c9af87f062cf9a6a5353340984d59efeaf906bb184e15b574d82e908d868c45fc7fe6885a326c59972e
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-memstick.img) = e1287439ab32fe7cc8738ff35b2c6fa7faf8960b85104512a28bb5bb3c39ec07c30669e19cb8bf6223e85cce0286a33927f52c38522efde5c92c7a4c103bbc65
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-mini-memstick.img) = f14b0dbe4c2af31a02a8d919fd8ffaf0835a3ac4ff59330a51bb38ba993ea963493e48fabe9c89c564be46eacb0506d060e45356e319315c0d6f94dea28eab12
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-uefi-bootonly.iso) = 05170a1ea94e3b828ba501a76bf544d7c3082539b7ed0c555381c0c53faa878e103d2faf155fcda8d705ebefb8e0b4e08288a56e9412f1c8d15b7bd771c9a5cc
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-uefi-disc1.iso) = 36e8325dc103e12472b0a68ccae88ff632400fb9fc70f77857ee757c33342ab0f22f877801384ecc39cd77dbccf1e2cc78cf0564b0d86a3f3d225cc6fcded5c3
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-uefi-memstick.img) = 58d1abe6a6e55d88e77840a4ea804c0b789b79981f11a1c0ee4d4c0ec8ddecd3dbf6754d97f254d06bfeabdd0ffa725c6d76150ecd64604c85b23760ddbd92ef
SHA512 (HardenedBSD-10-STABLE-v46.17-amd64-uefi-mini-memstick.img) = 7cae17f04dec06c67f4307dc12114897fd87560a5dcf800b79497316ca328abbcaba2406daf9d4bb1e728f5b50741ee9217215b2bd425aa9bd32309328d8173e


CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----

iQIcBAABCAAGBQJYGdoMAAoJEIGbEaJv/RiNyWIQAMVKOe8zAIrAQLiIvx2GqGMp
JluKdh5+dgRcDlDXBrnbpWthsCNx22zfIYfPKezH7qVdd+yIMAI5pr3K19IADWDb
JkJjAishvAnxmUsF0MjLuk7zWkuKmxpN7ZBRTZUrSkN6qzQqvelK68NPi+fXCJJr
62kMOmoQfmswNu9SzCAPCSN9eSsg2f4F36oYLCiHsVAybWhyDWiikJLii74cCOVx
YgSSnLU07mDhq3DKHV5l41lKHtGEL99UwoaVT0fdQrPqf/saSb0Pw7Z019cOeg7e
vq4o+uAKgbPe6w+QUAYnc6hNU5w/md1ljP5cXHGg1GkXw5sHVXnvbS871/4tyghx
v05MOeM1srHyLkv0EznA/raWfs2okZ7P59pCrNvd9FYeJquk4dk7ItSF20fStoEm
RN1g6cCrLwtfzKNWKaP66vnLjtdZt4kKTkSvXomIzJlI4mHAWIAxH430/zqOEy4O
QUWrN3I7FHA3O0HCVdEm6fcyMmlL6YN5Cb9waMyDMM/jZX/ZePnpgZd7S2o1nRpa
HxkpIllpsclYr0cEzGwucdSWOUUf2xYvnjF5P5koaUI/B98ZfDS8j1oBqvizJtGf
ArWZsGlrPmSZkJF5LiB0nJ7d2JBESB5CrAKpcEN1hfskLnyQWEfyFlpDLNJydW4u
XGtCwRGzoGcaFGir3D1g
=z6fM
-----END PGP SIGNATURE-----

HardenedBSD-10-STABLE-v46.16 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

Warning: this is a security update!

Highlights:

• The argument validation in r296956 was not enough to close all possible overflows in sysarch(2). (c4ea095d31613b4c6ba16691ee347e97ed30899f) [FreeBSD SA-16:15]
• HBSD MFC: MFV r307859: Update libarchive to 3.2.2 (e80aebeed4230b7c49bbfcaa58a20d666dc3983f) [FreeBSD SA Candidate]
• Lot of hyper-v update
• Lot of ZFS update

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-bootonly.iso) = 5d77d660366900d971d7de05fdb9118370b387f03035ee906fc761cc28bb44f2a962e40df68e0bc614f1bb4e395728c4dcfac414afc513b2be1570b164f82523
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-disc1.iso) = 6103602bfc3769ae9f0e334b1b8f8ea793bbd71c698fc8fd85ed5b90c2ddbf24e21e553884810fa78d77ea67653ce014621d9bdc0d3e5e54cecb02cffea6e964
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-memstick.img) = 82711413b5f1452e1ab05dcd3b1f499091a44dea5e49d4f4ec0d3e7eed783dd20af34404c1ca22786962da6e6d089544dd8c7b9a86c55d9d0bf300038a518f94
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-mini-memstick.img) = f54fab1ad12985c141a05c68c417ec16f24397738a4132745001c40c6ff0d468baa3ee870d523b7f9d6c5ecb8de3c3d9dfcc39b952037374a7b82409ca154425
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-uefi-bootonly.iso) = d1f1e5fa15a22fa30388e1fd048f0632d223bb06d0b8fb74c7cae6fe8ea5e6a3de2ac813e53d12cd4c2947190135eee5322b34c04981b18a81c26d9180e3af1d
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-uefi-disc1.iso) = 435954520a1f166b35570c11c4f4557554973e8f3c13d753c296dfc675f469513291d989b1befb7ad7449b12e2901e97d650bf5dd93344044d1ef0846aec369b
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-uefi-memstick.img) = 8714b6027aec32e82490aa6db21cd7c1a2f8fc3e44321d0a7429063649941524d42b8e6d1b4490f3a3d45a6c23e3f4ca62da03ac9d72d78aaa1d19c1f9162cf1
SHA512 (HardenedBSD-10-STABLE-v46.16-amd64-uefi-mini-memstick.img) = f64e4f3914c48f8e100901f0597b6623c3e1987ead9de6bb1f1e210d61e87078b2262c729ff457018e050f1a661d4fa8371ef62d5f06a1458988c7eccb2956aa


CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJYD+CEAAoJEIGbEaJv/RiNOakQAN5/90Bl/vqR2qAYb+Sm1D6+
DGeL17XVBw5uALIwvPNk6VkqoFCHgi4RqG6FnYL6b0SCPRy6YDCOESGGfmvse/hT
rHNkDOm49kVg+AhNYVWla7gRjM8BbCznEh6wBAcxKSfKUXIy1fDua/WMPEsdu8S1
PPEe7/dQlaOnopcZoXvFfxxrHK4POu7Lkv79f9dSNh22xhZaAabOV4TnVhdGDAi+
bxjVs7OtZXaVCi7bHINoOiQojIgvw68iz76ye7v8/6Vef1TQD89N8mjycexGJXOs
A4i9wMBSIDzDR6vG8WGGOXNX44gTF2miSDwS5EL7sz9a9Cpb3PON1ffVTvsTlSih
n9VFVkdqhUR9gUMhI5nExJnI3PMYwJ6/j+o/z2zSFX8OjdjGypJu8ezvskZNmUPT
mFQAHzkH/b1jlQm3uoQRckj2u1akxdT2NUi7KNeQgZZGxhtkz61ONDoToL7TmCx2
VtLru9GeJAOASL27f4K7xkBlE0it/cVSz/JtYsT66JtvoV28Rxze29gGL7ZMPj3S
QGPYFCOWYAMxBcxRPYgJJG92aP09HYUbHpMyuyC+G+Qso1B3kgI3+vQoWKdKdML/
DFgQzMI0VSMX+uBYw7+jyRA1lWFTBQWQSZOQb5l6Slk6tWeeclGmcoKjl94hpbNx
4H5Ulmo66e2MGE0yQAE7
=y+h9
-----END PGP SIGNATURE-----

HardenedBSD-11-STABLE-v46.7 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...

WARNING: this is a security update!

Highlights:

• added evdev support by upstream (disabled yet in HARDENEDBSD kernel configs)
• unbound 1.5.10
• Use M_WAITOK in PIO_KEYMAP ioctl (afa321ab9cf9b79fcd4313542f7ab28c85bbcc7a) [FreeBSD SA Candidate]
• EFI related changes by upstream
• hyperv updates by upstream
• ZFS updates by upstream
• CloufABI updates by upstream

Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...

CHECKSUM.SHA512:

SHA512 (HardenedBSD-11-STABLE-v46.7-amd64-bootonly.iso) = a0f656e33b0c48223d2f9c769a9d872c846e6d541571b2d74f3092b3ded69a7e15309e8a748dd778139c7d86c7c27b1e965a9d3bc7d8c3ae24d5c0a34a069e03
SHA512 (HardenedBSD-11-STABLE-v46.7-amd64-disc1.iso) = 136e50041c9762ee210f807c078d485225e862020954259ae4164b7a34991a1e79839625a52b06bfc9bfb956b7ddd03d536e92b52a5c3e5a1929c1381969070c
SHA512 (HardenedBSD-11-STABLE-v46.7-amd64-memstick.img) = 21e2028f3d202b9ebbd1c8676b59e3ed165493424980dee9f13d1794acd37cb71c7f04c5d14b0ee95c2e543bac3395a996f8a50568c2d7b216c37ed511febc91
SHA512 (HardenedBSD-11-STABLE-v46.7-amd64-mini-memstick.img) = 24c2bda9d60a2abe127091684e8db98ea5de5b60ef079298cb4c2a8adfe7e23c7017ed14a77a1cff32210af3a18e7dfd7619286b1ca988314e2cdb50e42ed3d9


CHECKSUM.SHA512.asc:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJYC7LnAAoJEIGbEaJv/RiNuYwQAN/UJanTGDTY4Z2ts0IidfCk
u4fH7Ml7J7bEYEWWYLspFOb3wY+8Bi5FbVs5rts8h5Kt2DullgCXuAf5qmOsyXcd
xMclSdsmbw92FNvoCnPpJ2qmrAvuary2BkkeFVithmRAkqa8BBDM3iLu0HZBgMgU
l8jOrVNM+o3C5qUaYsysQnIswzZbUVP2NHXVzwGeuTtlIKYYnIIwI12RErmlGZBo
1blzuTaWzfmT8vGMPl8P+IwEOf553Y9QvLa28fuY3BmqHEO5euD1Sa10+OK9CEoZ
dD0APbHwNo0Ibj2BOkScuBGBS3+0VPZ5J0AfDudODqPIozbcDRw0Av7A7i1RspNi
BNvIrn2Pr5SNao2NtGBmXSfQN7FBUiBa6vUUIyGDTtOcIlcViZEy50Tf8FNFZjjP
eVfuvwZTE05nENL6k5JAPZLfV4OrWXpfxcu8hT8x9fZ0nb27DldBaID3vYUfGdI+
maTnV+y7EIe3YNo/V9h9fAqtwZebBUKB7m67/k7xvd5/cJPCVeeIIeIPuVfpZji+
RFC1JBHCQDb5HA8inadg5lAq+fzmv2wDoHozS0JZBBR9/fe/HwizOEiRf/7DhE7P
K+e6NuzVRxz3LEx5xwKocPXFJ8EjWO61Qu5bPE5QgSTPwMJK+zmioELxNuPcNoTw
B6cioOaYnPtqHHRcLgl7
=U9ny
-----END PGP SIGNATURE-----