Encryption and Signing

Word got out that we didn't support SSL/TLS on our site due to lack of funding. A couple companies reached out to us to offer us free SSL/TLS certificates. Thanks to DigiCert, as of today, HardenedBSD's main site and package repository is now running SSL/TLS! We will update our Jenkins server with SSL/TLS over the next week. We've also started signing all the release media in our nightly builds with a GPG key created for the dev team. The GPG key's Key ID is 0xE57D5B654BB5228E and its fingerprint is 2FB0 10E7 4676 C06C 23C5 7687 E57D 5B65 4BB5 228E.

Introducing secadm 0.1-beta1

When we first introduced our ASLR patch upstream to FreeBSD, we provided a mechanism via ugidfw for system administrators and users to toggle ASLR and other security features on a per-binary basis. However, this mechanism was more of a hack than a production-ready solution. We have been hard at work to rearchitect a new production-ready implementation. We designed an application that we like to call secadm, short for Security Administration. This application will serve as the basis for advanced administration of the security features we implement in HardenedBSD. Read on for the full release announcement.


Shared Object Load Order Randomization

As we mentioned in our blog article about the Offset2lib attack, we wanted to make our ASLR a little more secure against these types of attacks. One of the ways we can strengthen our ASLR implementation is by randomization the order in which shared objects get loaded when a program starts up. This removes one more piece of determinism and can further frustrate an attacker. We've now implemented it.



Our website and its database server will be undergoing routine maintenance this weekend. Please expect some downtime. Our build server will still be up if you need to grab builds. Thank you for your patience.

HardenedBSD and the Offset2lib Attack

The recently disclosed offset2lib attack against Linux's default ASLR implementation has generated a lot of chatter. As mentioned in the paper, ASLR implementations based off of PaX's--which is the case for HardenedBSD--are generally secured against this attack. Our whitepaper describes how we calculate separate offsets for the execution base, mmap, and the stack.

Package Building Infrastructure Maintenance

HardenedBSD is growing, thanks to our donors. We've built a new server and thanks to a generous donation, we have a hosted second server. One server is generating nightly builds (our Jenkins instance) and the other is a development workhorse and is responsible for our package building. Our old server took 3.5 hours to do a buildworld+buildkernel just for amd64 and around 75-80 hours for a package build for amd64. Our new server takes 3.5 hours to do a buildworld+buildkernel+release for amd64, i386. and beaglebone black and does a package build in around 50 hours. The core team and the developers at HardenedBSD would like to thank all who have donated (and those who will donate in the future). Read on to learn our plans for our package repos.



Subscribe to HardenedBSD RSS