We mostly finished the backport of our 11-CURRENT patches to 10-STABLE this week. This means that those who have a preference not to use 11-CURRENT (and we don't blame them) can now have the comfort of having exploit mitigation features in a more stable branch. The backport is currently in an experimental branch (hardened/experimental/10-stable) but will be promoted to a stable branch (hardened/10-stable/master) in around a month if we deem it to be stable. We will soon be providing amd64 packages as well.
We're excited to announce the release of secadm version 0.2! We've been working hard on a new star feature: Integriforce. Read on for the full change log and download links.
Over the past few months, Oliver has been busy writing a new exploit mitigation feature for HardenedBSD: NoExec. The first part of this project was merged into master tree, and there are still ongoing issues to solve. Our implementation is inspired by PaX's. NoExec prevents pages that are marked as writable from being marked executable as well.
Our security administration project, secadm, has gained a new feature, which we call Integriforce (short for "Integrity Enforce"). Integriforce verifies file integrity prior to execution, similar to NetBSD's Veriexec. This post is a Call For Testing of that feature.
John-Mark Gurney of the FreeBSD development team announced a vulnerability affecting the FreeBSD Random Number Generator (RNG) code in 11-CURRENT. Since HardenedBSD is based on 11-CURRENT, HardenedBSD is affected. Read on for further details and remediation steps.
It is my pleasure to formally announce the first release of our Security Administration project, known as secadm. Version 0.1 is now available and can be downloaded here along with its GPG signature here. Read on for the full release notes.
Word got out that we didn't support SSL/TLS on our site due to lack of funding. A couple companies reached out to us to offer us free SSL/TLS certificates. Thanks to DigiCert, as of today, HardenedBSD's main site and package repository is now running SSL/TLS! We will update our Jenkins server with SSL/TLS over the next week. We've also started signing all the release media in our nightly builds with a GPG key created for the dev team. The GPG key's Key ID is 0xE57D5B654BB5228E and its fingerprint is 2FB0 10E7 4676 C06C 23C5 7687 E57D 5B65 4BB5 228E.
We're proud to release the first release candidate of secadm 0.1. We've added a few new features and fixed a few bugs. Continue reading for the changelog and download links.