Add 2017Q2 HardenedBSD entry from Shawn Webb

Benjamin Kaduk 2017-07-29 20:48:47 +00:00
parent 2aa1ec1942
commit 6626ed0a0f
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=50606

@ -1861,4 +1861,140 @@
subsystem as a whole.</p>
</body>
</project>
<project cat='proj'>
<title>HardenedBSD</title>
<contact>
<person>
<name>
<given>Shawn</given>
<common>Webb</common>
</name>
<email>shawn.webb@hardenedbsd.org</email>
</person>
<person>
<name>
<given>Oliver</given>
<common>Pinter</common>
</name>
<email>oliver.pinter@hardenedbsd.org</email>
</person>
</contact>
<links>
<url href="https://hardenedbsd.org/">HardenedBSD</url>
<url href="http://clang.llvm.org/docs/SafeStack.html">SafeStack</url>
<url href="http://t3a73imee26zfb3d.onion/">HardenedBSD Tor Hidden Service</url>
<url href="https://github.com/HardenedBSD/hardenedBSD/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22">Projects HardenedBSD Would Like Help With</url>
</links>
<body>
<p>HardenedBSD is a derivative of &os; that gives special attention to
security related enhancements and exploit-mitigation
technologies. The project started with Address Space Layout
Randomization (ASLR) as an initial focal point and is now
implementing further exploit mitigation techniques.</p>
<p>It has been a long while since HardenedBSD's laste appearance
in a quarterly status report, with the last status report
being from December of 2015. Accordingly, this status report
will be a long one!</p>
<p>HardenedBSD has gained Bernard Spil and Franco Fichtner
as developers on the project. Bernard has imported both
LibreSSL and OpenNTPd into base. OpenNTPd and LibreSSL have
been set as the default <tt>ntp</tt> daemon and crypto library
respectively on HardenedBSD 12-CURRENT. Franco has given the
ports hardening framework a much-needed refactor.</p>
<p>We introduced a new secure binary update mechanism for the
base system, <tt>hbsd-update</tt>. Our <tt>secadm</tt>
application was rewritten to be made more efficient &mdash; it
now includes a feature called Integriforce, which is similar
in scope as NetBSD's verified exec (<tt>veriexec</tt>).
Trusted Path Execution (TPE) was also introduced into
<tt>secadm</tt>.</p>
<p>Through extremely generous donations from G2, Inc,
HardenedBSD has a dedicated package building server, a
dedicated binary update publishing server, and several
development and test servers.</p>
<p>In April of 2016, we introduced full PIE support for the base
system on arm64 and amd64. In June of 2016, we started
shipping Integriforce rules for the base system in the binary
updates distributed via <tt>hbsd-update</tt>. In August of
2016, PIE, RELRO, and BIND_NOW were enabled for the entire
ports tree, with the exception of a number of ports that have
one or more of those features explicitly disabled.</p>
<p>In November of 2016, we introduced SafeStack into the base
system. SafeStack is an exploit mitigation technique that
helps protect against stack-based buffer overflows. It is
developed by the Clang/LLVM community and is included, but not
used, in &os;. In order to be effective, SafeStack relies and
builds on top of Address Space Layout Randomization (ASLR).
Additionally, SafeStack is made stronger with HardenedBSD's
port of PaX NOEXEC. SafeStack is also enabled by default for
a number of high-profile ports in HardenedBSD's ports
tree.</p>
<p>In March of 2017, we added Control Flow Integrity (CFI) for
the base system. CFI is an exploit mitigation technique that
helps prevent attackers from modifying the behavior of a
program and jumping to undefined or arbitrary memory
locations. This type of technique is gaining adoption across
the industry &mdash; Microsoft has implemented a variant of
CFI, which they term Control Flow Guard, or CFG, and the PaX
team has spent the last few years perfecting their Reuse
Attack Protector, RAP. Of these, RAP is the most complete and
effective implementation, followed by Clang's CFI. RAP would
be a great addition to HardenedBSD; however, it requires a
GPLv3 toolchain and is patent-pending.</p>
<p>CFI can be implemented either on a per-DSO basis, or across
all DSOs in a process. Currently only the former is
implemented, but we are working hard to enable cross-DSO CFI.
As is the case for SafeStack, cross-DSO CFI requires both ASLR
and PaX NOEXEC in order to be effective. If the attacker
knows the memory layout of an application, the attacker might
be able to craft a data-only attack, modifying the CFI control
data.</p>
<p>The behavior of several system control (<tt>sysctl</tt>)
nodes has been tighened up, limiting write access and
introducing additional safety checks for write accesses.
Kernel module APIs received a similar treatment.
HardenedBSD's PaX SEGVGUARD implementation received a few
updates to make it more stable and performant.</p>
<p>In March of 2017, HardenedBSD is now accessible through a Tor
hidden service. The main website, binary updates, and
package distribution are all available over the hidden
service.</p>
<p>We now maintains our own version of the <tt>drm-next</tt>
branch for updated graphics support. Binary updates are also
provided for this branch.</p>
<p>HardenedBSD would like to thank all those who have generously
donated time, money, or other resources to the project.</p>
</body>
<sponsor>SoldierX</sponsor>
<sponsor>G2, Inc</sponsor>
<help>
<task>Port SafeStack to arm64.</task>
<task>Integrate Cross-DSO CFI.</task>
<task>Documentation via the HardenedBSD Handbook.</task>
<task>Start porting grsecurity's RBAC.</task>
</help>
</project>
</report>