diff --git a/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml b/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml index 457ae82d6f..e4033babc9 100644 --- a/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml +++ b/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml @@ -1861,4 +1861,140 @@ subsystem as a whole.

+ + + HardenedBSD + + + + + Shawn + Webb + + shawn.webb@hardenedbsd.org + + + + + Oliver + Pinter + + oliver.pinter@hardenedbsd.org + + + + + HardenedBSD + SafeStack + HardenedBSD Tor Hidden Service + Projects HardenedBSD Would Like Help With + + + +

HardenedBSD is a derivative of &os; that gives special attention to + security related enhancements and exploit-mitigation + technologies. The project started with Address Space Layout + Randomization (ASLR) as an initial focal point and is now + implementing further exploit mitigation techniques.

+ +

It has been a long while since HardenedBSD's laste appearance + in a quarterly status report, with the last status report + being from December of 2015. Accordingly, this status report + will be a long one!

+ +

HardenedBSD has gained Bernard Spil and Franco Fichtner + as developers on the project. Bernard has imported both + LibreSSL and OpenNTPd into base. OpenNTPd and LibreSSL have + been set as the default ntp daemon and crypto library + respectively on HardenedBSD 12-CURRENT. Franco has given the + ports hardening framework a much-needed refactor.

+ +

We introduced a new secure binary update mechanism for the + base system, hbsd-update. Our secadm + application was rewritten to be made more efficient — it + now includes a feature called Integriforce, which is similar + in scope as NetBSD's verified exec (veriexec). + Trusted Path Execution (TPE) was also introduced into + secadm.

+ +

Through extremely generous donations from G2, Inc, + HardenedBSD has a dedicated package building server, a + dedicated binary update publishing server, and several + development and test servers.

+ +

In April of 2016, we introduced full PIE support for the base + system on arm64 and amd64. In June of 2016, we started + shipping Integriforce rules for the base system in the binary + updates distributed via hbsd-update. In August of + 2016, PIE, RELRO, and BIND_NOW were enabled for the entire + ports tree, with the exception of a number of ports that have + one or more of those features explicitly disabled.

+ +

In November of 2016, we introduced SafeStack into the base + system. SafeStack is an exploit mitigation technique that + helps protect against stack-based buffer overflows. It is + developed by the Clang/LLVM community and is included, but not + used, in &os;. In order to be effective, SafeStack relies and + builds on top of Address Space Layout Randomization (ASLR). + Additionally, SafeStack is made stronger with HardenedBSD's + port of PaX NOEXEC. SafeStack is also enabled by default for + a number of high-profile ports in HardenedBSD's ports + tree.

+ +

In March of 2017, we added Control Flow Integrity (CFI) for + the base system. CFI is an exploit mitigation technique that + helps prevent attackers from modifying the behavior of a + program and jumping to undefined or arbitrary memory + locations. This type of technique is gaining adoption across + the industry — Microsoft has implemented a variant of + CFI, which they term Control Flow Guard, or CFG, and the PaX + team has spent the last few years perfecting their Reuse + Attack Protector, RAP. Of these, RAP is the most complete and + effective implementation, followed by Clang's CFI. RAP would + be a great addition to HardenedBSD; however, it requires a + GPLv3 toolchain and is patent-pending.

+ +

CFI can be implemented either on a per-DSO basis, or across + all DSOs in a process. Currently only the former is + implemented, but we are working hard to enable cross-DSO CFI. + As is the case for SafeStack, cross-DSO CFI requires both ASLR + and PaX NOEXEC in order to be effective. If the attacker + knows the memory layout of an application, the attacker might + be able to craft a data-only attack, modifying the CFI control + data.

+ +

The behavior of several system control (sysctl) + nodes has been tighened up, limiting write access and + introducing additional safety checks for write accesses. + Kernel module APIs received a similar treatment. + HardenedBSD's PaX SEGVGUARD implementation received a few + updates to make it more stable and performant.

+ +

In March of 2017, HardenedBSD is now accessible through a Tor + hidden service. The main website, binary updates, and + package distribution are all available over the hidden + service.

+ +

We now maintains our own version of the drm-next + branch for updated graphics support. Binary updates are also + provided for this branch.

+ +

HardenedBSD would like to thank all those who have generously + donated time, money, or other resources to the project.

+ + + SoldierX + + G2, Inc + + + Port SafeStack to arm64. + + Integrate Cross-DSO CFI. + + Documentation via the HardenedBSD Handbook. + + Start porting grsecurity's RBAC. + +
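Review bot: The added HardenedBSD entry has several spelling and grammar errors in its body text that should be fixed before this is committed. In the second paragraph "laste appearance" should be "last appearance"; in the sysctl paragraph "tighened up" should be "tightened up"; in the drm-next paragraph "We now maintains" should be "We now maintain". Smaller wording points in the same hunk: "similar in scope as NetBSD's verified exec" should read "similar in scope to", "SafeStack relies and builds on top of" is missing "on" after "relies", and "In March of 2017, HardenedBSD is now accessible through a Tor hidden service" mixes a past date with "is now" (suggest "Since March of 2017, HardenedBSD has been accessible"). The CFI paragraph also ranks RAP as "the most complete and effective implementation, followed by Clang's CFI" with no reference; either link a source for that comparison or phrase it as the project's own assessment.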