svn commit: r50606 - head/en_US.ISO8859-1/htdocs/news/status

Benjamin Kaduk bjk at
Sat Jul 29 20:48:49 UTC 2017

Author: bjk
Date: Sat Jul 29 20:48:47 2017
New Revision: 50606

  Add 2017Q2 HardenedBSD entry from Shawn Webb


Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml
--- head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml	Sat Jul 29 20:12:21 2017	(r50605)
+++ head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml	Sat Jul 29 20:48:47 2017	(r50606)
@@ -1861,4 +1861,140 @@
       subsystem as a whole.</p>
+  <project cat='proj'>
+    <title>HardenedBSD</title>
+    <contact>
+      <person>
+	<name>
+	  <given>Shawn</given>
+	  <common>Webb</common>
+	</name>
+	<email>shawn.webb at</email>
+      </person>
+      <person>
+	<name>
+	  <given>Oliver</given>
+	  <common>Pinter</common>
+	</name>
+	<email>oliver.pinter at</email>
+      </person>
+    </contact>
+    <links>
+      <url href="">HardenedBSD</url>
+      <url href="">SafeStack</url>
+      <url href="http://t3a73imee26zfb3d.onion/">HardenedBSD Tor Hidden Service</url>
+      <url href="">Projects HardenedBSD Would Like Help With</url>
+    </links>
+    <body>
+      <p>HardenedBSD is a derivative of &os; that gives special attention to
+	security related enhancements and exploit-mitigation
+	technologies.  The project started with Address Space Layout
+	Randomization (ASLR) as an initial focal point and is now
+	implementing further exploit mitigation techniques.</p>
+      <p>It has been a long while since HardenedBSD's laste appearance
+	in a quarterly status report, with the last status report
+	being from December of 2015.  Accordingly, this status report
+	will be a long one!</p>
+      <p>HardenedBSD has gained Bernard Spil and Franco Fichtner
+	as developers on the project.  Bernard has imported both
+	LibreSSL and OpenNTPd into base.  OpenNTPd and LibreSSL have
+	been set as the default <tt>ntp</tt> daemon and crypto library
+	respectively on HardenedBSD 12-CURRENT.  Franco has given the
+	ports hardening framework a much-needed refactor.</p>
+      <p>We introduced a new secure binary update mechanism for the
+	base system, <tt>hbsd-update</tt>.  Our <tt>secadm</tt>
+	application was rewritten to be made more efficient — it
+	now includes a feature called Integriforce, which is similar
+	in scope as NetBSD's verified exec (<tt>veriexec</tt>).
+	Trusted Path Execution (TPE) was also introduced into
+	<tt>secadm</tt>.</p>
+      <p>Through extremely generous donations from G2, Inc,
+	HardenedBSD has a dedicated package building server, a
+	dedicated binary update publishing server, and several
+	development and test servers.</p>
+      <p>In April of 2016, we introduced full PIE support for the base
+	system on arm64 and amd64.  In June of 2016, we started
+	shipping Integriforce rules for the base system in the binary
+	updates distributed via <tt>hbsd-update</tt>.  In August of
+	2016, PIE, RELRO, and BIND_NOW were enabled for the entire
+	ports tree, with the exception of a number of ports that have
+	one or more of those features explicitly disabled.</p>
+      <p>In November of 2016, we introduced SafeStack into the base
+	system.  SafeStack is an exploit mitigation technique that
+	helps protect against stack-based buffer overflows.  It is
+	developed by the Clang/LLVM community and is included, but not
+	used, in &os;.  In order to be effective, SafeStack relies and
+	builds on top of Address Space Layout Randomization (ASLR).
+	Additionally, SafeStack is made stronger with HardenedBSD's
+	port of PaX NOEXEC.  SafeStack is also enabled by default for
+	a number of high-profile ports in HardenedBSD's ports
+	tree.</p>
+      <p>In March of 2017, we added Control Flow Integrity (CFI) for
+	the base system.  CFI is an exploit mitigation technique that
+	helps prevent attackers from modifying the behavior of a
+	program and jumping to undefined or arbitrary memory
+	locations.  This type of technique is gaining adoption across
+	the industry — Microsoft has implemented a variant of
+	CFI, which they term Control Flow Guard, or CFG, and the PaX
+	team has spent the last few years perfecting their Reuse
+	Attack Protector, RAP.  Of these, RAP is the most complete and
+	effective implementation, followed by Clang's CFI.  RAP would
+	be a great addition to HardenedBSD; however, it requires a
+	GPLv3 toolchain and is patent-pending.</p>
+      <p>CFI can be implemented either on a per-DSO basis, or across
+	all DSOs in a process.  Currently only the former is
+	implemented, but we are working hard to enable cross-DSO CFI.
+	As is the case for SafeStack, cross-DSO CFI requires both ASLR
+	and PaX NOEXEC in order to be effective.  If the attacker
+	knows the memory layout of an application, the attacker might
+	be able to craft a data-only attack, modifying the CFI control
+	data.</p>
+      <p>The behavior of several system control (<tt>sysctl</tt>)
+	nodes has been tighened up, limiting write access and
+	introducing additional safety checks for write accesses.
+	Kernel module APIs received a similar treatment.
+	HardenedBSD's PaX SEGVGUARD implementation received a few
+	updates to make it more stable and performant.</p>
+      <p>In March of 2017, HardenedBSD is now accessible through a Tor
+	hidden service.  The main website, binary updates, and
+	package distribution are all available over the hidden
+	service.</p>
+      <p>We now maintains our own version of the <tt>drm-next</tt>
+	branch for updated graphics support.  Binary updates are also
+	provided for this branch.</p>
+      <p>HardenedBSD would like to thank all those who have generously
+	donated time, money, or other resources to the project.</p>
+    </body>
+    <sponsor>SoldierX</sponsor>
+    <sponsor>G2, Inc</sponsor>
+    <help>
+      <task>Port SafeStack to arm64.</task>
+      <task>Integrate Cross-DSO CFI.</task>
+      <task>Documentation via the HardenedBSD Handbook.</task>
+      <task>Start porting grsecurity's RBAC.</task>
+    </help>
+  </project>

More information about the svn-doc-all mailing list