Mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git, synced 2024-12-04 15:13:58 +01:00
Provide some updates
Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
parent ac674cc796
commit 0df8cf7b52
22
Home.md
@ -63,6 +63,8 @@ HardenedBSD has successfully implemented the following features:
1. Non-Cross-DSO CFI in base
1. Non-Cross-DSO CFI available in ports
1. Retpoline applied to base and ports
1. Variable auto-init applied to base and ports
1. Link-Time Optimizations (LTO) applied to both apps and libs
# Generic Kernel Options
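
Review bot: The new entry "Link-Time Optimizations (LTO) applied to both apps and libs" is listed under features HardenedBSD "has successfully implemented", but the Cross-DSO CFI hunk later in this same change describes LTO for libraries as work that only resumed in 2021 and still leaves some applications crashing; either qualify this entry (for example "LTO applied to apps; libs in progress") or confirm in the commit message that library LTO has actually landed in base and ports. The "Variable auto-init" entry would also be easier to verify if it named the compiler option and the initialisation pattern used, so readers can check their own builds against it.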
@ -205,6 +207,11 @@ When a process forks, the child process inherits its parent's ASLR
settings, including deltas. Only at image activation (execve) time
does a process receive new deltas.
To thwart heap spray attacks, HardenedBSD randomizes per-thread
stacks. Effectively, every call to `mmap(MAP_STACK)` gets randomized.
Per-thread stack randomization can be disabled on a per-process basis
by toggling ASLR for that process.
## Position-Independent Executables (PIEs)
In order to make full use of ASLR, applications must be compiled as
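
Review bot: The new paragraph motivates per-thread stack randomization with "heap spray attacks", yet what it actually describes is randomizing the placement of `mmap(MAP_STACK)` mappings; state whether this reuses the existing mmap delta or a separate random value, and whether that value is drawn once per process (inherited across fork, as the paragraph above says for the other deltas) or fresh for every MAP_STACK call, since "every call ... gets randomized" can be read both ways. The last sentence ("by toggling ASLR for that process") should also point at the `# hbsdcontrol` section of this page so readers know which tool does the per-process toggling.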
@ -421,13 +428,12 @@ yet. Cross-DSO CFI would allow functions resolved through
`dlopen(3)`/`dlsym(3)` to work since CFI would be able to be applied
between Dynamic Shared Object (DSO) boundaries. Significant progress
has been made in the first half of 2018 with regards to Cross-DSO CFI.
The base operating system can be fully compiled with Cross-DSO CFI. On
16 Jul 2018, a pre-alpha
[Call For
Testing](https://hardenedbsd.org/article/shawn-webb/2018-07-16/preliminary-call-testing-cross-dso-cfi)
was released for wider initial testing. The HardenedBSD core
development team hopes to launch Cross-DSO CFI in base within the
latter half of 2019.
The Cross-DSO CFI work was paused in 2019 and 2020. Work has resumed
in 2021, starting with applying LTO to libraries (in addition to the
LTO already applied to apps). When built with Cross-DSO CFI, some
applications, like the ZFS tools, crash. Work is ongoing to determine
the cause of the crashes and fix them.
# hbsdcontrol
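
Review bot: Both the sentence "The HardenedBSD core development team hopes to launch Cross-DSO CFI in base within the latter half of 2019" and the new paragraph "The Cross-DSO CFI work was paused in 2019 and 2020" appear in this hunk; if the 2019 sentence survives as context it now contradicts the paragraph below it and should be rewritten in the past tense or dropped. The new paragraph would also be more useful with a pointer to where the ZFS-tools crashes are tracked (issue or branch), so readers testing Cross-DSO CFI builds know where to report the same symptom.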
@ -687,4 +693,4 @@ Thus, generating a diff between the two configuration files would result in:
baseurl="http://updates.hardenedbsd.org/pub/HardenedBSD/updates/${branch}/$(uname -m)"
```
[back to top](https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#)
[back to top](https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#)
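
Review bot: The two "[back to top]" lines render identically, so the one-line change in this hunk is invisible in the rendered diff; the commit message ("Provide some updates") should say what changed there (the link target, presumably). Separately, the example `baseurl` in the surrounding config diff is plain `http://`; if updates.hardenedbsd.org serves TLS, the documentation example should use `https://`, or the text should state how fetched updates are authenticated, so readers do not copy an unauthenticated transport into their own configuration.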