Mastodon #hardenedbsd

So... just found out I can watch projects on GitHub, think I'm going to start reading random C sources from #HardenedBSD, #FreeBSD, #DragonFlyBSD, and #OpenBSD to help build up my ability to do anything useful in C. Has been fun so far looking at OpenBSD's cat(1) and cp(1).

Now with the mitigations fully completed in , it's time to update all of HardenedBSD's infrastructure.

Ah, well that's interesting. #HardenedBSD has a very differently set up boot partition than the Pinebook does usually, guess it's time to start trying some stuff

Either I did something very wrong or #HardenedBSD isn't booting on my Pinebook.... gonna try using the backup SD card I made to see if that works

Today, I finished the Stack Clash mitigations in .

Here are the highlights:

1. Default 2MB guard between the bottom-most part of the stack and other memory mappings.
2. Plug the hole that makes the guard ineffective.
3. Disallow applications from requesting or being granted memory mappings within the bottom-most limit of the stack and the top of the stack.

@liate Because implementing ASLR in was Oliver's thesis research project and one of my personal goals. Out of the difficulties (and eventual failure) of upstreaming ASLR to FreeBSD was HardenedBSD born.

Now, we want to give the FreeBSD community a choice. We continue our work on to give the community a choice in security.

If you would like to help fund 's efforts and like how promptly we addressed , we accept PayPal and Bitcoin.

Our Bitcoin address: 1FmbSRvZK4yC1b6ajeZWSvYXV2nmvwdWQq

Our PayPal address: shawn.webb@hardenedbsd.org

also shows how switching to a 64-bit virtual address space is extremely beneficial in terms of security. This is why only tests on 64-bit platforms (amd64 and arm64 primarily).

More stickers ordered. My friend Pronto will be handing them out at .

One last mitigation commit in : github.com/HardenedBSD/hardene

This, in conjunction with the hardened stack guard, should fully mitigate Stack Clash in HardenedBSD.

I will be doing new builds of for the and today, which include Stack Clash mitigations and the ability to use our new signed arm64 package repo.

The RTLD NX bypass also affects , but not (on amd64 and arm64).

would like to celebrate "National FreeBSD Day" with its stack guard page disabled: qualys.com/2017/06/19/stack-cl

has it enabled by default.

We now have an official, signed package repo for 12-CURRENT !

@Zulgrib and are focused on security. on portability (but with a few PaX features ported over for security). on enterprise features (ZFS, Jails, DTrace). With being based on , you get enterprise features with enhanced security.

The first package build for has begun! Let's see how long this takes on my SoftIron Overdrive 1000.

Prepping my SoftIron OverDrive 1000 to be the official package building server for .

@l33tname Yup. And we're working towards using fully as upstream, instead of with HardenedBSD bits mixed in.