Mastodon#safestack

I've now learned both when and how creates and manages the unsafe stack. I'm now digging deep into LLVM's code to learn how the rest of SafeStack is implemented. Fun stuff.

While the latest code compiles, I'm working on importing egypcio's work into a feature branch in 's ports tree.

I know I've already said this, but I'd like to thank Soft Iron again for donating an OverDrive 1000 to . It sure does help to have something better than an for porting to .

Wife's doing a sleep study tonight and I've already got my 40 hours in at work. Time to pull an all-night hackathon!

I'm being indecisive. You choose my evening:

1. Chores to make the missus happy
2. Work on porting to arm64
3. Work on building an arm64 image of

We would like to thank SoftIron for donating an OverDrive 1000 to . We'll use it to port to .

hardenedbsd.org/content/donors

It's interesting to note that (enabled by default in only) caught a stack-based buffer overflow in , but SSP (which is enabled by default in and ) didn't.

SafeStack > SSP

I'm researching now where the vulnerability lies.

Here's a screenshot of with working flawlessly. Hint: exploit mitigations like SafeStack are transparent to the user. The best security features are ones that work simply and robustly such that the user doesn't even notice. That's what we're doing in OPNsense.

mastodon.social/media/Z7at8anl

So my firewall at home is running with fully applied to both base and ports. Now that is freaking awesome!

We at are getting ready to release a formal Call For Testing (CFT) soon for applied to the ports tree. Note that SafeStack is already applied to base. Expect the CFT to go out after 17.1.7 is released.

Now that I have ported to , it's time to resume porting SafeStack to .

Here's a sneak preview of what I'm working on in .