Date: Sat, 29 Jul 2017 20:48:48 +0000 (UTC) From: Benjamin Kaduk <bjk@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r50606 - head/en_US.ISO8859-1/htdocs/news/status Message-ID: <201707292048.v6TKmmbJ052244@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bjk Date: Sat Jul 29 20:48:47 2017 New Revision: 50606 URL: https://svnweb.freebsd.org/changeset/doc/50606 Log: Add 2017Q2 HardenedBSD entry from Shawn Webb Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml Sat Jul 29 20:12:21 2017 (r50605) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml Sat Jul 29 20:48:47 2017 (r50606) @@ -1861,4 +1861,140 @@ subsystem as a whole.</p> </body> </project> + + <project cat='proj'> + <title>HardenedBSD</title> + + <contact> + <person> + <name> + <given>Shawn</given> + <common>Webb</common> + </name> + <email>shawn.webb@hardenedbsd.org</email> + </person> + + <person> + <name> + <given>Oliver</given> + <common>Pinter</common> + </name> + <email>oliver.pinter@hardenedbsd.org</email> + </person> + </contact> + + <links> + <url href="https://hardenedbsd.org/">HardenedBSD</url>; + <url href="http://clang.llvm.org/docs/SafeStack.html">SafeStack</url>; + <url href="http://t3a73imee26zfb3d.onion/">HardenedBSD Tor Hidden Service</url> + <url href="https://github.com/HardenedBSD/hardenedBSD/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22">Projects HardenedBSD Would Like Help With</url> + </links> + + <body> + <p>HardenedBSD is a derivative of &os; that gives special attention to + security related enhancements and exploit-mitigation + technologies. The project started with Address Space Layout + Randomization (ASLR) as an initial focal point and is now + implementing further exploit mitigation techniques.</p> + + <p>It has been a long while since HardenedBSD's laste appearance + in a quarterly status report, with the last status report + being from December of 2015. Accordingly, this status report + will be a long one!</p> + + <p>HardenedBSD has gained Bernard Spil and Franco Fichtner + as developers on the project. Bernard has imported both + LibreSSL and OpenNTPd into base. OpenNTPd and LibreSSL have + been set as the default <tt>ntp</tt> daemon and crypto library + respectively on HardenedBSD 12-CURRENT. Franco has given the + ports hardening framework a much-needed refactor.</p> + + <p>We introduced a new secure binary update mechanism for the + base system, <tt>hbsd-update</tt>. Our <tt>secadm</tt> + application was rewritten to be made more efficient — it + now includes a feature called Integriforce, which is similar + in scope as NetBSD's verified exec (<tt>veriexec</tt>). + Trusted Path Execution (TPE) was also introduced into + <tt>secadm</tt>.</p> + + <p>Through extremely generous donations from G2, Inc, + HardenedBSD has a dedicated package building server, a + dedicated binary update publishing server, and several + development and test servers.</p> + + <p>In April of 2016, we introduced full PIE support for the base + system on arm64 and amd64. In June of 2016, we started + shipping Integriforce rules for the base system in the binary + updates distributed via <tt>hbsd-update</tt>. In August of + 2016, PIE, RELRO, and BIND_NOW were enabled for the entire + ports tree, with the exception of a number of ports that have + one or more of those features explicitly disabled.</p> + + <p>In November of 2016, we introduced SafeStack into the base + system. SafeStack is an exploit mitigation technique that + helps protect against stack-based buffer overflows. It is + developed by the Clang/LLVM community and is included, but not + used, in &os;. In order to be effective, SafeStack relies and + builds on top of Address Space Layout Randomization (ASLR). + Additionally, SafeStack is made stronger with HardenedBSD's + port of PaX NOEXEC. SafeStack is also enabled by default for + a number of high-profile ports in HardenedBSD's ports + tree.</p> + + <p>In March of 2017, we added Control Flow Integrity (CFI) for + the base system. CFI is an exploit mitigation technique that + helps prevent attackers from modifying the behavior of a + program and jumping to undefined or arbitrary memory + locations. This type of technique is gaining adoption across + the industry — Microsoft has implemented a variant of + CFI, which they term Control Flow Guard, or CFG, and the PaX + team has spent the last few years perfecting their Reuse + Attack Protector, RAP. Of these, RAP is the most complete and + effective implementation, followed by Clang's CFI. RAP would + be a great addition to HardenedBSD; however, it requires a + GPLv3 toolchain and is patent-pending.</p> + + <p>CFI can be implemented either on a per-DSO basis, or across + all DSOs in a process. Currently only the former is + implemented, but we are working hard to enable cross-DSO CFI. + As is the case for SafeStack, cross-DSO CFI requires both ASLR + and PaX NOEXEC in order to be effective. If the attacker + knows the memory layout of an application, the attacker might + be able to craft a data-only attack, modifying the CFI control + data.</p> + + <p>The behavior of several system control (<tt>sysctl</tt>) + nodes has been tighened up, limiting write access and + introducing additional safety checks for write accesses. + Kernel module APIs received a similar treatment. + HardenedBSD's PaX SEGVGUARD implementation received a few + updates to make it more stable and performant.</p> + + <p>In March of 2017, HardenedBSD is now accessible through a Tor + hidden service. The main website, binary updates, and + package distribution are all available over the hidden + service.</p> + + <p>We now maintains our own version of the <tt>drm-next</tt> + branch for updated graphics support. Binary updates are also + provided for this branch.</p> + + <p>HardenedBSD would like to thank all those who have generously + donated time, money, or other resources to the project.</p> + </body> + + <sponsor>SoldierX</sponsor> + + <sponsor>G2, Inc</sponsor> + + <help> + <task>Port SafeStack to arm64.</task> + + <task>Integrate Cross-DSO CFI.</task> + + <task>Documentation via the HardenedBSD Handbook.</task> + + <task>Start porting grsecurity's RBAC.</task> + </help> + </project> </report>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201707292048.v6TKmmbJ052244>