HardenedBSD

From owner-svn-doc-all@freebsd.org Sat Jul 29 20:48:49 2017 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2ECBBDCAE0B; Sat, 29 Jul 2017 20:48:49 +0000 (UTC) (envelope-from bjk@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 05A4177A46; Sat, 29 Jul 2017 20:48:48 +0000 (UTC) (envelope-from bjk@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v6TKmmxE052245; Sat, 29 Jul 2017 20:48:48 GMT (envelope-from bjk@FreeBSD.org) Received: (from bjk@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v6TKmmbJ052244; Sat, 29 Jul 2017 20:48:48 GMT (envelope-from bjk@FreeBSD.org) Message-Id: <201707292048.v6TKmmbJ052244@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bjk set sender to bjk@FreeBSD.org using -f From: Benjamin Kaduk Date: Sat, 29 Jul 2017 20:48:48 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r50606 - head/en_US.ISO8859-1/htdocs/news/status X-SVN-Group: doc-head X-SVN-Commit-Author: bjk X-SVN-Commit-Paths: head/en_US.ISO8859-1/htdocs/news/status X-SVN-Commit-Revision: 50606 X-SVN-Commit-Repository: doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2017 20:48:49 -0000 Author: bjk Date: Sat Jul 29 20:48:47 2017 New Revision: 50606 URL: https://svnweb.freebsd.org/changeset/doc/50606 Log: Add 2017Q2 HardenedBSD entry from Shawn Webb Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml Sat Jul 29 20:12:21 2017 (r50605) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2017-04-2017-06.xml Sat Jul 29 20:48:47 2017 (r50606) @@ -1861,4 +1861,140 @@ subsystem as a whole.

+ + + HardenedBSD + + + + + Shawn + Webb + + shawn.webb@hardenedbsd.org + + + + + Oliver + Pinter + + oliver.pinter@hardenedbsd.org + + + + + HardenedBSD + SafeStack + HardenedBSD Tor Hidden Service + Projects HardenedBSD Would Like Help With + + + +

HardenedBSD is a derivative of &os; that gives special attention to + security related enhancements and exploit-mitigation + technologies. The project started with Address Space Layout + Randomization (ASLR) as an initial focal point and is now + implementing further exploit mitigation techniques.

+ +

It has been a long while since HardenedBSD's laste appearance + in a quarterly status report, with the last status report + being from December of 2015. Accordingly, this status report + will be a long one!

+ +

HardenedBSD has gained Bernard Spil and Franco Fichtner + as developers on the project. Bernard has imported both + LibreSSL and OpenNTPd into base. OpenNTPd and LibreSSL have + been set as the default ntp daemon and crypto library + respectively on HardenedBSD 12-CURRENT. Franco has given the + ports hardening framework a much-needed refactor.

+ +

We introduced a new secure binary update mechanism for the + base system, hbsd-update. Our secadm + application was rewritten to be made more efficient — it + now includes a feature called Integriforce, which is similar + in scope as NetBSD's verified exec (veriexec). + Trusted Path Execution (TPE) was also introduced into + secadm.

+ +

Through extremely generous donations from G2, Inc, + HardenedBSD has a dedicated package building server, a + dedicated binary update publishing server, and several + development and test servers.

+ +

In April of 2016, we introduced full PIE support for the base + system on arm64 and amd64. In June of 2016, we started + shipping Integriforce rules for the base system in the binary + updates distributed via hbsd-update. In August of + 2016, PIE, RELRO, and BIND_NOW were enabled for the entire + ports tree, with the exception of a number of ports that have + one or more of those features explicitly disabled.

+ +

In November of 2016, we introduced SafeStack into the base + system. SafeStack is an exploit mitigation technique that + helps protect against stack-based buffer overflows. It is + developed by the Clang/LLVM community and is included, but not + used, in &os;. In order to be effective, SafeStack relies and + builds on top of Address Space Layout Randomization (ASLR). + Additionally, SafeStack is made stronger with HardenedBSD's + port of PaX NOEXEC. SafeStack is also enabled by default for + a number of high-profile ports in HardenedBSD's ports + tree.

+ +

In March of 2017, we added Control Flow Integrity (CFI) for + the base system. CFI is an exploit mitigation technique that + helps prevent attackers from modifying the behavior of a + program and jumping to undefined or arbitrary memory + locations. This type of technique is gaining adoption across + the industry — Microsoft has implemented a variant of + CFI, which they term Control Flow Guard, or CFG, and the PaX + team has spent the last few years perfecting their Reuse + Attack Protector, RAP. Of these, RAP is the most complete and + effective implementation, followed by Clang's CFI. RAP would + be a great addition to HardenedBSD; however, it requires a + GPLv3 toolchain and is patent-pending.

+ +

CFI can be implemented either on a per-DSO basis, or across + all DSOs in a process. Currently only the former is + implemented, but we are working hard to enable cross-DSO CFI. + As is the case for SafeStack, cross-DSO CFI requires both ASLR + and PaX NOEXEC in order to be effective. If the attacker + knows the memory layout of an application, the attacker might + be able to craft a data-only attack, modifying the CFI control + data.

+ +

The behavior of several system control (sysctl) + nodes has been tighened up, limiting write access and + introducing additional safety checks for write accesses. + Kernel module APIs received a similar treatment. + HardenedBSD's PaX SEGVGUARD implementation received a few + updates to make it more stable and performant.

+ +

In March of 2017, HardenedBSD is now accessible through a Tor + hidden service. The main website, binary updates, and + package distribution are all available over the hidden + service.

+ +

We now maintains our own version of the drm-next + branch for updated graphics support. Binary updates are also + provided for this branch.

+ +

HardenedBSD would like to thank all those who have generously + donated time, money, or other resources to the project.

+ + + SoldierX + + G2, Inc + + + Port SafeStack to arm64. + + Integrate Cross-DSO CFI. + + Documentation via the HardenedBSD Handbook. + + Start porting grsecurity's RBAC. + +