HardenedBSD
 | |
| OS family | Unix-like |
|---|---|
| Working state | Current |
| Source model | Open source |
| Marketing target | Servers, workstations, embedded systems, network firewalls |
| Package manager | pkg |
| Platforms | x86-64, ARM64 |
| Kernel type | Monolithic kernel |
| Userland | BSD |
| Default user interface | Unix shell |
| License | FreeBSD License, FreeBSD Documentation License |
| Official website | {{ |
HardenedBSD is a fork of FreeBSD intended to accentuate security. The project began with the implementation of ASLR in 2015. [1] Since then, HardenedBSD has moved on to implement other mitigation and hardening technologies against computer vulnerability exploitation.
History[edit]
Work on HardenedBSD began in 2013 when Oliver Pinter and Shawn Webb started working on an implementation of ASLR (Address Space Layout Randomization),[2] based on the public documentation of PaX, for FreeBSD. At the time, HardenedBSD was supposed to be a staging area for experimental development of the ASLR patch. Over time, as the process of integrating ASLR into FreeBSD became more difficult, HardenedBSD naturally became a fork. [3]
HardenedBSD completed the implementation of ASLR in 2015 with the strongest form of ASLR of any BSD. Since then, HardenedBSD has moved on to implement other mitigation and hardening technologies. OPNsense, an open source firewall based on FreeBSD, integrated HardenedBSD's ASLR implementation in 2016. OPNsense completed its migration to HardenedBSD on January 31, 2019.[4]
HardenedBSD exists today as a fork of FreeBSD that closely follows the FreeBSD source code.[5]
Features[edit]
According to the official website, HardenedBSD has successfully implemented the following features:[6]
- PaX-inspired ASLR
- PaX-inspired NOEXEC
- PaX-inspired SEGVGUARD
- Base compiled as Position Independent Executables (PIEs)
- Base compiled with full RELRO (RELRO + BIND_NOW)
- Hardening of certain sensitive sysctl nodes
- Network stack hardening
- Executable file integrity enforcement
- Boot process hardening
- procs/linprocfs hardening
- LibreSSL as an optional crypto library in base
- Trusted Path Execution (TPE)
- Randomized PIDs
- SafeStack in base
- SafeStack available in ports
- Non-Cross-DSO CFI in base
- Non-Cross-DSO CFI available in ports
- Retpoline applied to base and ports
- Variable auto-init applied to base and ports
- Link-Time Optimizations (LTO) applied to both apps and libs
See also[edit]
References[edit]
- ↑ "HardenedBSD Completes Strong ASLR Implementation". bsd.slashdot.org. Retrieved 2021-07-11.
- ↑ "Introduction". docs.opnsense.org. Retrieved 2021-07-11.
- ↑ "About". hardenedbsd.org. Retrieved 2021-07-11.
- ↑ "Why Fork FreeBSD?". docs.opnsense.org. Retrieved 2021-07-11.
- ↑ "forked from freebsd/freebsd-src". GitHub. Retrieved 2021-07-11.
- ↑ "Chapter Features". HardenedBSD Wiki. The HardenedBSD Project. Retrieved 2021-07-11.
External link[edit]
This article "HardenedBSD" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:HardenedBSD. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.
