HardenedBSD Feature Comparison with OpenBSD, FreeBSD, NetBSD


Feature | HardenedBSD | FreeBSD | OpenBSD | NetBSD

Address Space Layout Randomization (ASLR) *
Base compiled as Position-Independent Executables (PIEs)
Base compiled with RELRO + BIND_NOW *
Ports tree compiled with PIE, RELRO, and BIND_NOW
Static PIE
ASLR brute force protection (SEGVGUARD) * *
Prevention of the creation of writable and executable memory mappings (W^X part one)
Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two)
sysctl hardening
Network stack hardening (IP ID randomization, use IPv6 temporary addresses)
Executable file integrity enforcement
Boot hardening
procfs/linprocfs hardening *
LibreSSL in base as the default cryptography library
SROP mitigation
Most of base sandboxed
Trusted Path Execution
SafeStack in base
SafeStack available in ports
Non-Cross-DSO Control-Flow Integrity (CFI) in base
Non-Cross-DSO Control-Flow Integrity (CFI) available in ports
Base compiled with retpoline
Ports tree compiled with retpoline
Intel SMAP+SMEP Support
Userland stack zero-initialized by default
Hardened RTLD by default

* Hover over the checkbox for more information
