Introducing NoExec

Over the past few months, Oliver has been busy writing a new exploit mitigation feature for HardenedBSD: NoExec. The first part of this project was merged into master tree, and there are still ongoing issues to solve. Our implementation is inspired by PaX's. NoExec prevents pages that are marked as writable from being marked executable as well.

Encryption and Signing

Word got out that we didn't support SSL/TLS on our site due to lack of funding. A couple companies reached out to us to offer us free SSL/TLS certificates. Thanks to DigiCert, as of today, HardenedBSD's main site and package repository is now running SSL/TLS! We will update our Jenkins server with SSL/TLS over the next week. We've also started signing all the release media in our nightly builds with a GPG key created for the dev team. The GPG key's Key ID is 0xE57D5B654BB5228E and its fingerprint is 2FB0 10E7 4676 C06C 23C5 7687 E57D 5B65 4BB5 228E.

Introducing secadm 0.1-beta1

When we first introduced our ASLR patch upstream to FreeBSD, we provided a mechanism via ugidfw for system administrators and users to toggle ASLR and other security features on a per-binary basis. However, this mechanism was more of a hack than a production-ready solution. We have been hard at work to rearchitect a new production-ready implementation. We designed an application that we like to call secadm, short for Security Administration. This application will serve as the basis for advanced administration of the security features we implement in HardenedBSD. Read on for the full release announcement.



Subscribe to HardenedBSD RSS