Short Summary
The HardenedBSD project aims to continuously add advanced exploit mitigation technologies and security hardening features to FreeBSD. We have implemented Address Space Layout Randomization (ASLR), mprotect(exec) hardening, PTrace restrictions, among other features. Will will work to upstream to FreeBSD most features we implement in HardenedBSD.
The HardenedBSD project officially launched in August 2014. In just these past few months, development has really taken off. We are in need of a new server to automate the build process and unify development.
What We've Accomplished
We've already implemented these features in HardenedBSD:
- Address Space Layout Randomization (ASLR)
- Basic mprotect hardening
- PTrace restrictions
- OpenBSD's getentropy system call
- Migration of arc4random to chacha20
- SegvGuard
- Framework in the base system to create Position-Independent Executables (PIEs)
- Shared object loading order randomization in rtld
- Custom package repository
- Removal of obsolete image activators (such as a.out, svr4, coff)
- Self-validating build automation with Jenkins, ZFS, and bhyve
What We're Currently Working On
We're actively working on quite a few projects:
- Upstreaming ASLR to FreeBSD
- Advanced mprotect hardening
- Improvements to ASLR: VDSO randomization and efficient shared stack randomization
- Kernel W^X, KERNEXEC, and UDEREF
- Self-validating build automation with Jenkins, ZFS, and bhyve
- The full grsecurity patchset
- secfw, an intelligent replacement for ugidfw
- Ports framework support for PIE
What We Need & What You Get
- We need $1500 to buy a new development server.
- Donors who do not wish to remain anonymous will be listed on the HardenedBSD website.
- If our goal of $1500 is not met, we will either budget for a less-pricey server or use the funds to help with ongoing development and hosting costs.
The Impact
HardenedBSD's impact will be far reaching. Many technology and networking companies use FreeBSD. FreeBSD powers at least 33% of peak North American traffic. You will be helping to better secure the Internet and the technologies we've grown to love.
Risks & Challenges
If we don't get the funding we need, we will not be able to automate our build process and development time will slow down.
Other Ways You Can Help
Please spread the word. Even if you're unable to donate, others may be able to.
