Update on HardenedBSD

A Look Back on 2016

As 2016 is coming to a close, I'd like to reflect on what we've accomplished in HardenedBSD. A whole lot of work has been done and we still have a lot of work ahead of us.

  1. All of base and ports is compiled as Position-Independent Executables (PIEs) along with full RELRO (note: there are some exceptions).
  2. I started hardening some syscalls and sysctl nodes. You'll now notice that the gpart command must run as root because of that. Jailed environments and unprivileged users now cannot see which kernel modules are loaded and root cannot see the base address of kernel modules.
  3. Documentation is now a key priority. Work has started on the HardenedBSD Handbook. We have a long way to go, but the foundation has been laid.
  4. Work on cleaning up our PaX SEGVGUARD implementation has started. We're eventually going to take a whole different approach. Though the current implementation is useful, we haven't guaranteed its stability.
  5. Intel SMAP/SMEP support working in a private feature branch.
  6. LibreSSL imported into HardenedBSD base and made the default in 12-CURRENT.
  7. hbsd-update continues receiving more features and can be considered production-ready. Though there's still more work to do, it is feature complete for the vast majority of use cases.
  8. New, self-hosted package building server.
  9. Port HardenedBSD ASLR and SEGVGUARD to OPNsense, complete with PIE base/ports. Every single OPNsense install has ASLR enabled.
  10. Help FreeBSD with the RPI3 efforts. Test and research clang 3.9.0 and ld.lld on the RPI3. HardenedBSD works flawlessly on the RPI3, showing the strength of HardenedBSD's portability and robustness.
  11. Help FreeBSD with their efforts to port Linux DRM to FreeBSD. This includes buying multiple new laptops and running HardenedBSD with the drm-next-4.7 bits imported.
  12. Deploy four Dell R410 servers for internal development and testing.
  13. Add support for the RISC-V architecture.
  14. Add support for CloudABI.
  15. Successfully test support for MIPS.

For just three developers (Oliver Pinter, Bernard Spil, and myself) doing this in our spare time, we've come a long way in 2016. I'm extremely excited for 2017.

What I absolutely love is that with HardenedBSD running on the RPI3 in 64-bit mode and the Onion Omega (MIPS32), we have shown that our code is not only portable, but stable and robust. We can support new architectures with ease.

2017 Goals

Here are some personal goals that I have for 2017. This list may be incomplete and is definitely not in any particular order. I may or may not accomplish all of them. Without further ado:

  1. Finish documenting everything we've done to this point in the HardenedBSD Handbook.
  2. Maybe start on a Spanish translation of the HardenedBSD Handbook.
  3. Get SafeStack working in base. ASLR and W^X are prerequisites for SafeStack, so it's a good thing we have those.
    1. Investigate the patch floating around that allows CPI/SafeStack to be enabled for shared libraries.
  4. Get our first release out the door.
  5. Port over PaX NOEXEC (aka, W^X) to OPNsense.
  6. Revamp secadm to make it use a more efficient and elegant userland<->kernel model.
  7. Import secadm into base.
  8. When the time is right, investigate packaged base. I lean more heavily towards hbsd-update, but I'm open to investigating packaged base.
  9. Help FreeBSD with clang 3.9 efforts. clang 3.9 has a few regressions, most notably with supporting PIEs. Since PIE is required for ASLR to be fully applied to a process' address space, it's crucial we don't regress.
  10. Finish revamping PaX SEGVGUARD.
  11. Harden more syscalls and sysctls.
  12. Bring more grsecurity features over to HardenedBSD
    1. Especially desired: RBAC

Of course, we're always looking for help. If you feel you can help in any fashion, please don't hesitate to contact the HardenedBSD Core team at [email protected].