Pissing off the bad guys by porting grsecurity to HardenedBSD

Presented at THOTCON 0x8 (2017), May 4, 2017, noon (120 minutes).

Work on HardenedBSD began around three years ago, with HardenedBSD becoming official two years ago. We've implemented the strongest form of Address Space Layout Randomization (ASLR) in all the BSDs. We've ported over a number of grsecurity features. FreeBSD, upon which HardenedBSD is based, serves at least 36% of all peak North American Internet traffic, thanks to Netflix. Juniper, Cisco, NetApp, iXsystems, and others all use FreeBSD under the hood. Yet FreeBSD lacks any low-level exploit mitigation technologies. Exploiting vulnerable applications has never been easier. The NSA must love FreeBSD-based systems. HardenedBSD aims to implement low-level exploit mitigations and security hardening technologies, starting with porting the grsecurity patchset. We've come a long way, and we have even longer to go.

This presentation discusses in detail the advancements we've made, including comparisons to Linux and OpenBSD. Attendees will understand why exploit mitigation is an absolute must and will learn the technical details of each feature. There is potential that 0day against FreeBSD that is mitigated in HardenedBSD may be presented.


Presenters:

  • Shawn Webb
    Shawn Webb is the cofounder of HardenedBSD. Former ClamAV core developer. Member of the OPNsense core team. SoldierX High Council member.
