hardenedbsd.orginstallerhardenedbsdorg

Skip to main content installers Submitted by op on Tue, 11/03/2015 - 15:32 12-STABLE git git clone --single-branch --branch hardened/12-stable/master https://git-01.md.hardenedbsd.org//.git hardenedbsd-12-stable installers https://ci-01.nyi.hardenedbsd.org/pub/hardenedbsd/12-stable/ PORTS git git clone --single-branch --branch master https://git-01.md.hardenedbsd.org//hardenedbsd-ports.git /usr/ports/ tar.gz fetch -o hardenedbsd-ports.tar.gz ' https://git-01.md.hardenedbsd.org//hardenedbsd-ports/archive/... ' zip fetch --no-verify-peer -o hardenedbsd-ports.zip ' https://git-01.md.hardenedbsd.org//hardenedbsd-ports/archive/... ' Read more about installers August 2020 Status Report and Call for Donations Submitted by Shawn Webb on Sat, 08/15/2020 - 09:35 This last month has largely been a quiet one. I've restarted work on porting five-year-old work from the Code Pointer Integrity (CPI) project into . Chiefly, I've started forward-porting the libc and rtld bits from the CPI project and now need to look at llvm compiler/linker enhancements. We need to be able to apply SafeStack to shared objects, not just application binaries. This forward-porting work I'm doing is to support that effort. The infrastructure has settled and is now churning normally and happily. We're still working out bandwidth issues. We hope to have a new fiber line ran by the end of September. As part of this status report, I'm issuing a formal call for donations. I'm aiming for $4,000.00 USD for a newer self-hosted Gitea server. I hope to purchase the new server before the end of 2020. Last year, I migrated us away from GitHub as the source-of-truth for 's source code and ports tree. The server hosting the source is a rather ancient one (a > 10yo Dell R410) with insufficient CPU and RAM. I'm formally calling for donations to go towards a newer server to host our code. I wanted to self-host our source for a couple reasons: 1. A single source-of-truth under our control that we can monitor and guarantee the security of. 2. Provide unique access to the ecosystem. We provide Tor Onion Services for those who need it. We plan to deploy other mixnets, anonymization services, and privacy-related tech for reaching 's infrastructure in unique ways. We use Gitea as our code sharing platform. It has a similar look and feel to GitHub and provides bug reporting, wiki, and pull request features. Given that is downstream from FreeBSD, which shares a history greater than twenty five years, this places a huge burden on Gitea. It's having a hard time on our hand-me-down Dell R410 system and desperately needs an upgrade. We appreciate every type of contribution--whether it be financial, code, documentation, advocacy, or otherwise. would not exist without the continued help and support from the community. Tags: status report Read more about August 2020 Status Report and Call for Donations July 2020 Status Report Submitted by Shawn Webb on Tue, 07/14/2020 - 12:03 The filesystem extended attribute support work is now completed . As time progresses, more ports will be marked with toggles. I've started documenting which ports are marked with exploit mitigations toggled. On to a different subject: hosting network stability. Since the migration of the build infrastructure to BlackhawkNests's hosting facility, we've had a number of network-related issues, especially with regards to network stability. The stability issues have hopefully been worked out as of this morning. We're also in talks with Verizon FiOS and will hopefully switch to FiOS once installation is completed. The switch will also drastically increase available bandwidth. I'm also working on migrating our gitea instance from using sqlite as the database backend to mysql. Migrating to mysql should drastically increase speed and stability of our self-hosted git service. I will keep you, the community, updated with my progress. DEF CON and Jeff Moss have donated funds for a new development laptop for me. I received it last week and am migrating to it. Once the self-hosted git service work is completed, I plan to start completing our SafeStack integration such that SafeStack can be applied to shared objects, opening the door to applying SafeStack to our entire ecosystem (base world + ports). Tags: status report Read more about July 2020 Status Report Deep Integration of Filesystem Extended Attribute Support Submitted by Shawn Webb on Fri, 07/03/2020 - 15:13 I've been working on integrating filesystem extended attribute support in tmpfs, libarchive, and pkg(8). Other operating systems tag ELF objects with various flags. We in prefer not to use such a heavy-handed approach. Making use of filesystem extended attributes enables out-of-band (OOB) management of security flags. makes use of extended attributes to toggle exploit mitigations on a per-binary basis. Using an OOB method provides flexibility along with an easy avenue for future growth. I've made changes to libarchive in the base OS and have submitted a patch upstream. The patch takes a best-effort approach to restoring system-level extended attributes. Setting system-level extended attributes is a privileged operation. If an archive entry contains a systeam-level extended attribute and the extraction process is not privileged, setting the extended attribute will fail. The failure will be ignored and the extraction process will continue as normal. (The same holds true today without the patch.) Extended attribute support in tmpfs is a bare minimum, with the ability to add and list, but not remove extended attributes. Anyone desiring to provide complete extended attribute support is welcome to provide a patch. Finally, forked FreeBSD's package manager, aptly named pkg. The package manager must be aware of filesystem extended attributes. pkg can now include any filesystem extended attribute and is not limited to 's use. I will make some attempt at upstreaming the changes to pkg after the changes to libarchive have been upstreamed. The future is bright for filesystem extended attributes. One could imagine a future in which pkg stores the hash of files as extended attributes, and the kernel checks the hash against the stored attribute. The sky is the limit. I am now integrating exploit mitigation toggling into the ports tree such that ships packages with exploit mitigations toggled for those misbehaving applications (like firefox, java, nodejs, etc.) Read more about Deep Integration of Filesystem Extended Attribute Support June 2020 Status Report Submitted by Shawn Webb on Sun, 06/14/2020 - 14:18 Now that 's infrastructure has found its new home, it's time to ramp up development again. We're working out kinks with regards to bandwidth and hope to increase bandwidth to our infrastructure on the inside of two months. I've started working on adding filesystem extended attributes support to tmpfs. Once support is added, we should be able to integrate with ports/packages such that our users will no longer need to worry about toggling exploit mitigations--they'll already come pre-toggled for misbehaving applications. I suspect this work will take a few months to complete. I've never done filesystem development, so I'm treading new waters. Once filesystem extended attribute support is added, I plan to integrate exploit mitigation toggling in the ports tree. When all is said and done, I'm thinking around six months time frame. Granted, I have health issues, so there's no guarantees. I'll keep everyone updated. My next goal will be integration of SafeStack into the RTLD. This is needed in order to apply SafeStack to both shared libraries and applications. This integration work relates directly with Cross-DSO CFI support, since Cross-DSO CFI requires the same/similar types of integrations. I'm interviewing a few people to add to the Board of Directors. We've added Jordan Boland to the team. He will help maintain the infrastructure. I plan to get with him once the bandwidth issues have been resolved. I've includ...