===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/65.html,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- www/65.html 2019/04/13 03:15:36 1.75
+++ www/65.html 2019/04/13 03:20:06 1.76
@@ -144,46 +144,44 @@
Security improvements:
- -
- unveil(2) has been
- improved to understand and find covering unveil matches above the
- working directory of the running process for relative path accesses.
- As a result many programs now can use unveil in broad ways such as
- unveil("/", "r");
-
-
- unveil(2) no longer
- silently allows
- stat(2) and
- access(2) to work on any
- unveiled path component.
-
- Now using unveil(2) in
- ospfd(8),
- ospf6d(8),
- rebound(8),
- getconf(1),
- kvm_mkdb(8),
- bdftopcf(1),
- Xserver(1),
- passwd(1),
- spamlogd(8),
- spamd(8),
- sensorsd(8),
- snmpd(8),
- htpasswd(1),
- ifstated(8).
- Some pledge(2)
- changes were required to accommodate unveil.
-
- ROP mitigations in clang(1)
- have been improved, resulting in a significant decrease in the number
- of polymorphic ROP gadgets in binaries on i386/amd64.
-
- RETGUARD performance and security has been improved in
- clang(1)
- by keeping data on registers instead of on the stack when possible,
- and lengthing the epilogue trapsled on amd64 to consume the rest
- of the cache line before the return.
-
- RETGUARD replaces the stack protector on amd64 and arm64,
- since RETGUARD instruments every function that returns and provides
- better security properties than the traditional stack protector.
+
- unveil(2) has been
+ improved to understand and find covering unveil matches above the
+ working directory of the running process for relative path accesses.
+ As a result many programs now can use unveil in broad ways such as
+ unveil("/", "r");
+
- unveil(2) no longer
+ silently allows
+ stat(2) and
+ access(2) to work on any
+ unveiled path component.
+
- Now using unveil(2) in
+ ospfd(8),
+ ospf6d(8),
+ rebound(8),
+ getconf(1),
+ kvm_mkdb(8),
+ bdftopcf(1),
+ Xserver(1),
+ passwd(1),
+ spamlogd(8),
+ spamd(8),
+ sensorsd(8),
+ snmpd(8),
+ htpasswd(1),
+ ifstated(8).
+ Some pledge(2)
+ changes were required to accommodate unveil.
+
- ROP mitigations in clang(1)
+ have been improved, resulting in a significant decrease in the number
+ of polymorphic ROP gadgets in binaries on i386/amd64.
+
- RETGUARD performance and security has been improved in
+ clang(1)
+ by keeping data on registers instead of on the stack when possible,
+ and lengthing the epilogue trapsled on amd64 to consume the rest
+ of the cache line before the return.
+
- RETGUARD replaces the stack protector on amd64 and arm64,
+ since RETGUARD instruments every function that returns and provides
+ better security properties than the traditional stack protector.
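Review bot: In the RETGUARD performance item near the end of the hunk, the added line "and lengthing the epilogue trapsled on amd64 to consume the rest" carries the misspelling "lengthing" over unchanged from the removed line. Since every line of the list is being rewritten here anyway, correct it to "lengthening" in the same commit. The same item reads "RETGUARD performance and security has been improved"; with a compound subject that should be "have been improved". The rest of the visible text is identical between the removed and added sides, so the change appears to be markup or whitespace only, and the commit message should say so to make clear that no security claim was altered.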