| version 1.89, 2023/10/15 10:45:56 |
version 1.90, 2023/10/15 11:13:48 |
|
|
| |
|
| <li>Security improvements: |
<li>Security improvements: |
| <ul> |
<ul> |
| <li>Enabled support for branch target identification (BTI) in both |
<li>Enable indirect branch tracking (IBT) on amd64 and branch target |
| the kernel and userland. On hardware that supports this feature, it |
identification (BTI) on arm64 in both the kernel and in userland. |
| helps enforcing control flow integrity by making sure malicious code |
On hardware that supports this feature, it helps enforcing |
| cannot jump into the middle of a function. |
control flow integrity by making sure malicious code |
| <li>Enabled support for pointer authentication (PAC) in userland. On |
cannot jump into the middle of a function. |
| hardware that supports this feature it helps enforcing control flow |
<li>On the arm64 architecture, enable pointer authentication (PAC) |
| integrity by making sure malicious code cannot manipulate a |
in userland on those machines where it works correctly. |
| function's return address. |
It helps enforcing control flow integrity by making sure |
| <li>On the amd64 architecture, enabled support for indirect |
malicious code cannot manipulate a function's return address. |
| branch tracking (IBT) in both the kernel and userland. On hardware |
<li>Together with retguard these two features protect against ROP attacks. |
| that supports this feature, it helps enforcing control flow integrity |
Compiler defaults for base clang, ports clang and ports gcc (as well |
| by making sure malicious code cannot jump into the middle of a |
as some other non-C language family compilers in ports) have been |
| function. |
changed to enable these features by default. As a result the vast |
| <li>On the arm64 architecture, enabled support for branch target |
majority of programs on OpenBSD (and all programs in the base system) |
| identification (BTI) in both the kernel and userland. On hardware |
run with these security features enabled. |
| that supports this feature, it helps enforcing control flow integrity |
|
| by making sure malicious code cannot jump into the middle of a |
|
| function. |
|
| <li>On the arm64 architecture, enabled support for pointer |
|
| authentication (PAC) in userland. On hardware that supports this |
|
| feature it helps enforcing control flow integrity by making sure |
|
| malicious code cannot manipulate a function's return address. |
|
| </ul> |
|
| <p>Together with retguard these features protect against ROP attacks.</p> |
|
| <p>Compiler defaults for base clang, ports clang and ports gcc (as well |
|
| as some other non-C language family compilers in ports) have been |
|
| changed to enable these features by default. As a result the vast |
|
| majority of programs on OpenBSD (and all programs in the base system) |
|
| run with these security features enabled.</p> |
|
| <p><br>Further security enhancements in this release are:</p> |
|
| <ul> |
|
| <li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
<li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
| chunk sizes to be fine grained: chunk sizes are closer to the |
chunk sizes to be fine grained: chunk sizes are closer to the |
| requested allocation size. |
requested allocation size. |
![[BACK]](/icons/back.gif){kind=icon}
Return to 74.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www