===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- www/74.html 2023/10/15 10:45:56 1.89
+++ www/74.html 2023/10/15 11:13:48 1.90
@@ -644,37 +644,21 @@
Security improvements:
- - Enabled support for branch target identification (BTI) in both
- the kernel and userland. On hardware that supports this feature, it
- helps enforcing control flow integrity by making sure malicious code
- cannot jump into the middle of a function.
-
- Enabled support for pointer authentication (PAC) in userland. On
- hardware that supports this feature it helps enforcing control flow
- integrity by making sure malicious code cannot manipulate a
- function's return address.
-
- On the amd64 architecture, enabled support for indirect
- branch tracking (IBT) in both the kernel and userland. On hardware
- that supports this feature, it helps enforcing control flow integrity
- by making sure malicious code cannot jump into the middle of a
- function.
-
- On the arm64 architecture, enabled support for branch target
- identification (BTI) in both the kernel and userland. On hardware
- that supports this feature, it helps enforcing control flow integrity
- by making sure malicious code cannot jump into the middle of a
- function.
-
- On the arm64 architecture, enabled support for pointer
- authentication (PAC) in userland. On hardware that supports this
- feature it helps enforcing control flow integrity by making sure
- malicious code cannot manipulate a function's return address.
-
-Together with retguard these features protect against ROP attacks.
-Compiler defaults for base clang, ports clang and ports gcc (as well
-as some other non-C language family compilers in ports) have been
-changed to enable these features by default. As a result the vast
-majority of programs on OpenBSD (and all programs in the base system)
-run with these security features enabled.
-
Further security enhancements in this release are:
-
+ - Enable indirect branch tracking (IBT) on amd64 and branch target
+ identification (BTI) on arm64 in both the kernel and in userland.
+ On hardware that supports this feature, it helps enforcing
+ control flow integrity by making sure malicious code
+ cannot jump into the middle of a function.
+
- On the arm64 architecture, enable pointer authentication (PAC)
+ in userland on those machines where it works correctly.
+ It helps enforcing control flow integrity by making sure
+ malicious code cannot manipulate a function's return address.
+
- Together with retguard these two features protect against ROP attacks.
+ Compiler defaults for base clang, ports clang and ports gcc (as well
+ as some other non-C language family compilers in ports) have been
+ changed to enable these features by default. As a result the vast
+ majority of programs on OpenBSD (and all programs in the base system)
+ run with these security features enabled.
- Change malloc(3)
chunk sizes to be fine grained: chunk sizes are closer to the
requested allocation size.
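Review bot: In the added PAC item, "on those machines where it works correctly" leaves a reader unable to tell whether their arm64 machine actually gets return-address protection; state the condition or say where a user can check it. In the retguard item, "these two features" is ambiguous now that the first item names both IBT and BTI and the second names PAC: say explicitly that the pair meant is the branch-target check (IBT on amd64, BTI on arm64) plus PAC, and that of the items listed here only IBT is described for amd64. Smaller points: "On hardware that supports this feature" follows two named features, so "these features" reads better; "helps enforcing" should be "helps enforce"; and with the introductory paragraphs removed, "Further security enhancements in this release are:" now sits directly under the "Security improvements:" heading with nothing before it for "Further" to refer to.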