===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- www/74.html 2023/10/14 19:47:37 1.78
+++ www/74.html 2023/10/14 19:53:05 1.79
@@ -594,6 +594,39 @@
Security improvements:
+ - We enabled support for branch target identification (BTI) in both
+ the kernel and userland. On hardware that supports this feautre, it
+ helps enforcing control flow integrety by making sure malicious code
+ cannot jump into the middle of a function.
+
- We enabled support for pointer authentication (PAC) in userland. On
+ hardware that supports this feature it helps enforcing control flow
+ integrety by making sure malicious code cannot manipulate a
+ function's return address.
+
- On the amd64 architecture, we enabled support for indirect
+ branch tracking (IBT) in both the kernel and userland. On hardware
+ that supports this feature, it helps enforcing control flow integrety
+ by making sure malicious code cannot jump into the middle of a
+ function.
+
- On the arm64 architecture, we enabled support for branch target
+ identification (BTI) in both the kernel and userland. On hardware
+ that supports this feature, it helps enforcing control flow integrety
+ by making sure malicious code cannot jump into the middle of a
+ function.
+
- On the arm64 architecture, we enabled support for pointer
+ authentication (PAC) in userland. On hardware that supports this
+ feature it helps enforcing control flow integrety by making sure
+ malicious code cannot manipulate a function's return address.
+
+
+Together with retguard these features protect against ROP attacks.
+
+Compiler defaults for base clang, ports clang and ports gcc (as well
+as some other non-C language family compilers in ports) have been
+changed to enable these features by default. As a result the vast
+majority of programs on OpenBSD (and all programs in the base system)
+run with these security features enabled.
+
+
- Change malloc(3)
chunk sizes to be fine grained: chunk sizes are closer to the
requested allocation size.
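Review bot: the five new bullets in this hunk say the same thing twice: the first BTI bullet ("We enabled support for branch target identification (BTI) in both the kernel and userland") and the first PAC bullet repeat, almost word for word, the later "On the arm64 architecture, we enabled support for branch target identification (BTI)" and "On the arm64 architecture, we enabled support for pointer authentication (PAC)" bullets, so the release notes will list BTI and PAC twice; drop the two architecture-less copies and keep the amd64 IBT, arm64 BTI and arm64 PAC entries. The added text also needs spelling and grammar fixes before it is published: "feautre" should be "feature", "integrety" appears four times and should be "integrity", and "helps enforcing control flow integrity" reads better as "helps enforce control flow integrity". The doubled empty "+" lines after the PAC bullet and after the compiler-defaults paragraph leave stray blank lines in the rendered list and can be reduced to one each.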
@@ -618,23 +651,6 @@
output, safely escape non-printable characters
in messages that may include file names,
and truncate times to the correct maximum value.
-
-
-
-
-
- On amd64, enable Indirect Branch Tracking (IBT) for the kernel.
-
- Enable branch target control flow enforcement on arm64.
-
- In clang on amd64, emit IBT endbr64 instructions by default (meaning,
- -fcf-protection=branch is the default).
-
- On arm64, implement support for pointer authentication (PAC) in userland.
-
- In clang(1),
- turn on pointer-authentication on arm64 by default.
-
- Enable Indirect Branch Tracking (IBT) for amd64 userland.
-
- Prevent patch(1)
- from modifying files outside of the current working directory and
- subdirectories using unveil(2).
-
Changes in the network stack:
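Review bot: this hunk removes more than the IBT/BTI/PAC bullets that the new consolidated section replaces. The item "Prevent patch(1) from modifying files outside of the current working directory and subdirectories using unveil(2)" is a separate security change that nothing in the added text covers, so it disappears from the release notes entirely; keep that bullet in place. The removed clang line also carried the concrete detail that "-fcf-protection=branch is the default" on amd64, whereas the replacement paragraph only says compiler defaults "have been changed to enable these features by default"; consider carrying the flag name over so users know which option now applies.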