version 1.80, 2019/06/01 22:54:16 |
version 1.81, 2019/06/01 23:12:48 |
|
|
(<a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
(<a href="https://man.openbsd.org/sigreturn.2">sigreturn(2)</a> |
oriented programming) mitigation: attacks researched by |
oriented programming) mitigation: attacks researched by |
<a href="http://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf">Eric Bosman</a> |
<a href="http://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf">Eric Bosman</a> |
and Herbert Bos in 2014, solution implemented by Theo de Raadt in May 2016, |
and Herbert Bos in 2014, solution implemented by Theo de Raadt in May 2016, |
enabled by default since OpenBSD 6.0. |
enabled by default since OpenBSD 6.0. |
<li><strong>Library order randomization</strong>: |
<li><strong>Library order randomization</strong>: |
In <a href="https://man.openbsd.org/rc.8">rc(8)</a>, re-link |
In <a href="https://man.openbsd.org/rc.8">rc(8)</a>, re-link |
|
|
innaccurately target gadgets. These NOP sequences are converted into |
innaccurately target gadgets. These NOP sequences are converted into |
trap sequences where possible. Todd Mortimer and Theo de Raadt, June |
trap sequences where possible. Todd Mortimer and Theo de Raadt, June |
2017. |
2017. |
<li><strong>Kernel relinking at boot</strong>: |
<li><strong>Kernel relinking at boot</strong>: |
the .o files of the kernel are relinked in random order from a |
the .o files of the kernel are relinked in random order from a |
link-kit, before every reboot. This provides substantial interior |
link-kit, before every reboot. This provides substantial interior |
randomization in the kernel's text and data segments for layout and |
randomization in the kernel's text and data segments for layout and |
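Review bot: "innaccurately" in the first visible line of this region (the sentence about NOP sequences being converted to trap sequences) is misspelled identically in 1.80 and 1.81. It should read "inaccurately"; fix it while this part of the page is being revised.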
|
|
kernel boot, similar to the userland fork+exec model described above |
kernel boot, similar to the userland fork+exec model described above |
but for the kernel. Theo de Raadt, June 2017. |
but for the kernel. Theo de Raadt, June 2017. |
<li> |
<li> |
Rearranged i386/amd64 register allocator order in |
Rearranged i386/amd64 register allocator order in |
<a href="https://man.openbsd.org/clang.1">clang(1)</a> |
<a href="https://man.openbsd.org/clang.1">clang(1)</a> |
to reduce polymorphic RET instructions: |
to reduce polymorphic RET instructions: |
Todd Mortimer, November 20, 2017. |
Todd Mortimer, November 20, 2017. |
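Review bot: the register-allocator entry opens with a bare <li> and no bold title, while the entries around it lead with one (<strong>Kernel relinking at boot</strong>, <b>MAP_STACK</b>). Give it a short title in the same form so the list scans consistently, and settle on either <strong> or <b> for entry titles, since both appear in the visible lines.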
|
|
embedded polymorphic RET instructions. Enhancements to |
embedded polymorphic RET instructions. Enhancements to |
<a href="https://man.openbsd.org/clang.1">clang(1)</a> |
<a href="https://man.openbsd.org/clang.1">clang(1)</a> |
Todd Mortimer, April 28, 2018 and onwards. |
Todd Mortimer, April 28, 2018 and onwards. |
<li><b>MAP_STACK</b> addition to |
<li><b>MAP_STACK</b> addition to |
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a> |
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a> |
allows opportunistic verification that the stack-register |
allows opportunistic verification that the stack-register |
points at stack memory, therefore catching pivots to non-stack |
points at stack memory, therefore catching pivots to non-stack |
|
|
<b>.openbsd.randomdata</b> section) to consistency-check the |
<b>.openbsd.randomdata</b> section) to consistency-check the |
return address on the stack. Implemented for AMD64 and ARM64 |
return address on the stack. Implemented for AMD64 and ARM64 |
by Todd Mortimer in OpenBSD 6.4. |
by Todd Mortimer in OpenBSD 6.4. |
<li><b>MAP_CONCEAL</b> addition to |
<li><b>MAP_CONCEAL</b> addition to |
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a> |
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a> |
disallows memory pages to be written to core dumps, preventing |
disallows memory pages to be written to core dumps, preventing |
accidental exposure of private information. |
accidental exposure of private information. |
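Review bot: in the MAP_CONCEAL entry, "disallows memory pages to be written to core dumps" is awkward and leaves the scope unclear. Suggest "prevents pages mapped with this flag from being written to core dumps", which ties the behaviour to the mmap(2) flag named in the entry title.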
|
|
<li><a href="https://man.openbsd.org/ping.8">ping(8)</a>: |
<li><a href="https://man.openbsd.org/ping.8">ping(8)</a>: |
Restructured to include IPv6 functionality and maintained by Florian Obser. |
Restructured to include IPv6 functionality and maintained by Florian Obser. |
The separate |
The separate |
<a href="https://man.openbsd.org/OpenBSD-6.0/ping6.8">ping6(8)</a> |
<a href="https://man.openbsd.org/OpenBSD-6.0/ping6.8">ping6(8)</a> |
was superseded on September 17, 2016, |
was superseded on September 17, 2016, |
and the new, combined version was released with OpenBSD 6.1. |
and the new, combined version was released with OpenBSD 6.1. |
<li><a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>: |
<li><a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>: |