| ▲ | landr0id 9 hours ago |
| FreeBSD didn’t have user land ASLR until 2019 and, amongst other mitigations, still doesn’t have kASLR. It’s not a serious operating system for people who care about security. If you want FreeBSD and security take Shawn Webb’s HardenedBSD. |
|
| ▲ | kelnos 9 hours ago | parent | next [-] |
| Last I read, ASLR is a good thing to have, but overall is usually not difficult to defeat. It's a speed bump, not a brick wall. I don't think it's reasonable to say that an OS that lacks it isn't "serious" about security. |
| |
| ▲ | landr0id 9 hours ago | parent [-] | | >Last I read, ASLR is a good thing to have, but overall is usually not difficult to defeat. For local attackers there may be easier avenues to leak the ASLR slide, but for remote attackers it's almost universally agreed it significantly raises the bar. >I don't think it's reasonable to say that an OS that lacks it isn't "serious" about security. When they implemented it in 2019 it had been an 18-year-old mitigation. If you are serious about security, you implement everything that raises the bar. The term "defense-in-depth" exists for a reason, and ASLR is probably one of the easiest and most effective defense-in-depth measures you can implement that doesn't necessarily require changes from existing code other than compiling with -pie. |
|
|
| ▲ | abrookewood 8 hours ago | parent | prev | next [-] |
| Is there anywhere that provides a good overview of the various OS protection technologies/approaches that exist and which OSes have implemented them? |
|
| ▲ | user3939382 9 hours ago | parent | prev [-] |
| So you have one example in hand and trash talked FreeBSD’s entire security team. Bold claims are fine but this is lazy. FreeBSD isn’t secure, I suspect you’re sitting on a pile of 0 days for it? |
| |
| ▲ | landr0id 9 hours ago | parent [-] | | Ask yourself why Mythos was so easily able to develop a remote STACK buffer overflow vulnerability. | | |
| ▲ | nozzlegear 8 hours ago | parent [-] | | Define "so easily"? | | |
| ▲ | landr0id 7 hours ago | parent [-] | | They exploited a linear stack buffer overflow. Not a write-what-where or arb write. A linear stack buffer overflow in 2026! There are at least two distinct failures there: 1. No strong stack protectors. 2. No kASLR. That's 20-year-old exploit methodology. |
|
|
|
