[Tor-BSD] Hardened Tor
Shawn Webb
shawn.webb at hardenedbsd.org
Sat Jan 27 12:02:35 EST 2018
Hey All,

The HardenedBSD 12-CURRENT/amd64 package build just finished, applying
retpoline to the entirety of the ports tree/package repo. Applying
retpoline helps mitigate one of the Spectre variants.

This means that Tor on HardenedBSD 12-CURRENT/amd64 is compiled with:

1. PIE
2. Full RELRO (RELRO + BIND_NOW)
3. CFI (with the cfi-icall scheme disabled)
4. SafeStack
5. Retpoline

All of these layers are going to make life very difficult for an
attacker attempting to exploit the tor daemon itself. If you have any
further suggestions on hardening the tor daemon, please let me know.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE