State of the Hardened Union (2019)

Speaker: Shawn Webb

With FreeBSD renewing its focus on security, NetBSD's enabling of its PaX ASLR and NOEXEC implementations by default, OpenBSD's continued striving for code correctness and strangely attractive APIs, DragonFlyBSD's recent adoption of SMAP and SMEP, HardenedBSD's continued advancements in the adoption of Control-Flow Integrity (CFI) and SafeStack, it has never been a better time to work in information security within the BSDs.

This presentation dives into the intricacies of various exploit mitigations, their use cases, their weaknesses, the status of their adoption within each of the BSDs, and where we need to be in the future.

The goal of security is to raise the economic cost of successful exploitation. We will discuss in detail the different exploit mitigations, how they work, when and where each mitigation succeeds and fails, and the history behind each mitigation. Each mitigation can be implemented differently and care will be taken to discuss each difference within the BSDs, Linux, and Windows.

The BSDs are making great strides implementing innovative and unique solutions that protect us from monocultures. Diversity, even within the BSDs, provides users with different tools for solving difficult problems.

The BSDs, however, are at a point where collaboration regarding security vulnerabilities is critical in order to provide protection to an ever-wider audience. Though individual projects may disagree on the merits of certain technical implementations, diversity of thought throughout the vulnerability reporting lifecycle will ensure that the solutions resolving the vulnerability are robust, scalable, and don't introduce new issues. Increased collaboration, rather than "ad-hominem attacks as keynotes" will guarantee the strongest innovations in security going forward. Let's piss off the bad guys together!