by symtos 3699 days ago
why not freebsd? the freebsd project seems to focus exclusively on post-attack with jails and trustedbsd mac. fbsd has not implemented any of the modern exploit mitigation techniques. i mean, even os x has had full aslr since 2012 lol.

some years ago fbsd was forked to hardenedbsd which has aslr, mprotect restrictions, non-exec pages on cpus w/o NX, randomized lib loading order, etc. i guess the freebsd project is too busy fighting meritocracy cus none of it has been merged as far as i can tell.

as for linux, plenty has been written on linus' stance on what he considers to be a "security circus"; and the mantra on lkml is still that "a bug is a bug". just watch oss-sec and see distro people wading through kernel commit logs (hyperbole) cus sec-related bugs usually aren't reported downstream.


no. did you read the first paragraph?

> FreeBSD lacks basic low-level exploit mitigation, such as Address Space Layout Randomization (ASLR)

the whitepaper you linked was published in 2014 by Shawn Webb, one of the people behind the hardenedbsd fork. that same year a submission for review was opened on phabricator[1] re. merging their aslr work in mainline fbsd.

it was closed on 2015-10-19:

> Closing this revision. FreeBSD is free to pull from HardenedBSD.

another aslr review request was then created on 2016-03-10 by Konstantin Belousov[2]:

> This revision needs review, but there are no reviewers specified.

that same day he sent a call for testing to freebsd-arch[3].

there is also a bugzilla ticket[4] for the people waiting for freebsd to catch up with 2001.

1: https://reviews.freebsd.org/D473

2: https://reviews.freebsd.org/D5603

3: https://lists.freebsd.org/pipermail/freebsd-arch/2016-March/...

4: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=181497
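Since the whole thread turns on whether a host actually has ASLR, here is an added example (not from any of the commenters) that checks empirically: it samples the placement of libc, a malloc-backed buffer and an anonymous mmap across freshly exec'd processes and reports which regions moved. It assumes a POSIX system with a ctypes-capable python3 on PATH.

```python
"""Empirical ASLR check: sample addresses across fresh processes.
Added example, not from the thread. Assumes POSIX + ctypes-capable python3."""
import subprocess
import sys
from typing import Dict, List

# Child snippet, run in a brand-new process per sample. A fresh exec is
# essential: fork() alone inherits the parent's layout, only exec re-randomizes.
CHILD = r"""
import ctypes, mmap
libc = ctypes.CDLL(None)                      # global symbol namespace, includes libc
print("libc", ctypes.cast(libc.printf, ctypes.c_void_p).value)
buf = bytearray(4096)                         # 4 KiB buffer: malloc-backed
print("heap", ctypes.addressof(ctypes.c_char.from_buffer(buf)))
m = mmap.mmap(-1, 4096)                       # anonymous mapping
print("mmap", ctypes.addressof(ctypes.c_char.from_buffer(m)))
"""


def sample_once() -> Dict[str, int]:
    """Spawn one child and parse its 'region address' lines."""
    out = subprocess.run([sys.executable, "-c", CHILD], check=True,
                         capture_output=True, text=True).stdout
    return {k: int(v) for k, v in (ln.split() for ln in out.splitlines() if ln)}


def collect(runs: int) -> Dict[str, List[int]]:
    """Gather `runs` independent samples per region."""
    samples: Dict[str, List[int]] = {}
    for _ in range(runs):
        for region, addr in sample_once().items():
            samples.setdefault(region, []).append(addr)
    return samples


def randomized_regions(samples: Dict[str, List[int]]) -> Dict[str, bool]:
    """A region counts as randomized if its address differed across runs.
    With few runs a false negative is possible; a stable address over many
    runs is strong evidence the mitigation is off for that region."""
    return {region: len(set(addrs)) > 1 for region, addrs in samples.items()}


if __name__ == "__main__":
    for region, ok in randomized_regions(collect(runs=8)).items():
        print(f"{region:5s} {'randomized' if ok else 'STABLE (no ASLR observed)'}")
```

A single region reporting STABLE while others move is itself informative, since brk-heap, mmap and library base randomization are separate knobs on most kernels.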