Mitigations

• -fret-clean

• Arc4random

• ASLR

• Atexit hardening

• Compiler-powered hardening

• Control-flow integrity

• CPU microcode

• Development practises

• Disk encryption

• Embargoes handling

• Execute only memory

• Explicit_bzero and bzero

• Fork and exec

• FORTIFY_SOURCE

• Fuzzing

• KARL (Kernel Address Randomized Link)

• L1 Terminal Fault (L1TF), aka Foreshadow

• Lazy bindings

• Libc symbols randomization

• Library order randomization

• Mandatory W^X in userland

• MAP_CONCEAL

• MAP_STACK

• Memory Tagging

• Microarchitectural Data Sampling, aka Fallout, RIDL and Zombieload

• mimmutable

• Missing mitigations

• NULL-deref in kernel-land to code execution

• Packages updates

• Papers, academic research and threat model

• Passwords hashing

• PID randomization

• pinsyscall

• Pledge

• Position independent code

• Privsep and privdrop

• RELRO

• Reproducible builds

• Rootless Xorg

• ROP gadgets removal

• Secure boot and trusted boot

• Secure levels

• Setjmp and longjmp

• Signify

• SMAP, SMEP and their friends

• Spectre v1 — CVE-2017-5753

• Spectre v2 — CVE-2017-5715

• Spectre v3, aka Meltdown — CVE-2017-5754

• SROP mitigation

• Stack clash

• Stack cookies and RETGUARD

• Stance on memory-safe languages

• Strlcpy and strlcat

• Support of %n in printf

• SWAPGS — CVE-2019-1125

• Synthetic Memory Protections/syscall() "hardening"

• Tarpit

• TCP SYN cookies

• TIOCSTI hardening

• TRAPSLED

• Unveil

• Userland heap management

• W^X

• Zenbleed - CVE-2023-20593