Address Space Layout Randomization (ASLR)

Base compiled as Position-Independent Executables (PIEs)

Base compiled with RELRO + BIND_NOW

Ports tree compiled with PIE, RELRO, and BIND_NOW

Static PIE

ASLR brute force protection (SEGVGUARD)

Prevention of the creation of writable and executable memory mappings (W^X part one)

Restrictions on mprotect to prevent switching pages between writable and executable (W^X part two)

sysctl hardening

Network stack hardening (IP ID randomization, use IPv6 temporary addresses)

Executable file integrity enforcement

Boot hardening

procfs/linprocfs hardening

LibreSSL in base as the default cryptography library

SROP mitigation

Most of base sandboxed

Trusted Path Execution

SafeStack in base

SafeStack available in ports

Non-Cross-DSO Control-Flow Integrity (CFI) in base

Non-Cross-DSO Control-Flow Integrity (CFI) available in ports

Base compiled with retpoline

Ports tree compiled with retpoline