OpenBSD 6.4
BSD Release: OpenBSD 6.4
The project has released OpenBSD 6.4, which includes many driver improvements, a feature that allows OpenSSH’s configuration files to use service names instead of port numbers, and a Clang compiler that replaces some risky ROP instructions with safe alternatives. Perhaps the most interesting feature is the unveil() system call, which allows applications to sandbox themselves by blocking their own access to the file system. This is especially useful for programs that operate on unknown data that may try to exploit or crash the application: “New unveil(2) system call … is most powerful when properly combined with privilege separation and pledge(2).”
Other security improvements include: “Implemented MAP_STACK option for mmap(2); new RETGUARD security mechanism on amd64 and arm64 – use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets ….”
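The unveil(2) and pledge(2) combination described above can be sketched as follows. This is an added example, not code from the OpenBSD project: `lock_down` and `can_open` are hypothetical helper names, the paths are chosen for illustration, and on systems other than OpenBSD the helper fails closed with ENOSYS.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* lock_down (hypothetical helper): allow read-only access under `dir` only,
 * lock the unveil list, then reduce the process to the "stdio rpath" pledge
 * promises. Returns 0 on success, -1 with errno set on failure. */
int lock_down(const char *dir)
{
#ifdef __OpenBSD__
    if (unveil(dir, "r") == -1)        /* expose only `dir`, read-only */
        return -1;
    if (unveil(NULL, NULL) == -1)      /* no further unveil() calls allowed */
        return -1;
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
#else
    (void)dir;
    errno = ENOSYS;                    /* no unveil/pledge here: fail closed */
    return -1;
#endif
}

/* can_open (hypothetical helper): 1 if `path` opens read-only, else 0. */
int can_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    /* Illustrative paths: /etc/hosts is outside the unveiled directory. */
    printf("before: /etc/hosts %s\n", can_open("/etc/hosts") ? "open" : "denied");
    if (lock_down("/var/empty") == -1) {
        perror("lock_down");           /* do not handle untrusted input unsandboxed */
        return 1;
    }
    /* From here on, the same open() is refused by the kernel. */
    printf("after:  /etc/hosts %s\n", can_open("/etc/hosts") ? "open" : "denied");
    return 0;
}
```

Calling `lock_down` before any untrusted data is parsed is what limits the damage: a later bug in the parser cannot reach files outside the unveiled directory.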