Unfortunately, HardenedBSD is nothing more but a PR campaign from a one person who feels rejected due to poor code quality and bad reviews from FreeBSD developers who expect a bit more than just throwing random patches around and saying 'here, I fixed all these security problems with three lines of code'. I would recommend taking HardenedBSD and its announcements with a huge portion of salt.
The funny part is that FreeBSD has had years to even implement anything as simple as ASLR but it didn't and instead starting to reject other peoples code.
What HardenedBSD did is basically following the PaX model which has been documented for a long time[1].
It seems like FreeBSD is just lacking any developers willing to deal with these security features or let alone upstream it because its usually a pain in the ass to upstream stuff like this just look how Linux is having a hard time implementing even basic stuff from grsecurity.
Exploit mitigations are not for fixing those security problems it is to make it harder to exploit certain vulnerabilities.
The funny part is that even amongst top security researchers there doesn't seem to be an agreement over the fact if ASLR is worth anything, as it was proved to be breakable in no time. And it seems like grsecurity code suffers the same problems as the code from HardenedBSD, that is the quality matching the respective project's standards.
Who are these top security researchers?
ASLR on its own is useless but security is about layers there isn't one mitigation to rule em all.
But ASLR combined with other features work very well, the funny part about FreeBSD that you can just apply 90s blog post about smashing the stack and you can exploit with it.
grsecurity code is clean and uses some neat tricks with the C language, most features have been there for at least a decade and recently things like RAP have come along but its all pretty clean.
The problem with upstreaming is that you will have people that think the code is shit or doesn't work properly or all kinds of other stuff and that takes a lot of time that could be spent somewhere else.
About the quality matching the respective project's standards is bullshit because many developers aren't security engineers or have never dealt with exploit mitigation's and instantly think/say the code is shit, biggest reason why Linux will never get actual important features from grsecurity because it takes lots of time and developers that actually understand what they are doing.
FreeBSD just doesn't have those developers and neither has Linux, now you know why out of tree patches just work for this kind of stuff.
Microsoft seems to take the upper hand in exploit mitigation's at the moment.
