Exploit Lecture: Writing FreeBSD Malware

Zenaan Harkness zen at freedbms.net
Fri Apr 27 22:28:08 PDT 2018

On Fri, Apr 27, 2018 at 10:39:38PM -0400, grarpamp wrote:
> https://www.youtube.com/watch?v=bT_k06Xg-BE
> Without exploit mitigations and with an insecure-by-default design,
> writing malware for FreeBSD is a fun task, taking us back to 1999-era
> Linux exploit authorship. Several members of FreeBSD's development
> team have claimed that Capsicum, a capabilities/sandboxing framework,
> prevents exploitation of applications. Our in-depth analysis of the
> topics below will show that in order to be effective, applying
> Capsicum to existing complex codebases lends itself to wrapper-style
> sandboxing. Wrapper-style sandbox is a technique whereby privileged
> operations get wrapped and passed to a segregated process, which
> performs the operation on behalf of the capsicumized process.

seL4 for the lowest-latency IPC for any such wrapping, sanboxing,
secure-by-default design you might dream up.

> With a
> new libhijack payload, we will demonstrate that wrapper-style
> sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports
> neither ASLR nor CFI. Tying into the wrapper-style Capsicum defeat,
> we'll talk about advances being made with libhijack, a tool announced
> at Thotcon 0x4. The payload developed in the Capsicum discussion will
> be used with libhijack, thus making it easy to extend. We will also
> learn the Mandatory Access Control (MAC) framework in FreeBSD. The MAC
> framework places hooks into several key places in the kernel. We'll
> learn how to abuse the MAC framework for writing efficient rootkits.
> Attendees of this presentation should walk away with the knowledge to
> skillfully and artfully write offensive code targeting both the
> FreeBSD userland and the kernel.
> https://twitter.com/lattera/status/989602709950029824
> Shawn Webb is a cofounder of HardenedBSD, a hardened downstream
> distribution of FreeBSD. With over a decade in infosec, he dabbles in
> both the offensive and defensive aspects of the industry. On the
> advisory board for Emerald Onion, Shawn believes in a more free and
> open Internet. His whole house is wired for Tor. Getting on the Tor
> network is only a network jack away!
> https://www.youtube.com/user/CarolinaConVideos/videos
> CarolinaCon was started in 2005 and has been held every year since.
> With each passing year the conference continues to grow and attract
> more attendees and speakers. As has always been the case, CarolinaCon
> is put together and run by an all-volunteer staff. CarolinaCon is
> proudly brought to you by "The CarolinaCon Group". The CarolinaCon
> Group is a non-profit organization registered in the state of NC,
> dedicated to educating the local and global communities about
> technology, information/network/computer security, and information
> rights.
> The CarolinaCon Group is also closely associated with various 2600
> chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the
> volunteers who help develop and deliver CarolinaCon come from those
> chapters.

More information about the cypherpunks mailing list