From: "Peter G."
To: grarpamp@gmail.com, freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Exploit Lecture: Writing FreeBSD Malware
Date: Sat, 28 Apr 2018 14:53:46 +0200
List-Id: Technical Discussions relating to FreeBSD

Webb, next time when talking to any audience, remove your fucking hat.
That's basic human courtesy.

-- 
PG

On 28/04/2018 04:39, grarpamp wrote:
> https://www.youtube.com/watch?v=bT_k06Xg-BE
>
> Without exploit mitigations and with an insecure-by-default design,
> writing malware for FreeBSD is a fun task, taking us back to 1999-era
> Linux exploit authorship. Several members of FreeBSD's development
> team have claimed that Capsicum, a capabilities/sandboxing framework,
> prevents exploitation of applications. Our in-depth analysis of the
> topics below will show that in order to be effective, applying
> Capsicum to existing complex codebases lends itself to wrapper-style
> sandboxing. Wrapper-style sandboxing is a technique whereby privileged
> operations get wrapped and passed to a segregated process, which
> performs the operation on behalf of the capsicumized process. With a
> new libhijack payload, we will demonstrate that wrapper-style
> sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports
> neither ASLR nor CFI. Tying into the wrapper-style Capsicum defeat,
> we'll talk about advances being made with libhijack, a tool announced
> at Thotcon 0x4. The payload developed in the Capsicum discussion will
> be used with libhijack, thus making it easy to extend. We will also
> learn about the Mandatory Access Control (MAC) framework in FreeBSD.
> The MAC framework places hooks into several key places in the kernel.
> We'll learn how to abuse the MAC framework for writing efficient
> rootkits. Attendees of this presentation should walk away with the
> knowledge to skillfully and artfully write offensive code targeting
> both the FreeBSD userland and the kernel.
>
> https://twitter.com/lattera/status/989602709950029824
>
> Shawn Webb is a cofounder of HardenedBSD, a hardened downstream
> distribution of FreeBSD. With over a decade in infosec, he dabbles in
> both the offensive and defensive aspects of the industry. On the
> advisory board for Emerald Onion, Shawn believes in a more free and
> open Internet. His whole house is wired for Tor. Getting on the Tor
> network is only a network jack away!
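The wrapper-style sandboxing the quoted abstract describes, as an added example in C that is not part of this thread, the talk, libhijack or FreeBSD's own code: the sandboxed process hands a path to a segregated broker over a socketpair, the broker checks its policy and opens the file with its own ambient authority, and the resulting descriptor is passed back with SCM_RIGHTS. Everything below is assumed for illustration only: the one-byte-status wire format, the policy (read-only opens under one directory, no ".." components) and the names send_reply, recv_reply, policy_allows, broker_loop, start_broker, wrapper_open and demo. The scratch directory and its "secret=1" file are constructed by the example itself. cap_enter() is compiled in only on FreeBSD; elsewhere the same code runs without capability mode, so the broker's refusal is demonstrated but the kernel-enforced ECAPMODE on direct path opens is not.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>  /* cap_enter() exists only on FreeBSD */
#endif
#define REQ_MAX 1024  /* longest path the broker accepts (assumed limit) */
typedef union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } fdcmsg;

/* Reply = one status byte (0 = ok, else errno); on success the opened fd travels with it via SCM_RIGHTS. */
static int send_reply(int sock, int status, int fd) {
    unsigned char st = (unsigned char)status; fdcmsg u = { 0 };
    struct iovec iov = { .iov_base = &st, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (status == 0) {
        msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Sandbox side: returns the received fd, or -1 with errno set to the broker's status. */
static int recv_reply(int sock) {
    unsigned char st = 0; fdcmsg u = { 0 };
    struct iovec iov = { .iov_base = &st, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) { errno = EPIPE; return -1; }
    if (st != 0) { errno = st; return -1; }
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_type != SCM_RIGHTS) { errno = EPROTO; return -1; }
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}

/* Broker policy (assumed here): absolute path under dir, no ".." component. This check is the whole sandbox. */
static int policy_allows(const char *dir, const char *path) {
    size_t n = strlen(dir);
    if (path[0] != '/' || strncmp(path, dir, n) != 0 || path[n] != '/') return 0;
    for (const char *seg = path; *seg != '\0'; ) {  /* walk the "/"-separated components */
        const char *end = seg; while (*end != '\0' && *end != '/') end++;
        if (end - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        seg = (*end == '/') ? end + 1 : end;
    }
    return 1;
}

/* Broker: the segregated process that keeps ambient authority and opens files on request. */
static void broker_loop(int sock, const char *dir) {
    char req[REQ_MAX]; ssize_t n;
    while ((n = read(sock, req, sizeof req - 1)) > 0) {
        req[n] = '\0';
        int fd = policy_allows(dir, req) ? open(req, O_RDONLY) : (errno = EACCES, -1);
        send_reply(sock, fd < 0 ? errno : 0, fd);  /* the kernel duplicates fd into the sandbox */
        if (fd >= 0) close(fd);
    }
}

/* Fork the broker, then (FreeBSD only) enter capability mode: direct path opens now fail with ECAPMODE. */
static int start_broker(const char *dir, pid_t *pid) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0 || (*pid = fork()) < 0) return -1;
    if (*pid == 0) { close(sv[0]); broker_loop(sv[1], dir); _exit(0); }
    close(sv[1]);
#ifdef __FreeBSD__
    if (cap_enter() != 0) return -1;  /* elsewhere the process simply keeps its ambient authority */
#endif
    return sv[0];
}

/* The wrapper sandboxed code calls instead of open(path, O_RDONLY). */
static int wrapper_open(int sock, const char *path) {
    size_t len = strlen(path);
    if (len == 0 || len >= REQ_MAX) { errno = ENAMETOOLONG; return -1; }
    return write(sock, path, len) == (ssize_t)len ? recv_reply(sock) : -1;
}

/* End-to-end run on a constructed scratch dir: 0 = in-policy open served and ".." traversal refused with EACCES. */
static int demo(void) {
    char dir[64], allowed[REQ_MAX], evil[REQ_MAX], buf[16] = { 0 };
    snprintf(dir, sizeof dir, "/tmp/broker-demo-%ld", (long)getpid());
    snprintf(allowed, sizeof allowed, "%s/config", dir);
    snprintf(evil, sizeof evil, "%s/../../etc/passwd", dir);  /* escapes dir via ".." */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return 1;
    int fd = open(allowed, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret=1\n", 9) != 9) return 2;
    close(fd); pid_t pid; int rc = 0, sock = start_broker(dir, &pid);
    if (sock < 0) return 3;
    int rfd = wrapper_open(sock, allowed);
    if (rfd < 0 || read(rfd, buf, 9) != 9 || strcmp(buf, "secret=1\n") != 0) rc = 4;
    if (wrapper_open(sock, evil) != -1 || errno != EACCES) rc = 5;
    if (rfd >= 0) close(rfd); close(sock); waitpid(pid, NULL, 0); unlink(allowed); rmdir(dir);
    return rc;
}

int main(void) { return demo(); }  /* exit status 0 = wrapper round trip and policy refusal both worked */
```

Compile with cc -o broker-demo broker-demo.c and run it; exit status 0 means the in-policy open succeeded through the broker and the ".." request came back EACCES. What this layout shows about the abstract's claim is visible in policy_allows: once an attacker controls the sandboxed side, nothing stops it from issuing well-formed requests, so the broker's policy is the only boundary left, and the design leans on the sandboxed process being hard to hijack in the first place, which is the role the abstract assigns to ASLR and CFI.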