[CALUG] April 11 Meeting Announcement - Shawn Webb on BSD Malware
Chuck Frain
chuck at chuckfrain.net
Thu Apr 5 20:32:10 EDT 2018
Greetings All!
For our April 11th meeting we'll be welcoming Shawn Webb of the HardenedBSD
porject.
Without exploit mitigations and with an insecure-by-default design, writing
malware for FreeBSD is a fun task, taking us back to 1999-era Linux exploit
authorship.
Several members of FreeBSD's development team have claimed that Capsicum, a
capabilities/sandboxing framework, prevents exploitation of applications.
Our in-depth analysis of the topics below will show that in order to be
effective, applying Capsicum to existing complex codebases lends itself to
wrapper-style sandboxing. Wrapper-style sandbox is a technique whereby
privileged operations get wrapped and passed to a segregated process, which
performs the operation on behalf of the capsicumized process. With a new
libhijack payload, we will demonstrate that wrapper-style sandboxing
requires ASLR and CFI for effectiveness. FreeBSD supports neither ASLR nor
CFI.
Tying into the wrapper-style Capsicum defeat, we'll talk about advances
being made with libhijack, a tool announced at Thotcon 0x4. The payload
developed in the Capsicum discussion will be used with libhijack, thus
making it easy to extend.
We will also learn the Mandatory Access Control (MAC) framework in FreeBSD.
The MAC framework places hooks into several key places in the kernel. We'll
learn how to abuse the MAC framework for writing efficient rootkits.
Attendees of this presentation should walk away with the knowledge to
skillfully
and artfully write offensive code targeting both the FreeBSD userland and
the kernel.
This presentation dives in depth regarding:
1) defeating wrapper-style Capsicum sandboxing with ret2sandbox_open
2) easy runtime process infection on amd64 and arm64
3) abusing the MAC framework to write rootkits
Shawn Webb is a cofounder of HardenedBSD, a hardened downstream distribution
of FreeBSD. With over a decade in infosec, he dabbles in both the offensive
and defensive aspects of the industry. On the advisory board for Emerald
Onion, Shawn believes in a more free and
open Internet. His whole house is wired for Tor. Getting on the Tor network
is only a network jack away!
We will be hosted at the UMBC Training Center, located at 6996 Columbia
Gateway Dr #100, Columbia, MD 21046. When you walk in through the main
lobby make a right. We will be at the end of the hall in the last room on
the right. Our friends at Aplura will be providing the pizza and soda
starting at 6:30. The talk will start about 7pm.
We are looking for speakers for the upcoming months. If you have a topic
you would like to present on, please let me know and I'll get you scheduled.
http://calug.org
https://www.umbctraining.com/Home
https://aplura.com
https://hardenedbsd.org
--
Chuck Frain
GPG Key: B2420431
http://www.chuckfrain.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.unknownlamer.org/pipermail/calug/attachments/20180405/c862ac32/attachment-0001.html>
More information about the CALUG
mailing list