From the 39c3: Escaping Containment: A Security Analysis of FreeBSD Jails

I'll just drop off the kids and head to the train station tomorrow morning. There was no ticket for me, and I had no space in my schedule anyway. Maybe in the afternoon on the plaza at the entry, depends on several things...
 
Well, what was the verdict? I see 5 POC in the repo but the first one is using ipf. So 4 POC I care about.

How bad are they?
 
The short of it:
  • There are many kernel subsystems that predate jails and were written with a "root is root" assumption. Later "jail root is not universally root" came in but wasn't completely backpatched to all those subsystems.
  • Some sysctls give kernel data useful to help exploitation, for system stat utilities. This should be solved differently.
  • Using Rust would have prevented a majority of the bugs found (I think they said majority).
  • They also recommend turning on integer overflow/underflow checking if your language supports it.
 
I'm getting a 503 at the moment. So if you get that too, it's not only you.
 
A thing I'm really curious about, would these appear as security advisories? I'm a bit concerned they don't seem to be, but also I'm not familiar with the process.
 

Good question. But there are some more code changes to do.
 