But I did want to share it as it directly affects our favorite OS.
The latest development version (8.0-CURRENT at the time of this writing) of FreeBSD has introduced stack-smashing detection and protection for the kernel by utilizing the incorporation of SSP in GCC [1, 2]. This creates an increased interest in exploring the FreeBSD kernel heap implementation, or zone allocator to be more precise, from a security perspective since it currently provides no exploitation mitigation mechanisms.
This paper presents my findings on exploiting FreeBSD's kernel memory allocator, or UMA - the universal memory allocator [3, 4], on the IA-32 platform. While a certain amount of knowledge of the FreeBSD kernel's internals and IA-32 assembly would be useful in following the paper, they are not strictly required. All presented details and supporting code have been tested on FreeBSD 7.0, 7.1, 7.2 and 8.0-CURRENT from 20090511, but since 7.2 is the latest stable version all code excerpts have been taken from it.
Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article