CharmBUG Presentation - Writing FreeBSD Malware

Hosted By
shirkdog

Details

Our next formal CharmBUG meeting will be held at Onyx Point in Hanover, MD. The goal for this meeting will be to discuss any BUG topics, or general issues, followed by a presentation on writing FreeBSD Malware.

Information from Onyx Point:

Our office building may require assistance for wheelchair accessibility. Please use the telephone number on the door if you have access issues or have arrived late. Restrooms and on-site parking are available.

Thanks go out to Onyx Point for allowing us to host our CharmBUG meetup in their office space.

The abstract for the "Writing FreeBSD Malware" presentation is as follows:

Without exploit mitigations and with an insecure-by-default design, writing malware for FreeBSD is a fun task, taking us back to 1999-era Linux exploit authorship.

Several members of FreeBSD's development team have claimed that Capsicum, a capabilities/sandboxing framework, prevents exploitation of applications. Our in-depth analysis of the topics below will show that in order to be effective, applying Capsicum to existing complex codebases lends itself to wrapper-style sandboxing. Wrapper-style sandboxing is a technique whereby privileged operations get wrapped and passed to a segregated process, which performs the operation on behalf of the capsicumized process. With a new libhijack payload, we will demonstrate that wrapper-style sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports neither ASLR nor CFI.

Tying into the wrapper-style Capsicum defeat, we'll talk about advances being made with libhijack, a tool announced at Thotcon 0x4. The payload developed in the Capsicum discussion will be used with libhijack, thus making it easy to extend.

We will also learn about the Mandatory Access Control (MAC) framework in FreeBSD. The MAC framework places hooks into several key places in the kernel. We'll learn how to abuse the MAC framework for writing efficient rootkits.

Attendees of this presentation should walk away with the knowledge to skillfully and artfully write offensive code targeting both the FreeBSD userland and the kernel.

This presentation dives in depth regarding:

  1. defeating wrapper-style Capsicum sandboxing with ret2sandbox_open
  2. easy runtime process infection on amd64 and arm64
  3. abusing the MAC framework to write rootkits

CharmBUG (Baltimore Area BSD User Group)
Onyx Point
7050 Hi Tech Drive, Suite 102 · Hanover, MD