KERNEL EXPLOITATION

FreeBSD

We have investigated in depth the exploitation of kernel vulnerabilities on the FreeBSD operating system. Our research on this subject is divided into three parts.

The first part covers the exploitation of kernel stack overflow vulnerabilities. In order to assist vulnerability researchers explore the FreeBSD kernel we have prepared a step-by-step debugging guide in the following article:

Our development process for FreeBSD kernel stack exploits has been documented in the article below:

Detailed results on the subject, along with a hands-on workshop, were presented at the University of Piraeus Software Libre Society Event #16 on Computer Security:

The second part of our research focuses on a security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We demonstrate how UMA overflows can lead to arbitrary code execution in the context of the FreeBSD kernel, and we develop an exploitation methodology for privilege escalation and kernel continuation:

Our definitive all-inclusive work on the subject of FreeBSD kernel exploitation was presented in Barcelona at Black Hat Europe 2010 Briefings. The talk included an exploitation demo of a 0-day vulnerability we had discovered (CVE-2010-2020):

The third part of our research consists of vulnerabilities that we have discovered in the FreeBSD kernel and the reliable exploits we have developed for them.

We have also developed exploits for known FreeBSD kernel vulnerabilities, such as the following:

Linux

Linux kernel allocator study:

Vulnerabilities we have discovered in the Linux kernel:

OpenSolaris

Proof-of-concept exploits for known vulnerabilities of the OpenSolaris kernel.