Playing with Sandbox: An analysis of Capsicum

Blog post written by me and originally posted in 2015 on an information security company blog. Reproduced only for historical reasons.

Introduction

In this post we talk a little about sandbox. People that work and study software exploitation know the sandbox concept. This kind of feature when properly implemented on a system makes hard to exploit some kind of vulnerabilities, especially that involving memory corruption. In wikipedia we have a good reference about this:

“In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.”

The sandbox is a security mechanism that separates running processes. Basically we have a process with least privileges (target) and another process with greater privileges (broker). If the process with least privileges need execute some operation that is not allowed, a request is sent to the process with greater privileges that checks whether the operation has permissions to be executed and run with return to target (process with least privilege). Sandbox normally is used to protect the application and can also be used to provide a restricted environment for execute and test some malicious binaries, one example of this is Cuckoo Sandbox that used for malware analysis.

In this post we talk about Capsicum[1], is that a kind of sandbox developed by the University of Cambridge that support several common commands of the system such as tcpdump[2], hastd, dhclient, kdump and sshd as mentioned in the website[3]. The Capsicum is a new kind of sandbox but we have support for use in the FreeBSD and Linux[4]. The first experimental version was made only for FreeBSD[5] and available since version 9.0. This sandbox add two new features to the system, called capability mode and capabilities.

Here we introduced a rapid explanation about two modes. Capability mode is the feature that enable for the developers isolate processes allowing only that some system calls execute some tasks reducing the permissions of the process. Capabilities enables a more refined control over the files and devices. This post has more focus on the capability mode.

Continue reading “Playing with Sandbox: An analysis of Capsicum”

The role of hypothesis and a (old) way to escalate privileges on FreeBSD – O papel da hipótese e um modo de escalar privilégios no FreeBSD

English / Português

English:

I do not remember when, but certain day I decided to look for vulnerabilities in the FreeBSD kernel. As it was a long time ago, I do not remember almost any detail of the process, I just remember I found one NULL pointer dereference without reading the source code or using fuzzing techniques. Nowadays that is not one of the most interesting vulnerabilities because is necessary some tweaks  to be vulnerable and to allow exploitation but my goal with this post is also to write a bit about the discovery process.

Português:

Não lembro exatamente quando, mas um certo dia, decidi começar a procurar vulnerabilidades no kernel do FreeBSD. Como faz muito tempo, não lembro de quase nenhum detalhe do processo, apenas lembro, que sem ler o código-fonte e sem  usar técnicas de fuzzing, acabei descobrindo um NULL pointer dereference. Nos dias atuais essa não é uma das vulnerabilidade mais interessantes porque precisa de alguns ajustes para estar vulnerável e permitir a exploração, mas meu objetivo nesse post é também escrever um pouco sobre o processo de descoberta.

Continue reading “The role of hypothesis and a (old) way to escalate privileges on FreeBSD – O papel da hipótese e um modo de escalar privilégios no FreeBSD”