
RoundofThree/damn-vulnerable-freebsd-kernel-module


DVKM for CheriBSD

Damn Vulnerable Kernel Module for FreeBSD (untested) and CheriBSD (purecap and hybrid kernels). This is a work-in-progress research prototype. Analysis in another repository.

Vulnerabilities

  • Buffer overflow (write)
    • Stack
      • Standard
      • Subobject
    • Heap
      • General purpose kmem
        • Standard
        • Subobject
      • Dedicated UMA zone
        • Standard
        • Subobject
  • Linear memory disclosure (read)
    • Stack
      • Standard
      • Subobject
    • Heap
      • General purpose kmem
        • Standard
        • Subobject
      • Dedicated UMA zone
        • Standard
        • Subobject
  • Heap use after free (trigger malloc, free, read and write in separate invocations)
    • General purpose kmem zone (specify the size)
    • Dedicated UMA zone (specify the name)
  • Stack use after free (TODO: hardcoded, how do I make it more flexible?)
  • Arbitrary memory disclosure (read)
  • Arbitrary overwrite (write)
  • Arbitrary integer/pointer increment
  • Pointer hijack (TODO)
  • Uninitialized memory (read/write)
    • Stack
    • Heap
  • Double fetch
  • Leak pagetable l0
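The "Standard" versus "Subobject" split in the overflow entries above is the distinction between a write that runs past the end of the whole object and one that stays inside the object but crosses from one field into its neighbour. The following is an added illustration written for this page, not code from the DVKM repository: a constructed `struct record` with a name field followed by a role field, a copy routine that only bounds the write to the enclosing object (the subobject case, which allocation-granularity bounds such as a capability covering the whole struct do not catch), and the field-checked version that rejects the same input. The struct, field names and inputs are all constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not code from the DVKM repository): a record with a
 * fixed-size name field directly followed by a role field. */
struct record {
    char name[16];
    char role[8];
};

/* Vulnerable copy: the caller-supplied length is checked only against the
 * whole object, never against the `name` field. This is the "subobject"
 * case: the write never leaves the enclosing struct, so a bound covering
 * the whole allocation does not trip, yet it overwrites `role`. Writing
 * through a char pointer into the struct's own bytes keeps the demo well
 * defined in C. */
static void set_name_unchecked(struct record *r, const char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct record, name);
    size_t room = sizeof(*r) - offsetof(struct record, name); /* object bound only */
    if (len > room)
        len = room;
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];
}

/* Hardened copy: bounds-check against the field, not the object, and
 * always leave `name` NUL-terminated. Returns -1 on oversized input. */
static int set_name_checked(struct record *r, const char *src, size_t len)
{
    if (len >= sizeof(r->name))
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Constructed 22-byte input: 16 filler bytes fill `name` exactly, then
 * "admin" plus its NUL land on `role`. Returns the input length. */
static size_t make_input(char *buf)
{
    memset(buf, 'A', 16);
    memcpy(buf + 16, "admin", 6);
    return 22;
}

/* Role string after the unchecked copy: "admin", the neighbour was corrupted. */
const char *role_after_unchecked(void)
{
    static struct record r;
    char input[22];
    size_t len = make_input(input);
    memset(&r, 0, sizeof r);
    memcpy(r.role, "user", 5);
    set_name_unchecked(&r, input, len);
    return r.role;
}

/* Return code of the checked copy on the same input: -1, input rejected. */
int checked_rejects_long_input(void)
{
    struct record r = { "", "user" };
    char input[22];
    size_t len = make_input(input);
    return set_name_checked(&r, input, len);
}

/* Role string after the checked copy: still "user". */
const char *role_after_checked(void)
{
    static struct record r;
    char input[22];
    size_t len = make_input(input);
    memset(&r, 0, sizeof r);
    memcpy(r.role, "user", 5);
    (void)set_name_checked(&r, input, len);
    return r.role;
}
```

The "Standard" case is the same defect with the object bound removed as well; it is not demonstrated here because writing past a C object is undefined behaviour rather than a deterministic field clobber. The point of the pair is that a bound on the allocation alone is not enough: the copy routine must know the size of the field it actually fills.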

Build instructions

On a FreeBSD host (untested),

make

On a CheriBSD host, to build an A64 module for a hybrid kernel,

env MACHINE_ARCH=aarch64 make

And to build a C64 module for a purecap kernel,

make

Build artifacts are in obj/.

Issues

  • Because of the CHERI_CAPREVOKE and CHERI_CAPREVOKE_STATS macros, the offsets of vm_map emitted by the compiler (compiling natively on a Morello box) won't match the kernel's offsets.
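The mechanism behind that issue is a struct whose layout depends on a kernel option: a field that exists only when the option is defined shifts every field after it, so a module compiled without the option computes the wrong offsets. The following added example (written for this page, not code from the DVKM repository or CheriBSD) shows this with a constructed stand-in struct rather than the real `struct vm_map`, and includes the kind of load-time layout check a module can run before touching the kernel object. The struct names, the `revoke_stats` field and the way the kernel-side values are passed in are all assumptions for the demo.

```c
#include <stddef.h>

/* Constructed stand-ins (not CheriBSD's struct vm_map): the same struct as
 * seen with and without an option-dependent statistics field. The page
 * reports this kind of mismatch for CHERI_CAPREVOKE / CHERI_CAPREVOKE_STATS. */
struct revoke_stats {
    unsigned long epochs;
    unsigned long revoked;
};

struct demo_map_plain {          /* layout a module built without the option assumes */
    void *root;
    int flags;
    int nentries;
};

struct demo_map_with_stats {     /* layout a kernel built with the option actually has */
    void *root;
    struct revoke_stats stats;   /* present only under the option */
    int flags;
    int nentries;
};

/* Offsets of `flags` under each layout; they differ by sizeof(struct revoke_stats),
 * and on a purecap build the pointer-sized `root` field widens both further. */
size_t flags_offset_plain(void)      { return offsetof(struct demo_map_plain, flags); }
size_t flags_offset_with_stats(void) { return offsetof(struct demo_map_with_stats, flags); }

/* Load-time sanity check: compare the module's idea of the layout against
 * values describing the running kernel's build (here passed in as plain
 * numbers; how a real kernel exports them is not covered by the page).
 * Returns 1 when the module's layout is usable, 0 when it must refuse. */
int layout_matches(size_t kernel_size, size_t kernel_flags_offset)
{
    return kernel_size == sizeof(struct demo_map_plain)
        && kernel_flags_offset == offsetof(struct demo_map_plain, flags);
}
```

A module that hard-codes offsets, or that is compiled against headers without the kernel's option set, passes the first check and fails the second; refusing to load on mismatch is safer than silently reading the wrong field.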

References

About

An intentionally vulnerable CheriBSD kernel module for research purposes.
