
RoundofThree/damn-vulnerable-freebsd-kernel-module


DVKM for CheriBSD

Damn Vulnerable Kernel Module for FreeBSD and CheriBSD (purecap kernel). This is a work-in-progress research prototype tool.

Vulnerabilities

  • Buffer overflow (write)
    • Stack
      • Standard
      • Subobject
    • Heap
      • General purpose kmem
        • Standard
        • Subobject
      • Dedicated UMA zone
        • Standard
        • Subobject
  • Linear memory disclosure (read)
    • Stack
      • Standard
      • Subobject
    • Heap
      • General purpose kmem
        • Standard
        • Subobject
      • Dedicated UMA zone
        • Standard
        • Subobject
  • Heap use after free (trigger malloc, free, read and write in separate invocations)
    • General purpose kmem zone (specify the size)
    • Dedicated UMA zone (specify the name)
  • Stack use after free (TODO: hardcoded, how do I make it more flexible?)
  • Arbitrary memory disclosure (read)
  • Arbitrary overwrite (write)
  • Arbitrary integer/pointer increment
  • Pointer hijack (TODO)
  • Uninitialized memory (read/write)
    • Stack
    • Heap
  • Double fetch
  • Leak pagetable l0

Build instructions

It's only tested with clang.

In a FreeBSD host,

make

In a CheriBSD host, to build an A64 module for a hybrid kernel,

env MACHINE_ARCH=aarch64 make

And to build a C64 module for a purecap kernel,

make

Build artifacts are in obj/.

Issues

  • Due to the CHERI_CAPREVOKE and CHERI_CAPREVOKE_STATS macros, the vm_map field offsets emitted by the compiler (when compiling natively on a Morello box) won't match the offsets used by the running kernel.

References

About

An intentionally vulnerable CheriBSD kernel module for research purposes.
