Hacking UNIX with FreeBSD Jail(8), Secure Virtual Servers

Presented at DEF CON 14 (2006), Aug. 5, 2006, 1 p.m. (50 minutes)

FreeBSD Jails are a time-tested, secure UNIX virtual machine with endless uses. Early UNIX mainframe computing brought elegant process- and resource-sharing systems, which helped get more application use out of expensive hardware. These concerns have largely been pushed aside with the rise of desktop PCs and large farms of ever-shrinking pizza boxes in the data center. Today, as more punch gets packed into 1U than ever, server resources can be consolidated and abstracted again, securely separating complex and sophisticated services on the same physical server by running secure virtual UNIX machines.

Who wants jails?

  • System administrators who need to securely separate small yet important services.
  • Software developers who always need more dev machines to hack amok.
  • Root-kit testing and debugging.
  • Educators who could use virtual machines to provide clean UNIX server systems for student use.
  • Anyone who wants *secure* virtual machines.

Why would you want jail(8)? The design of jail(8) and jail(2) is small and secure, and because jails use native system utilities they are simple for any UNIX hacker to work with: a very shallow learning curve. They're great for userland-level hacking and development, honeypots, or highly available services on regularly attacked systems.

What I'd like to talk about:

  • How jails work: the technical nitty-gritty.
  • How to set up jails: the practical how-to, cooking-show style.
  • When NOT to use jails.
  • jail(8) security vulnerabilities and considerations; attacking and breaking out of jail(8).
  • Mitigating the risks of attacks and jail(8) breaks.
  • Jails vs. Linux UML, Xen and VMware: the fundamental technical differences.
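The abstract above promises both "attacking and breaking out of jail(8)" and "mitigating the risks". As an added example, not part of the talk or the speaker's material, here is a jail.conf(5) fragment that puts a loosely configured jail beside a hardened one, so the per-jail knobs that matter for containment can be compared line by line. The jail.conf(5) format is the one FreeBSD 9.1 and later use, which postdates the 2006 command-line form of jail(8); the jail names, paths, addresses, and the "em0" interface name are assumptions.

```conf
# Added example, not from the DEF CON 14 talk or its speaker.
# jail.conf(5) syntax (FreeBSD 9.1 and later); names, paths, addresses
# and the interface name are assumptions.

# Defaults shared by every jail defined below.
path = "/usr/jail/${name}";
host.hostname = "${name}.example.test";
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;            # devfsrules_jail: hides disks, /dev/mem, etc.

# Weak: this jail hands the inmate tools an escape or a pivot needs.
weak {
    ip4.addr = 192.0.2.10;
    interface = "em0";        # assumed NIC name
    allow.raw_sockets;        # raw sockets: spoofing and scanning from inside
    allow.sysvipc;            # SysV IPC namespace shared with host and other jails
    allow.set_hostname;
    allow.mount;              # mount filesystems from inside the jail
    allow.chflags;            # clear system immutable / append-only flags
    securelevel = -1;         # inherit; effective level is never below the host's
    enforce_statfs = 0;       # statfs(2) reveals every host mount point
}

# Hardened: the same service with each of those taken back.
hardened {
    ip4.addr = 192.0.2.11;
    interface = "em0";        # assumed NIC name
    allow.raw_sockets = 0;
    allow.sysvipc = 0;
    allow.set_hostname = 0;
    allow.mount = 0;
    allow.chflags = 0;
    securelevel = 3;          # no kldload, no clearing schg, no /dev/mem, no firewall changes
    enforce_statfs = 2;       # only the jail's own mount is visible
    children.max = 0;         # no nested jails
    exec.consolelog = "/var/log/jail_${name}_console.log";
}
```

Start a jail with `jail -c -f /etc/jail.conf hardened` and confirm what actually took effect with `jls -j hardened -n allow.raw_sockets securelevel enforce_statfs`, since a jail's securelevel can only be raised above the host's, never lowered below it. On the FreeBSD 5.x/6.x systems of the talk's era the same controls were global sysctls (for example security.jail.allow_raw_sockets, security.jail.sysvipc_allowed and security.jail.set_hostname_allowed) rather than per-jail parameters. The caveat that frames the whole "jail break" discussion: every jail runs on the host's single kernel, so jails isolate userland only, and a kernel bug reachable from inside a jail compromises the host and every other jail, which is the fundamental difference from UML, Xen or VMware that the abstract calls out.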

Presenters:

  • Isaac Levy (.ike)
Isaac Levy (.ike) is an Open Source web-application developer based in New York City. He runs Diversaform Inc. as a business platform to make his code feed itself (and ike). Diversaform specializes in BSD-based solutions, web applications, and specialty network applications. Ike works as a consultant/developer, mostly with small and medium-sized businesses, but periodically works within large corporations and organizations. Ike's personal passions lie in object-relational persistent data systems, UNIX hacking, and the internet at large. His 'young adult' life in computing has been lived almost entirely in Open Source, as well as on the internet, and ike aspires to give back to the Open Source and UNIX hacker communities that have raised him. Isaac is a proud member of NYC*BUG (the New York City *BSD Users Group) and a long-time member of LESMUUG (the Lower East Side Mac Unix Users Group).
