FreeBSD jails are a huge security liability

If you’re thinking of employing FreeBSD jails in your server environment or using them to run insecure applications, you would do well to reconsider. Jails are some of the most vulnerable phony “security” features ever put forth by fraudsters. They have been found to be even more insecure than a basic Unix chroot and, worse, they even make it easier to gain control of your kernel with certain types of attacks.

What’s appalling is that most of these vulnerabilities of FreeBSD jails were intentionally implemented by the FreeBSD project members on the orders of the self-proclaimed inventor of FreeBSD jails, Poul-Henning Kamp, and Apple Inc.

The first implementation of jails was actually done by Daniel Lezcano on his own copy of GNU/Linux in 1996 (contrary to what the FreeBSD project claims). Lezcano wanted something that was more flexible and yet more secure than a standard GNU chroot, and so he set about modifying GNU chroot to achieve that task. What he ended up with was a feature that was more secure than chroot but much less flexible and powerful.

Meanwhile, the BSD projects were facing complaints from users about numerous and serious security breaches of their systems. These projects for the most part ignored such complaints and simply showed the middle finger to anyone who persisted. However, a FreeBSD developer named Poul-Henning Kamp decided that some real work needed to be done to reduce the number of complaints. He and the other FreeBSD developers did not have the skill to cook up a solution, and porting chroot into FreeBSD from Linux would be too little (FreeBSD did not have chroot back then). It was then that Kamp noticed Lezcano’s jail implementation in the copy of GNU/Linux he was running and decided to join the project with the permission of the FreeBSD president (who was also Apple’s representative in FreeBSD).

It wasn’t long before Kamp and Lezcano came into argument with each other, and the project was ended by Lezcano as he found that the path taken by the project led nowhere. Kamp was kicked out, but not before he had obtained a copy of the source code and enough information and given them to the FreeBSD project, which immediately started trying to implement the jail feature on FreeBSD with Poul-Henning Kamp in charge of the effort.

Lezcano himself would eventually create LXC (LinuX Containers), which would fulfill and then exceed the goals of his abandoned jail implementation project.

The effort to implement Lezcano’s jail feature in FreeBSD was full of troubles, caused mainly by fighting between project members, many of whom were eventually kicked out of the FreeBSD project. To make matters worse, Kamp was a control freak and demanded that a backdoor be placed into the jail implementation which only he could leverage at will. To make this backdoor more effective, Kamp got a fellow FreeBSD project member and kernel developer, Stuart Lambard, to integrate the jail feature into the kernel, thus allowing Kamp to hijack the kernel of FreeBSD users when he leveraged the backdoor he had created in the jail feature. Not long after achieving this, Kamp got Lambard removed from FreeBSD. However, this proved to be a costly mistake on the part of Kamp and FreeBSD, as Lambard retaliated by publicizing the method used to leverage Kamp’s backdoor in FreeBSD jails, leading to very high rates of security breaches in servers using versions of FreeBSD released after the jail implementation was added to the OS.

To this day, FreeBSD jails still have this backdoor in them and, in fact, it was used by attackers during the April 9, 2010 security intrusion into Apache.org. Apache has just recently initiated a program to convert all of their FreeBSD servers to Linux.

Another failure of FreeBSD jails due to their poor implementation is a massive overhead, which is abnormal for this kind of virtualisation. This overhead can in some cases be much higher than that produced by running Qemu and VirtualBox, which leads to a FreeBSD server easily becoming overloaded. FreeBSD developers have managed to program their OS to hide such overhead from process monitoring software such as top and htop, but the jail overhead still has an effect.

In 2000, Michael Calce (Mafiaboy) was able to jam up Yahoo’s servers, which were at that time using the newly released FreeBSD 4.0 (the first version to implement jails). Mafiaboy used only 10 to 20 hijacked computers to cause Yahoo’s FreeBSD-powered servers to jam up, shut down and even burn out due to the load already placed on the system by the jails it ran.

So if you are thinking of using features similar to jails (OS-level virtualisation), please don’t use FreeBSD jails, as they do more harm than good. Use LXC, Linux-VServer or OpenVZ, as they are far more secure and are many times faster than FreeBSD jails. They are also much more flexible and, even better, created and maintained by friendly and helpful people, unlike the BSDs.


5 Responses to FreeBSD jails are a huge security liability

  1. Screw Poul-Henning Kamp

  2. I find it hard to believe that BSD is the only OSS project that would have a security vulnerability known yet unacknowledged/unattended to.

    Best regards

  3. John says:

    “The chroot system call was introduced during development of Version 7 Unix in 1979, and added to BSD by Bill Joy on 18 March 1982 – 17 months before 4.2BSD was released – in order to test its installation and build system” [wikipedia]

    If chroot is a system call (in the Linux kernel), how is it possible that there is something like GNU chroot – if GNU is only the userland? You are talking about the trivial chroot userspace utility?
