Hacker News new | ask | show | jobs
by X86BSD 3121 days ago
This is the most blatant and clearly incorrect... FUD?..lie?... I have ever heard to date about jails.

Jails are secure. As are SmartOS zones. Whoever you heard that there are “many instances of breaking out of a jail” from is full of sh47. And you would be wise to never listen to them ever again. No really, EVER.

And no, breaking the ps4 was not a jail exploit. The attacker already had elevated privileges. So you would be sunk no matter what.
2 comments
jchw 3121 days ago
Sheesh, no need to get so emotional about it. I said instances of breaking out, not instances of jail exploits. I don't know of any jail-specific exploits.

But when we say "elevated privileges" are we talking root inside of a jail? Because if that breaks jails, then a large class of Docker exploits also wouldn't classify as 'exploits' under that criteria. One of the biggest problems with Linux namespaces is the band-aid put over root, via capabilities.

As far as I know, though, the PS4 exploit was more Sony's fault. IIRC, they broke out of the jail by exploiting custom syscalls not in stock FreeBSD. Bugs in syscalls in FreeBSD aren't unheard of though, even if less commonly found than Linux.

My entire point is that good security implies not treating any solution as a panacea, lest you find yourself in a digital Titanic scenario. Multiple layers of solid security beats one layer of solid security.

link
chatmasta 3120 days ago
> Bugs in syscalls in FreeBSD aren't unheard of though, even if less commonly found than Linux.

Dangerous assumption.

More likely, there are fewer people looking for vulnerabilities in BSD than in Linux.

link
jchw 3120 days ago
Well, I did say

>less commonly found

rather than less common. Impossible to know with 100% certainty what's literally less common.

If I had to guess, I'd guess FreeBSD had less bugs in general, just because the surface is generally smaller, and the system is more homogeneous.

link
benmmurphy 3121 days ago
i believe there was an exploit by another team which used badiret. which is pretty hilarious because badiret has been patched ages ago but FreeBSD never told anyone they fixed it.
link
GalacticDomin8r 3121 days ago
You mean like this?

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:21...

link
benmmurphy 3121 days ago
yeah it was fixed in 2014 and there wasn't an advisory until 2015. https://reviews.freebsd.org/rS275833

hn discussion: https://news.ycombinator.com/item?id=10093862

link
benmmurphy 3121 days ago
yeah there are probably not many 'jail' exploits specifically targeted for getting out of jail/exploiting jail primitives. but people just use normal kernel exploits to get out of jail/zones. i would say jails/zones are about as secure as linux containers. ie: about as secure as the linux kernel is.
link
X86BSD 3121 days ago
And you would be wrong.
link
helper 3120 days ago
The person you are replying to has discovered multiple exploitable bugs in Illumos via DTrace from inside zones:

Here are the first two that pop up if you google his name. http://www.zerodayinitiative.com/advisories/ZDI-16-168/ http://www.zerodayinitiative.com/advisories/ZDI-16-274/

He gave a talk at DTrace conf 2016 about all the security vulnerabilities he personally found in DTrace in SmartOS. Here are the slides: http://slides.com/benmurphy/deck

link