Root Kit Protection and Detection. Shane Canon, Future Technologies Group (canon at nersc dot gov). Summer Linux Kernel Class, October 23 2003.


Outline
● Protection
  – St Michael
  – What it does
  – How it works
  – Strengths and weaknesses
● Detection
  – Statistical detection of modified system calls
  – Strengths and weaknesses

St Michael
● Source Forge project
  – Extension of the St Jude project
● Attempts to protect the kernel from root kitting through various means
  – MD5s several critical memory regions
  – Makes a backup of the kernel text
  – Timers run periodic checks
  – Checks are automatically run during module insertion

Monitoring Critical Regions
● MD5s are calculated for several critical, non-volatile regions
  – Kernel text
  – System call table
● Timers periodically recalculate the current MD5s and compare them to the saved values
● Several calls automatically trigger a check
  – Exit
  – Module create, delete, and init

Recovering from Attempts
● Backups are made of the kernel text
● The backup is encrypted by simple means
● If changes are detected, the module attempts to decrypt the backup and restore it
● If too many attempts are detected, the system automatically reboots
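The three slides above describe one loop: hash the critical regions at load time, recheck them from a timer, and repair the kernel text from an obscured backup. The following user-space simulation is an added example, not St Michael's code; the region names, the single-byte XOR "encryption" of the backup, and the attempt limit are assumptions of this example.

```python
import hashlib

MAX_ATTEMPTS = 3        # assumed: reboot after this many detected tamperings
XOR_KEY = 0x5A          # assumed: the "simple means" used to obscure the backup


class IntegrityMonitor:
    """Models St Michael's timer checks over MD5'd critical regions."""

    def __init__(self, regions):
        # regions: name -> bytearray standing in for a kernel memory region
        self.regions = regions
        self.baseline = {n: self._md5(r) for n, r in regions.items()}
        # only the kernel text gets a backup on the slides; obscure it with XOR
        self.backup = bytes(b ^ XOR_KEY for b in regions["kernel_text"])
        self.attempts = 0
        self.reboot_requested = False
        self.log = []

    @staticmethod
    def _md5(region):
        return hashlib.md5(bytes(region)).hexdigest()

    def check(self):
        """One timer tick: compare current MD5s to the saved ones, repair text."""
        modified = [n for n, r in self.regions.items()
                    if self._md5(r) != self.baseline[n]]
        if not modified:
            return []
        self.attempts += 1
        self.log.append(f"tamper detected in {modified}")
        if "kernel_text" in modified:
            # decrypt the backup and write it back over the patched text
            self.regions["kernel_text"][:] = bytes(b ^ XOR_KEY for b in self.backup)
            self.log.append("kernel text restored from backup")
        if self.attempts >= MAX_ATTEMPTS:
            self.reboot_requested = True
            self.log.append("too many attempts: reboot")
        return modified


def demo():
    # constructed sample regions: a few x86-looking bytes and a fake table
    text = bytes([0x55, 0x89, 0xE5, 0x83, 0xEC, 0x08, 0x5D, 0xC3]) * 4
    regions = {"kernel_text": bytearray(text), "syscall_table": bytearray(range(64))}
    mon = IntegrityMonitor(regions)
    clean = mon.check()                 # nothing changed -> []
    regions["kernel_text"][3] = 0x90    # simulated inline patch of the text
    hit = mon.check()                   # detected and repaired
    return {"clean": clean, "after_patch": hit,
            "restored": bytes(regions["kernel_text"]) == text}
```

A modified system call table is reported but not repaired here, matching the slides, which only mention a backup of the kernel text.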

Other Measures
● The module goes to some lengths to conceal itself
  – Decrypts several backups
  – During module initialization, some data structures and text are erased
  – The module is "cloaked" by removing it from the linked list of loaded modules
● Implements checks of some file system data to detect changes (possibly made by writing to the raw device)
● Implements immutable files to prevent modification of files like init, kernels, insmod, etc.
● Protects kmem

StMichael – Strengths and Weaknesses
● Strengths
  – Significantly raises the bar for inserting malicious code into the kernel
  – Protection of kmem makes it more difficult to insert malicious code
  – Hashes detect the typical changes performed by a root kit
  – Any failed attempt triggers warnings and log messages
● Weaknesses
  – If the attacker knows StMichael is loaded, they can use a kernel module to try to determine the locations of key SM data structures and disable it
  – As new root kit methods are designed, St Michael has to be updated to protect against them

Root Kit Detection
● Phrack article: Volume 11, Issue 59, Article 10, "Execution path analysis: finding kernel based rootkits" by Jan K. Rutkowski
● Describes a method for detecting root kits based on the number of operations required to perform standard system calls
● Proof of concept: PatchFinder implements the methods JR describes

Root Kit Detection – Intro
● Current kernel-based root kits typically use modified system calls to hide malicious files, network connections, and processes
● By their very nature these modified system calls perform various checks before calling the unmodified system call
● Although these checks are usually simple, they do add instructions
● If these additional instructions can be statistically distinguished, this can be used to detect a modified kernel

Detection – Instruction Counting
● If the processor allows, the instructions executed while performing various system calls can be counted
● Intel IA-32 supports a single-step mode. However, the trace flag is automatically cleared when the processor receives an interrupt or exception
● PatchFinder uses the ptrace flag in the process descriptor to determine whether the CPU trace flag should be enabled in kernel mode
● Modifies the system call entry point to test the ptrace flag
● Modifies sys_ptrace to retrieve the number of instructions

Detection – Testing
● Once the module is loaded, a baseline can be created for a given system and kernel
● Testing with some published kernel root kits (adore, SucKIT, etc.) showed they are detected one way or another
  – Most root kits show instruction counts that are significantly different from the baseline
  – SucKIT is detected because no results are returned, since the modified sys_ptrace is never called
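The statistical step of the detection scheme described on the last three slides, as an added example that is not PatchFinder's code: a baseline is built from several clean runs per system call, a later measurement is flagged when it sits far outside the baseline spread, and a missing result (the SucKIT case, where the hooked sys_ptrace never returns a count) is flagged as well. The instruction counts, thresholds, and system call names are constructed for this example.

```python
from statistics import mean, pstdev

MIN_SIGMA = 4.0     # assumed: flag if more than this many std devs above baseline
MIN_ABS = 20        # assumed: also require at least this many extra instructions


def build_baseline(samples):
    """samples: syscall -> list of instruction counts from clean runs."""
    return {sc: (mean(v), pstdev(v)) for sc, v in samples.items()}


def classify(baseline, measured):
    """Return syscall -> verdict for one measurement pass."""
    verdicts = {}
    for sc, (mu, sigma) in baseline.items():
        count = measured.get(sc)
        if count is None:
            # the retrieval hook was never reached, as with SucKIT
            verdicts[sc] = "no result (hook never reached)"
            continue
        delta = count - mu
        # a perfectly stable baseline (sigma == 0) must not divide by zero
        z = delta / sigma if sigma > 0 else (float("inf") if delta else 0.0)
        if delta >= MIN_ABS and z >= MIN_SIGMA:
            verdicts[sc] = f"suspicious (+{delta:.0f} instructions)"
        else:
            verdicts[sc] = "ok"
    return verdicts


def demo():
    # constructed clean runs: small per-call jitter around a stable count
    clean = {
        "getdents": [1210, 1215, 1208, 1212, 1214],
        "open":     [640, 645, 638, 642, 641],
        "read":     [410, 412, 409, 411, 410],
    }
    base = build_baseline(clean)
    # constructed later passes: extra filtering work shows up in getdents;
    # in the second pass no counts come back at all
    hooked = {"getdents": 1480, "open": 643, "read": 411}
    silent = {}
    return classify(base, hooked), classify(base, silent)
```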

Detection – Strengths and Weaknesses
● Strengths
  – Once again, it makes it much harder to implement a rock-solid root kit
● Weaknesses
  – The malicious code is already loaded. If PatchFinder (or a similar method) is expected, the malicious code can attempt to return the expected values. This might involve testing the trace flag. However, this would be tricky and tedious, and any mistake would trigger an alarm.

Conclusions
● StMichael and PatchFinder can significantly raise the bar for implementing a foolproof kernel root kit
● However, root kits are moving targets, so a static approach is unlikely to work forever