Guardian Kernel Module Sarah Diesburg & Louis Brooks.

The Guardian Kernel Module, Sarah Diesburg and Louis Brooks, June 5, 2006.

Introduction
Previous Work – St. Michael
Design Philosophy
What we monitor
– System Call Mappings
– System Call Integrity
– Module Hiding (cloaking)
– Modifications to running modules

St. Michael
Made for the 2.2 and 2.4 series of kernels. Not maintained now.
Its main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
It could even reload the running kernel from a restore point if the kernel was compromised.

St. Michael (cont.)
The functionalities of St. Michael include:
– Monitoring pointers to system calls for any changes.
– The ability to cloak itself from the running kernel and commands like lsmod.
– Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.

Kernel’s System Call Table (figure: the System Call Table as an array of entries, system call #0, #1, #2, #3 … #n)

System Call Mappings
Initialization
– We make a copy of the system call table.
Timer
– Twice every second, we compare the kernel’s system call table of pointers with our own.
– If there are discrepancies, we replace the kernel’s system call table with our own.

System Call Integrity
Initialization
– We take and store md5 sums of the kernel’s system calls.
Timer
– Twice every second we take new md5 sums of the kernel’s system calls and compare them with our own.
– If there is a discrepancy, we point the kernel to a null system call until reboot.
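The two timer checks on the preceding slides (restore the pointer table from a saved copy; checksum each handler's code and route a changed handler to a null system call), modelled in user-space C as an added example. This is not the GKM authors' code: the "kernel" is a struct in the program, the handler text is constructed bytes, and FNV-1a stands in for the md5 sums the slides use so nothing outside the C library is needed. One detail the slides leave implicit is assumed here: after a compromised slot is pointed at the null call, GKM's saved copy of the table is updated as well, otherwise the next mapping check would put the compromised handler straight back.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define NR_SYSCALLS 4
#define CODE_LEN    16   /* constructed: bytes of handler "text" that get checksummed */

typedef long (*syscall_fn)(long);

/* Constructed stand-ins for kernel system call handlers. */
static long sys_a(long x) { return x + 1; }
static long sys_b(long x) { return x * 2; }
static long sys_c(long x) { return x - 1; }
static long sys_d(long x) { return -x; }
/* The null system call that a compromised slot is pointed at until reboot. */
static long sys_null(long x) { (void)x; return -1; }

/* Model of the kernel: the pointer table and the code bytes behind each pointer. */
struct kernel_model {
    syscall_fn    table[NR_SYSCALLS];
    unsigned char code[NR_SYSCALLS][CODE_LEN];
};

/* GKM's private copy, taken once at initialization. */
struct gkm_state {
    syscall_fn saved_table[NR_SYSCALLS];
    uint64_t   saved_sum[NR_SYSCALLS];
};

/* FNV-1a stands in for the md5 sums the slides use (no crypto library needed). */
static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Constructed kernel image: four handlers with distinct, deterministic "text". */
void build_kernel(struct kernel_model *k) {
    const syscall_fn fns[NR_SYSCALLS] = { sys_a, sys_b, sys_c, sys_d };
    for (int i = 0; i < NR_SYSCALLS; i++) {
        k->table[i] = fns[i];
        for (int j = 0; j < CODE_LEN; j++)
            k->code[i][j] = (unsigned char)(i * 31 + j);
    }
}

/* GKM init: copy the table and checksum every handler. */
void gkm_init(struct gkm_state *g, const struct kernel_model *k) {
    memcpy(g->saved_table, k->table, sizeof g->saved_table);
    for (int i = 0; i < NR_SYSCALLS; i++)
        g->saved_sum[i] = fnv1a(k->code[i], CODE_LEN);
}

/* Mapping check (timer): restore any slot whose pointer differs from the saved copy.
 * Returns the number of slots restored. */
int gkm_check_mappings(const struct gkm_state *g, struct kernel_model *k) {
    int restored = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (k->table[i] != g->saved_table[i]) {
            k->table[i] = g->saved_table[i];
            restored++;
        }
    return restored;
}

/* Integrity check (timer): re-checksum each handler's code; a mismatch routes that
 * slot to sys_null. The saved copy is updated too (assumed detail), otherwise the
 * next mapping check would reinstate the compromised handler. Returns slots nulled. */
int gkm_check_integrity(struct gkm_state *g, struct kernel_model *k) {
    int compromised = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (fnv1a(k->code[i], CODE_LEN) != g->saved_sum[i]) {
            k->table[i] = sys_null;
            g->saved_table[i] = sys_null;
            compromised++;
        }
    return compromised;
}

/* Replays the slides' two tests against the model; returns the number of
 * observations that match the expected GKM behaviour (6 when all hold). */
int gkm_demo(void) {
    struct kernel_model k;
    struct gkm_state g;
    int ok = 0;
    build_kernel(&k);
    gkm_init(&g, &k);
    ok += (gkm_check_mappings(&g, &k) == 0 && gkm_check_integrity(&g, &k) == 0); /* clean tick */
    k.table[1] = sys_null;                        /* constructed: pointer in slot 1 swapped */
    ok += (gkm_check_mappings(&g, &k) == 1);      /* inconsistency found ...            */
    ok += (k.table[1] == sys_b);                  /* ... and mapping restored            */
    k.code[2][5] ^= 0xff;                         /* constructed: handler 2 patched in place */
    ok += (gkm_check_integrity(&g, &k) == 1);     /* checksum mismatch                   */
    ok += (k.table[2] == sys_null && k.table[2](7) == -1); /* slot is now the null call */
    ok += (gkm_check_mappings(&g, &k) == 0);      /* later ticks leave the null call alone */
    return ok;
}
```

The order of the two checks matters in this model: the mapping check only ever compares pointers, so a handler whose code was patched in place is invisible to it and only the checksum pass catches it; conversely a swapped pointer still points at unmodified code, so only the mapping pass catches that. Running both every tick, as the slides describe, covers both cases.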

How modules are loaded into the 2.6 Kernel
insmod calls module_init
– passes information regarding the module to load
module_init calls module_load
– uses copy_from_user to pull the module into kernel space
– creates the new module and returns a pointer to the module for use by module_init

Kernel Module List (figure: a list_head chain linking each Module)

Module Monitoring
Done in three phases
– Module List: created at GKM init
– Module init/delete: wrapper functions for module_init & module_delete
  Changes to module loading from 2.4 to 2.6: the syscalls module_create and module_query were removed, so no pointer to the new module is available. GKM instead accesses the kernel module list through the pointer to THIS_MODULE when GKM is initialized.
– Timer: check the kernel module list and MD5 sums against GKM’s internal list created at init

Module Monitoring (cont.)
gkm_syscall_init_module
– Calls the kernel’s original module_init syscall; returns 0 on success
– Calls gkm_add_mod_list
  checks for cloaked modules
  creates md5 sums
  adds module to GKM module list

Module Monitoring (cont.)
gkm_syscall_delete_module
– Checks if GKM is the module to be unloaded; returns –EBUSY if true
– Calls the kernel’s original module_delete syscall; returns 0 on success
– Calls gkm_delete_mod_list
  deletes module from list
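The module monitoring on the preceding three slides (wrapped init_module and delete_module, GKM's internal list with checksums, and the timer pass that compares it with the kernel list), modelled in user-space C as an added example that is not the GKM authors' code. The kernel module list is a hand-built linked list, the exit routine of each module is constructed bytes, and FNV-1a stands in for md5. How gkm_add_mod_list "checks for cloaked modules" is not spelled out on the slides, so this model assumes the simplest rule: a load that reported success must have left the module visible on the kernel list. The hides_on_init field and the final unlink in the demo are constructed stand-ins for the behaviour the Module Cloaking Test exercises.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define MAX_MODS 8
#define NAME_LEN 16
#define CODE_LEN 16   /* constructed: bytes of each module's exit routine */

/* Module on the kernel list (newest first, like the 2.6 list_head chain). hides_on_init is
 * a constructed switch: the module unlinks itself during its own init, which is what the
 * cloak check has to catch. */
struct kmod { char name[NAME_LEN]; unsigned char exit_code[CODE_LEN]; int hides_on_init; struct kmod *next; };
struct kernel_model { struct kmod *modules; };

/* GKM's internal list: one entry per module it watched being loaded. */
struct gkm_entry { char name[NAME_LEN]; uint64_t exit_sum; int used; };
struct gkm_state { struct gkm_entry list[MAX_MODS]; };

enum gkm_result { GKM_OK, GKM_CLOAKED, GKM_BAD_CHECKSUM, GKM_EBUSY, GKM_ENOENT, GKM_ENOMEM };

/* FNV-1a stands in for the md5 sums the slides use. */
static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static struct kmod *find_kmod(const struct kernel_model *k, const char *name) {
    for (struct kmod *m = k->modules; m; m = m->next)
        if (strcmp(m->name, name) == 0) return m;
    return NULL;
}

/* Entry named name, or (name == NULL) a free slot in GKM's list. */
static struct gkm_entry *gkm_entry(struct gkm_state *g, const char *name) {
    for (int i = 0; i < MAX_MODS; i++) {
        struct gkm_entry *e = &g->list[i];
        if (name ? (e->used && strcmp(e->name, name) == 0) : !e->used) return e;
    }
    return NULL;
}

/* Wrapper for init_module: the "original" syscall links the module in and runs its init;
 * gkm_add_mod_list then records it. Cloak check (assumed detail): a load that reported
 * success must have left the module visible on the kernel list. */
int gkm_syscall_init_module(struct gkm_state *g, struct kernel_model *k, struct kmod *mod) {
    mod->next = k->modules; k->modules = mod;
    if (mod->hides_on_init) { k->modules = mod->next; mod->next = NULL; }
    if (!find_kmod(k, mod->name)) return GKM_CLOAKED;
    struct gkm_entry *e = gkm_entry(g, NULL);
    if (!e) return GKM_ENOMEM;
    strncpy(e->name, mod->name, NAME_LEN - 1);
    e->name[NAME_LEN - 1] = '\0';
    e->exit_sum = fnv1a(mod->exit_code, CODE_LEN);
    e->used = 1;
    return GKM_OK;
}

/* Wrapper for delete_module: GKM refuses to unload itself (-EBUSY); otherwise the module
 * is unlinked and dropped from GKM's list (gkm_delete_mod_list). */
int gkm_syscall_delete_module(struct gkm_state *g, struct kernel_model *k, const char *name) {
    if (strcmp(name, "gkm") == 0) return GKM_EBUSY;
    struct kmod **pp = &k->modules;
    while (*pp && strcmp((*pp)->name, name) != 0) pp = &(*pp)->next;
    if (!*pp) return GKM_ENOENT;
    *pp = (*pp)->next;
    struct gkm_entry *e = gkm_entry(g, name);
    if (e) e->used = 0;
    return GKM_OK;
}

/* Timer check: every recorded module must still be on the kernel list (else it was unlinked
 * behind GKM's back) and its exit routine must still checksum the same. */
int gkm_timer_check(struct gkm_state *g, const struct kernel_model *k) {
    for (int i = 0; i < MAX_MODS; i++) {
        struct gkm_entry *e = &g->list[i];
        if (!e->used) continue;
        struct kmod *m = find_kmod(k, e->name);
        if (!m) return GKM_CLOAKED;
        if (fnv1a(m->exit_code, CODE_LEN) != e->exit_sum) return GKM_BAD_CHECKSUM;
    }
    return GKM_OK;
}

/* Replays the slides' module tests on constructed modules; returns how many observations
 * match the expected GKM behaviour (6 when all hold). */
int gkm_module_demo(void) {
    struct kernel_model k = { NULL };
    struct gkm_state g;
    struct kmod gkm = { "gkm", {1, 2, 3}, 0, NULL }, hello = { "hello", {4, 5, 6}, 0, NULL },
                hider = { "hider", {7, 8, 9}, 1, NULL };
    int ok = 0;
    memset(&g, 0, sizeof g);
    ok += (gkm_syscall_init_module(&g, &k, &gkm) == GKM_OK);
    ok += (gkm_syscall_init_module(&g, &k, &hello) == GKM_OK && gkm_timer_check(&g, &k) == GKM_OK);
    ok += (gkm_syscall_delete_module(&g, &k, "gkm") == GKM_EBUSY);
    ok += (gkm_syscall_init_module(&g, &k, &hider) == GKM_CLOAKED);   /* Module Cloaking Test */
    hello.exit_code[0] ^= 0xff;                                        /* Module Overwrite Test */
    ok += (gkm_timer_check(&g, &k) == GKM_BAD_CHECKSUM);
    hello.exit_code[0] ^= 0xff;
    k.modules = k.modules->next;                 /* hello unlinked without delete_module */
    ok += (gkm_timer_check(&g, &k) == GKM_CLOAKED);
    return ok;
}
```

Two of the slides' findings come out of different passes here: "Cloaked module inserted into system!" is raised synchronously by the init wrapper, while "Bad exit checksum for hello" and a module that vanishes from the list after loading are only seen by the timer pass, which is why the wrapper alone is not enough and GKM keeps its own list to compare against.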

Starting GKM
Jun 15 15:37:18 localhost kernel: GKM: Initializing Guardian Kernel Module
Jun 15 15:37:18 localhost kernel: GKM: Guardian Kernel Module Loaded

System Call Replacement Test
Jun 15 15:38:19 localhost kernel: GKM: module system_call_replacement detected and loaded.
Jun 15 15:38:19 localhost kernel: GKM: Found inconsistency in system call table!
Jun 15 15:38:19 localhost kernel: GKM: System call mapping restored.

System Call Overwrite Test
Jun 15 15:49:42 localhost kernel: About to overwrite chdir at address c
Jun 15 15:49:42 localhost kernel: GKM: module system_call_overwrite detected and loaded.
Jun 15 15:49:42 localhost kernel: GKM: System call number 12 has been compromised!
Jun 15 15:49:42 localhost kernel: GKM: Please look in unistd.h for the corresponding system call.
Jun 15 15:49:42 localhost kernel: GKM: System call number 12 has been replaced with a null system call.
Jun 15 15:49:42 localhost kernel: GKM: Please take appropriate action and reboot soon.

Module Cloaking Test
Jun 15 16:03:12 localhost kernel: I'm still here...
Jun 15 16:03:12 localhost kernel: GKM: Cloaked module inserted into system!
Jun 15 16:03:12 localhost kernel: GKM: Please take appropriate action and reboot soon.

Module Overwrite Test
Jun 15 16:03:33 localhost kernel: GKM: module module_overwrite detected and loaded.
Jun 15 16:03:33 localhost kernel: GKM: Bad exit checksum for hello
Jun 15 16:03:33 localhost kernel: GKM: Please take appropriate action and reboot soon.

Conclusion
What’s next?
– Sourceforge or Freshmeat
Questions?