1 The Guardian Kernel Module Sarah Diesburg, Louis Brooks June 5, 2006.

Presentation transcript:

1 The Guardian Kernel Module Sarah Diesburg, Louis Brooks June 5, 2006

2 Introduction
- St. Michael Linux Kernel Module
  – Overview
  – Functionality
  – Upgrade Issues
- Our Kernel Module (The Guardian)
  – Functionalities we will implement
- Screen shots of St. Michael in action

3 St. Michael Kernel Module
- Made for the 2.2 and 2.4 series of kernels.
- Not maintained now.
- Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
- Could even reload the running kernel from a restore point if the kernel was compromised.

4 St. Michael Functionalities
The functionalities of St. Michael include:
- Monitoring pointers to system calls for any changes.
- The ability to cloak itself from the running kernel and commands like lsmod.
- Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.

5 St. Michael Functionalities (cont.)
- Extensive md5 summing of critical functionalities such as:
  – /sbin/init and /proc/ksyms
  – System calls
  – Loaded modules
  – Kernel text
  – St. Michael's own functions

6 St. Michael Functionalities (cont.)
- Setting and enforcing the immutable flag on important files.
- Ability to reboot the system after compromise.
- Ability to reload the running kernel or system call mappings.
- Limiting write access to the device /dev/kmem.

7 St. Michael Upgrade Issues
- The sys_call_table symbol is not exported in the 2.6 kernels.
  – We have two choices to work around this.
- System calls have changed since the 2.2 and 2.4 kernels.
- Module initialization may have changed since the 2.2 and 2.4 kernels.

8 St. Michael Upgrade Issues (cont.)
- There is no /proc/ksyms in the 2.6 kernel.
  – /proc/kallsyms might be a suitable replacement.
- We need to use newer spinlocks.
  – St. Michael used the "big kernel lock".
- The St. Michael code is too long and complicated to fully upgrade.
  – We will implement a subset of its functionality.
  – A rewrite of the module is in order.

9 Our Kernel Module (The Guardian)
Our subset of functionalities will include:
- Monitoring loading and unloading of modules
  – Wrappers around the load and unload system calls
- Monitoring system call mappings
  – On system boot we will keep a local copy of the correct system call mapping and periodically check the kernel's version with a kernel timer.

10 Our Kernel Module (The Guardian)
- Monitor integrity through md5 summing of:
  – Guardian (our module)
  – System calls
  – Modules
  – Kernel
- Logging of Guardian activities
- Ability to hide the Guardian kernel module
- No way to unload the Guardian without a system reboot
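The system-call-mapping check on slide 9 and the checksum-based integrity check on slide 10, as an added user-space simulation written for this page (not the Guardian's or St. Michael's code). It assumes a constructed table of stand-in handlers in place of sys_call_table, a plain function call in place of the kernel timer, and FNV-1a in place of md5; the snapshot-then-compare-and-restore logic is the part that carries over.

```c
/* Added example: golden copy of the syscall table is taken at "boot", its
 * checksum kept, and a periodic check compares the live table against it,
 * restoring any entry that differs. Table, handlers and hash are stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_SYSCALLS 4
typedef long (*syscall_fn)(long);
/* Constructed stand-ins for the kernel's system-call handlers. */
static long sim_read(long a)  { return a + 1; }
static long sim_write(long a) { return a + 2; }
static long sim_open(long a)  { return a + 3; }
static long sim_close(long a) { return a + 4; }
/* Constructed stand-in for a planted hook; used only as test stimulus. */
static long sim_hook(long a)  { (void)a; return -1; }
static syscall_fn live_table[NR_SYSCALLS] = { sim_read, sim_write, sim_open, sim_close };
static syscall_fn golden_table[NR_SYSCALLS];   /* trusted copy taken at boot */
static uint64_t   golden_sum;                  /* checksum of the trusted copy */
/* FNV-1a over the raw pointer bytes; stands in for St. Michael's md5 summing. */
static uint64_t fnv1a(const void *buf, size_t len) {
    const unsigned char *p = buf;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
/* Called once at boot, before any untrusted module can load. */
void guardian_snapshot(void) {
    memcpy(golden_table, live_table, sizeof golden_table);
    golden_sum = fnv1a(golden_table, sizeof golden_table);
}
/* Periodic check (a timer callback in the kernel): returns the number of
 * entries found modified; each one is restored from the golden copy. */
int guardian_check(void) {
    if (fnv1a(live_table, sizeof live_table) == golden_sum) return 0;  /* fast path */
    int modified = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (live_table[i] != golden_table[i]) {
            printf("0(GUARDIAN): system call %d modified, restoring\n", i);
            live_table[i] = golden_table[i];
            modified++;
        }
    }
    return modified;
}
/* Test helpers: overwrite one entry as a hooking module would, and inspect it. */
void tamper_entry(int nr)    { live_table[nr] = sim_hook; }
int  entry_is_hooked(int nr) { return live_table[nr] == sim_hook; }
```

The fast path means an unmodified table costs one hash per timer tick; only a mismatch triggers the per-entry walk and restore, which corresponds to St. Michael's "Kernel Structures Modified. Attempting to Restore." log line.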

11 St. Michael syslog excerpts
Testing an attack against St. Michael itself…

Jun 3 14:20:48 hades kernel: --=={Loading StMichael 0.11
Jun 3 14:20:48 hades kernel: --=={StMichael 0.11 Successfully Loaded
Jun 3 14:25:35 hades kernel: About to attack StMichael itself....
Jun 3 14:25:35 hades kernel: StMichael May Halt the System or Do other Nasty Stuff...
Jun 3 14:25:35 hades kernel: Replacing Code at d4863c00.
Jun 3 14:25:35 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
Jun 3 14:25:35 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
Jun 3 14:36:16 hades syslogd 1.4.1#10: restart.

12 St. Michael syslog excerpts (cont.)
Attempting to replace a system call…

Jun 3 14:38:40 hades kernel: --=={Loading StMichael 0.11
Jun 3 14:38:40 hades kernel: --=={StMichael 0.11 Successfully Loaded
Jun 3 14:39:19 hades kernel: About to try replacing a systemcall...
Jun 3 14:39:19 hades kernel: 0(STMICHAEL):Kernel Structures Modified. Attempting to Restore.

13 St. Michael syslog excerpts (cont.)
Attempting to replace the kernel's delete module function…

Jun 3 14:41:45 hades kernel: About to Trash the Kernel's Delete Module..
Jun 3 14:41:45 hades kernel: If StMichael isn't in here, prepare for a panic.
Jun 3 14:41:45 hades kernel: Replacing Code at c012845c.
Jun 3 14:41:45 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
Jun 3 14:41:45 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
Jun 3 14:57:16 hades syslogd 1.4.1#10: restart.