Black Hat Briefings Amsterdam October 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas.

Black Hat Briefings Amsterdam October 24th, 2000

Overview
– The issue
– Detection
– How to avoid it?
– Introducing kmod
– What can be done about it?

The issue
– root is almighty
– lots of opportunities to hack root
– root can change the kernel
– the kernel is critical to detect abuse
=> A kernel attack can be very effective.

Some arguments
– When you get rooted you have lost anyway
  => but why do we make it so easy?
– It is so sophisticated that the risk is very low
  => kernel hacking falls in the scriptable class
– My OS is closed source so it won't be feasible
  => who are you kidding?
– All solutions result in unworkable situations
  => So let's do better!

Detection
– Host-based intrusion detection
– Network-based intrusion detection
– Misuse detection
– Anomaly detection
– System health monitoring

Detection
– Audit trails
– System monitoring
– Integrity checking
– Network protocol sniffing and reconstruction

What to hide from?
– Black Hat: repeatedly use a system without detection
– White Hat: hide or protect detection measures
– Tripwire (and other host-based IDS)
– Process accounting
– Audit trail software
– 'netstat', 'lsof', 'ps', etc.

What to hide?
Use your imagination: anything the kernel does or shows can be changed:
– Processes
– Backdoors: changed programs
– Files
– System logging
– Network connections or interface state
– File modification times
– Loadable modules
– …

How to fool tripwire
Tripwire calculates signatures of
– File content
– File properties (timestamps, owner)
– Directory properties (number of files in it)
The (modified) kernel should preserve these properties:
– execve() opens a different file than open() does
– stat() returns the original values

What is a Kernel?
The Operating System 'program'
– Offers services to 'userland'
  – Creates and maintains processes
  – Separation of privileges and memory
  – Access to devices
  – …
– Extensible: network protocols, filesystems
– No internal privilege levels
– …

What is a Kernel? - 2
'Userland' can
– inquire about kernel state
– change kernel state
– For example: state of network devices
Through:
– System calls
– /dev devices (e.g. /dev/kmem)
– /proc filesystem

How to modify a kernel?
– Loadable kernel modules
– Write-able kernel memory
  – Write directly in /dev/(k)mem
– The kernel executable
  – Build a new kernel

Loadable modules
Modularization of the kernel
– Only use resources when needed
– Generally works well for any design
Mechanism:
– Compiled code is resolved against kernel symbols
– Memory is allocated
– Code is copied in and an initialization function is called

Introducing kmod
Goal:
– Demonstrate the effect of kernel modifications
– Targeted at Solaris
– 'Easy' to use
– Use several ways to manipulate the kernel
– Open Source

Details: How to proceed?
Think about how to fool programs.
Use the kernel's internal structures:
– Switch tables
– Linked lists
– Global variables

Kernel switch tables
Changing function pointers: the kernel uses 'switch tables' for extensibility.
Overwrite a function pointer:
– old_execve = sys_call_table[SYS_execve]
– sys_call_table[SYS_execve] = new_execve

Kernel linked lists
Used for dynamically adding entries.
Hide:

Where to start?
Decide where to intercept:
– Hide processes:
  – Memory device (/dev/(k)mem)
  – Filesystem switch table (/proc)
– Hide backdoors:
  – execve -> syscall table
– Hide files:
  – Filesystem switch table (ufs_getattr())

Example: execve()
Has an entry in the syscall table, /usr/include/sys/syscall.h:

    #define SYS_execve 59

Looks like, /usr/include/sys/exec.h:

    struct execa {
        char *fname;
        char **argp;
        char **envp;
    };
    extern int exece(struct execa *, rval_t *);

Example: execve() 2
Modify behavior:
– Save a pointer to the original exece()
– Replace it with a pointer to our new_exece()
– Do our work and call old_exece()
Advantages:
– No detailed knowledge needed about the original exece()
– Not very dependent on kernel patches that might change the original exece()

Example: execve() 3
We want to change:
– Test if we call a backdoor executable
– If not, do nothing and call old_exece
– If so, redirect the call to our backdoor-ed version by supplying a new fname
– Make sure it is not visible from userland that a different executable has been called

Example: execve() 4 and 5
We need to test the pathname only. Local declarations (vp, vnp, backdp, error, size, cp, regsp, p) are omitted on the slides:

    int
    new_exece(struct execa *eap, rval_t *rp)
    {
        /* only act when a backdoor list exists and the caller is not itself hidden */
        if (backd_head && !ishid(p)) {
            /* resolve the pathname the user passed to its vnode */
            if (error = lookupname(eap->fname, UIO_USERSPACE, FOLLOW, NULLVPP, &vp))
                return (error);
            /* walk the backdoor list until an entry's vnode matches */
            backdp = backd_head;
            while (!VN_CMP(backdp->vp, vp) && ((backdp = backdp->bd_nxt) != NULL))
                ;
            if (backdp) {
                kmod_log(KMOD_CE_DEBUG3, "exec matched, redir to %s\n", backdp->bdfname);
                lookupname(backdp->bdfname, UIO_SYSSPACE, FOLLOW, NULLVPP, &vnp);
                /* copy the replacement pathname onto the user stack, below the
                 * current stack pointer, and point fname at it */
                size = strlen(backdp->bdfname) + 1;
                cp = regsp->r_sp - size;
                error = copyout(backdp->bdfname, (caddr_t) cp, size);
                eap->fname = (char *) cp;
            }
        }
        /* in every case the original exece() does the real work */
        return (old_exece(eap, rp));
    }

Example: execve() 6
Result if we have an entry with backdp->bdfname = "/bin/login":
– execve("/bin/login", a, e) will really do execve("/bin/mylogin", a, e), but
– open("/bin/login") will still do open("/bin/login")

System calls
Some system calls that were changed:
– fork, fork1
– kill, sigqueue
– exec, exece

Filesystem routines
– ufs_readdir, ufs_lookup
– ufs_create, ufs_remove
– ufs_rename, ufs_setattr
– ufs_getattr
– pr_readdir, pr_lookup
– spec_ioctl

Miscellaneous
For /dev/kmem:
– mmread
For netstat:
– tcp_wput
– strrput

Other features
– /proc or /dev/kmem hides a process which has a 'hidden flag'.
– fork() will hide a child of a hidden process.
– Signals to hidden processes fail.
– Information on network objects is hidden from 'netstat'.

Other features
– Files and directories with a special prefix are hidden.
– stat() will show the 'correct' number of files in a directory (nlink).
– Reboot proof

Reboot proof mechanism
– Rename an existing kernel module: /kernel/strmod/connld -> /kernel/misc/
– Place the rogue module at that spot.
– Redirect all UFS routines for /kernel/strmod/connld to /kernel/strmod/
– Have the rogue module load /kernel/strmod/ and hide itself.

Demonstration
Following steps:
– Hack root remotely
– Install kmod kit
– Install backdoor
– Run tripwire
– Inspect the system with other tools: ps, lsof
– Reboot
– Check again

Advanced
– No loadable module support?
  – Copy directly into kernel memory
– In-kernel network daemons -> hide network connections
– Modify executable code directly if possible
– Change network stack protocol behavior
  – Phrack 55: September 9, 1999

Advanced 2
– Snoop ttys through loadable modules
– Install and hide ipfilter and redirect traffic based on some token to a local backdoor.

What can be done about it?
– Securelevel protection
– Reduce root: fine-grained privileges
– Userland kernel integrity checker
  – Easily fooled
– In-kernel kernel integrity checker
  – Chicken and egg problem
  – IPD
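As an added example (not kmod's code and not from the talk), a user-space simulation of the in-kernel integrity check this slide calls for, applied to the switch-table overwrite from the "Kernel switch tables" slide: a constructed four-entry syscall table is baselined at "boot", a hook in the slide's save-old-pointer/install-new pattern swaps the execve entry, and the checker reports which index changed. The table, handler names and index are constructed stand-ins, not Solaris's real ones.

```c
#include <stdint.h>
#include <string.h>

typedef long (*syscall_fn)(long);
#define NSYSCALL 4
#define IDX_EXECVE 3          /* constructed index; the real Solaris SYS_execve is 59 */

/* constructed stand-ins for kernel syscall handlers */
static long k_read(long a)   { return a + 1; }
static long k_write(long a)  { return a + 2; }
static long k_open(long a)   { return a + 3; }
static long k_execve(long a) { return a + 4; }

/* the "kernel's" switch table, the object a kit overwrites */
static syscall_fn sys_call_table[NSYSCALL] = { k_read, k_write, k_open, k_execve };

/* FNV-1a over the raw pointer bytes: one cheap digest for the whole table */
static uint64_t table_digest(const syscall_fn *t, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    const unsigned char *p = (const unsigned char *)t;
    for (size_t i = 0; i < n * sizeof *t; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static syscall_fn baseline[NSYSCALL];
static uint64_t baseline_digest;

/* Must run before any untrusted module can load (the slide's chicken-and-egg
 * problem): a baseline recorded after the kit is in place is worthless. */
void integrity_baseline(void) {
    memcpy(baseline, sys_call_table, sizeof baseline);
    baseline_digest = table_digest(sys_call_table, NSYSCALL);
}

/* Returns -1 if the table matches the baseline, else the index of the first
 * entry whose pointer changed, so the operator knows which call was hooked. */
int integrity_check(void) {
    if (table_digest(sys_call_table, NSYSCALL) == baseline_digest) return -1;
    for (int i = 0; i < NSYSCALL; i++)
        if (sys_call_table[i] != baseline[i]) return i;
    return -1;  /* digest differed but no entry did: not reachable with a sound digest */
}

/* the slide's hook pattern, simulated: save the old pointer, install ours */
static syscall_fn old_execve;
static long new_execve(long a) { return old_execve(a) * 100; }
void install_hook(void) { old_execve = sys_call_table[IDX_EXECVE]; sys_call_table[IDX_EXECVE] = new_execve; }
void remove_hook(void)  { sys_call_table[IDX_EXECVE] = old_execve; }
```

A userland checker that reads the table through /dev/kmem only sees what the hooked mmread chooses to return, which is why the slide rates userland checkers as easily fooled and why the baseline and the comparison have to live in the kernel.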

Securelevels
– Protection mechanism
– Prevents all users including root from modifying kernel memory directly
– Found in *BSD and Linux
– Not found on most commercial Unices
– Depends on the value of 2 bits in the kernel

Fine grained privileges
Examples:
– Capabilities: ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/index.html
– Mandatory Access Control (MAC): ftp://ftp.tislabs.com/pub/lomac/
– Trusted Solaris
– PitBull from Argus Systems

FreeBSD: Jail
– Developed by Poul-Henning Kamp for FreeBSD 4.0
– Beefed up chroot()
– Acts a bit like a MAC system with one label: jail => simplification
More info:

Windows?
– Same problems
– Internals less understood (yet)
– Open Source project:

Acknowledgement
Gene Kim, Tripwire, for supplying the demonstration copy.

References
– Phrack 50-55
– THC
– UNIX Internals by Vahalia
– The Design and Implementation of the 4.4BSD Operating System