LEMONA – Linux Enhanced Monitoring Architecture
Linux zest for security

Kenfe-Mickaël Laventure, Laurent Malvert
Macquarie University
Lemona – Linux Enhanced Monitoring Architecture (Laventure / Malvert)

Outline
Lemona
 – Project
 – Overview
 – Architecture
 – Workflow
 – Code Review: Macros, Structures, Mixers, Blades
 – Build
 – Load / Unload
References
Lemona > Project
Open Architecture
 – Open Protocols
 – Open Source Implementation
Decentralized
 – Local Tracing Components
 – Remote Monitoring Components
Prevention, Detection, Forensics, Recovery
 – Possible…?
Lemona > Overview
Exhaustiveness
 – Kernel Land Tracer: 100% User Land Coverage
Integrity
 – Harder to bypass: bypassing it would require Kernel Level code
 – Integrity Checks
Flexible
 – Variable Granularity Levels
 – Selectable Hooks
Lemona > Architecture
[Architecture diagram: User Application; SysCall Entry / Execution / Return; Memory Mapped File: Open, Read/Write, Page Fault, Close; Inside Attackers; Outside Attackers; Target; Storage Point; Forensics Tools; Lemona traces transmission; Workflow / Hooks]
Lemona > Workflow
Lemona > Code Review
Lemona
 – Statically compiled; or
 – Loaded as a Linux Kernel Module
Mixers
 – Definitions of structures and function pointers used to record system call activity
Blades
 – Predefined functions to process system calls' parameters
Zests
 – Custom structures to transfer and store records
Lemona > Macros

    extern atomic_t lemona_activated;
    static lemonalogfn _lemona_log = NULL;

    # define lemona_block_start \
      if (atomic_read(&lemona_activated) != 0) \
      {

    # define lemona_log_in(sysnr, argnr, extnr, ...) \
      __lemona_log(sysnr, true, argnr, extnr, ## __VA_ARGS__)

    # define lemona_log_out(sysnr, argnr, extnr, ...) \
      __lemona_log(sysnr, false, argnr, extnr, ## __VA_ARGS__)

    # define lemona_block_end \
      } \
      else { \
        _lemona_log = NULL; \
      }

    #define __lemona_log(sysnr, in, argnr, extnr, ...) { \
      if (_lemona_log == NULL) \
        _lemona_log = (lemonalogfn)kallsyms_lookup_name("lemona_log"); \
      _lemona_log(sysnr, in, argnr, extnr, ## __VA_ARGS__); \
    }
Lemona > Macros

    lemona_block_start {
      lemona_log_in(__NR_open, 3, 0, filename, &flags, &mode);
    } lemona_block_end;

after preprocessing (CPP):

    if (atomic_read(&lemona_activated) != 0) {
      if (_lemona_log == NULL)
        _lemona_log = (lemonalogfn)kallsyms_lookup_name("lemona_log");
      _lemona_log(__NR_open, true, 3, 0, filename, &flags, &mode);
    } else {
      _lemona_log = NULL;
    }
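The two slides above show what the hook macros expand to, but not the lifecycle they implement: the logger pointer is resolved lazily through the symbol table on the first active call, reused while tracing stays activated, and dropped again by the else branch as soon as the flag goes to zero, so that a re-activated tracer (e.g. a reloaded module) is resolved afresh instead of being called through a stale pointer. The user-space model below is an added example, not Lemona's code: it keeps the macros as written and swaps the kernel pieces for hypothetical stand-ins (C11 atomic_int for atomic_t, a one-entry table for kallsyms_lookup_name, a counting logger for lemona_log, and a placeholder syscall number), then counts symbol lookups and real log calls across an activate / deactivate / re-activate cycle.

```c
/* Added example (not Lemona's code): user-space model of the activation-gated,
 * lazily-resolved logging hook produced by lemona_block_start / lemona_log_in /
 * lemona_block_end. Kernel pieces are replaced by stand-ins (assumptions):
 * atomic_t -> atomic_int, kallsyms_lookup_name -> fake_kallsyms_lookup_name,
 * lemona_log -> fake_lemona_log, __NR_open -> NR_OPEN_HYPOTHETICAL. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*lemonalogfn)(int sysnr, bool in, int argnr, int extnr, ...);

static atomic_int lemona_activated = 0;   /* set/cleared by the (simulated) module */
static lemonalogfn _lemona_log = NULL;    /* per-file cache of the resolved logger */

/* Counters and last-call record that a test can inspect. */
static int lookup_count = 0;              /* how often the symbol was resolved */
static int logged_count = 0;              /* how often the logger actually ran */
static int last_sysnr = -1;
static bool last_in = false;

/* Stand-in for the module-provided lemona_log(): just records the call. */
static void fake_lemona_log(int sysnr, bool in, int argnr, int extnr, ...)
{
    (void)argnr; (void)extnr;
    logged_count++;
    last_sysnr = sysnr;
    last_in = in;
}

/* Stand-in for kallsyms_lookup_name(): the only exported symbol is lemona_log. */
static lemonalogfn fake_kallsyms_lookup_name(const char *name)
{
    lookup_count++;
    return strcmp(name, "lemona_log") == 0 ? fake_lemona_log : NULL;
}

/* The slide's macros, with the stand-ins substituted. */
#define lemona_block_start \
    if (atomic_load(&lemona_activated) != 0) \
    {
#define lemona_block_end \
    } \
    else { \
        _lemona_log = NULL; \
    }
#define __lemona_log(sysnr, in, argnr, extnr, ...) { \
    if (_lemona_log == NULL) \
        _lemona_log = fake_kallsyms_lookup_name("lemona_log"); \
    _lemona_log(sysnr, in, argnr, extnr, ## __VA_ARGS__); \
}
#define lemona_log_in(sysnr, argnr, extnr, ...) \
    __lemona_log(sysnr, true, argnr, extnr, ## __VA_ARGS__)
#define lemona_log_out(sysnr, argnr, extnr, ...) \
    __lemona_log(sysnr, false, argnr, extnr, ## __VA_ARGS__)

#define NR_OPEN_HYPOTHETICAL 2  /* placeholder syscall number */

/* A hooked syscall entry, written the way the slide instruments sys_open. */
static int traced_open(const char *filename, int flags, int mode)
{
    lemona_block_start {
        lemona_log_in(NR_OPEN_HYPOTHETICAL, 3, 0, filename, &flags, &mode);
    } lemona_block_end;
    return 0;
}

/* Drive the hook through activate / deactivate / re-activate and return the
 * number of symbol lookups; logged_count holds the number of real log calls. */
static int run_lifecycle(void)
{
    lookup_count = logged_count = 0;
    _lemona_log = NULL;

    atomic_store(&lemona_activated, 0);
    traced_open("/etc/hostname", 0, 0);   /* inactive: no lookup, no log */

    atomic_store(&lemona_activated, 1);
    traced_open("/etc/hostname", 0, 0);   /* first active call resolves the symbol */
    traced_open("/etc/passwd", 0, 0);     /* second reuses the cached pointer */

    atomic_store(&lemona_activated, 0);
    traced_open("/etc/hostname", 0, 0);   /* inactive again: cache is dropped */

    atomic_store(&lemona_activated, 1);
    traced_open("/etc/hostname", 0, 0);   /* re-activated: resolved a second time */

    return lookup_count;
}

int main(void)
{
    int lookups = run_lifecycle();
    printf("lookups=%d logs=%d\n", lookups, logged_count);  /* lookups=2 logs=3 */
    return 0;
}
```

Two lookups for three logged calls is the point: the cache saves a symbol-table walk on every traced syscall while the tracer is active, and the reset in lemona_block_end is what keeps that cache from outliving the tracer it points at.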
Lemona > Structures

    struct lemona_zest {
      char            magic[4];        /* magic number */
      int             size;            /* size taken by this zest and args sz/value */
      int             in;              /* input or output ? */
      struct timespec time;            /* call start/end time (getnstimeofday) */
      pid_t           pid;             /* actual pid */
      pid_t           tgid;            /* thread group id */
      uid_t           uid, euid, fsuid; /* user identification numbers */
      gid_t           gid, egid, fsgid; /* group identification numbers */
      int             sysnr;           /* syscall id */
      int             argnr;           /* number of args */
      int            *argsz;           /* ptr to an array of int giving each arg size */
      void           *args;            /* ptr to the first argument of the array */
      int             extnr;           /* extra value number */
      int            *extsz;           /* size of each extension */
      void           *exts;            /* extra values, located after the last arg */
    } __attribute__((packed));
Lemona > Structures

    typedef int (*bladefn)(struct lemona_zest *zest, /* zest to fill */
                           int   isExt,              /* is an extra? */
                           int   idx,                /* which arg/ext? */
                           int   off,                /* memory offset */
                           void *fruit1,             /* 1st data arg */
                           void *fruit2);            /* 2nd data arg */

    struct __lemona_mixer_handler {
      bool    dual;    /* is this a dual blade? */
      bladefn blade;   /* blade that records the value */
    };

    struct __lemona_mixer {
      int argnr;       /* number of syscall parameters */
      int extnr;       /* number of extra parameters */
      struct __lemona_mixer_handler handlers[6]; /* pre-defined handlers */
    };

    struct lemona_mixer {
      int sysnr;                  /* system call number */
      struct __lemona_mixer in;   /* call entrance mixer */
      struct __lemona_mixer out;  /* call exit mixer */
    };
Lemona > Mixers

    const struct lemona_mixer lemona_mixers[] = {
      /* ... */
      { .sysnr = __NR_open,
        .in  = { .argnr = 3, .extnr = 0, .handlers = {
                   { .dual = false, .blade = lemona_blade_string_null },
                   { .dual = false, .blade = lemona_blade_integer },
                 } },
        .out = { .argnr = 1, .extnr = 1, .handlers = {
                   { .dual = false, .blade = lemona_blade_integer },
                   { .dual = false, .blade = lemona_blade_string_fd },
                 } },
      },
      /* ... */
    };
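The structures and mixers slides describe a pipeline in two halves: on the tracer side a mixer entry names, per system call and per direction, the blade that serializes each parameter into a zest; on the forensics side a reader has to walk that zest back using the recorded sizes. The following is an added example, not Lemona's code, covering both slides with one user-space model. It assumes a reduced zest layout (fixed header, inline size table, then the arguments back to back), a blade contract that the slides do not spell out (copy the value behind fruit1 to payload offset off, treat fruit2 as a pointer to the payload capacity, return bytes written or -1), a constructed magic value, a placeholder syscall number, and an entrance mixer for open() with three handlers (filename, flags, mode); the real blades' signatures match the slide but their return convention is an assumption.

```c
/* Added example (not Lemona's code): mixer-driven blades serialize one call
 * into a zest, and a reader validates and walks the record back. The layout,
 * blade return contract, magic value and syscall number are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZEST_MAGIC "ZEST"          /* constructed magic value */
#define MAX_ARGS 6
#define NR_OPEN_HYPOTHETICAL 2     /* placeholder syscall number */

/* Reduced zest: fixed header, inline size table, then the arguments back to back. */
struct lemona_zest {
    char magic[4];
    int  size;                     /* header + payload bytes */
    int  in;                       /* 1 = call entrance, 0 = call exit */
    int  sysnr;
    int  argnr;
    int  argsz[MAX_ARGS];          /* size of each serialized argument */
} __attribute__((packed));

/* Blade signature from the slide; assumed contract: copy the value behind fruit1
 * to payload offset off, fruit2 -> payload capacity, return bytes written or -1. */
typedef int (*bladefn)(struct lemona_zest *zest, int isExt, int idx, int off,
                       void *fruit1, void *fruit2);

static unsigned char *payload(struct lemona_zest *z)
{
    return (unsigned char *)z + sizeof(*z);
}

static int blade_integer(struct lemona_zest *z, int isExt, int idx, int off,
                         void *fruit1, void *fruit2)
{
    (void)isExt; (void)idx;
    if (off + (int)sizeof(int) > *(int *)fruit2) return -1;
    memcpy(payload(z) + off, fruit1, sizeof(int));
    return (int)sizeof(int);
}

/* Strings come from user memory: bound the scan by the room left in the record. */
static int blade_string_null(struct lemona_zest *z, int isExt, int idx, int off,
                             void *fruit1, void *fruit2)
{
    (void)isExt; (void)idx;
    size_t room = (size_t)(*(int *)fruit2 - off);
    const unsigned char *end = memchr(fruit1, '\0', room);
    if (end == NULL) return -1;    /* no terminator inside the room: refuse */
    size_t len = (size_t)(end - (const unsigned char *)fruit1);
    memcpy(payload(z) + off, fruit1, len + 1);
    return (int)len + 1;
}

struct mixer_handler { bool dual; bladefn blade; };
struct mixer_side    { int argnr; int extnr; struct mixer_handler handlers[MAX_ARGS]; };
struct mixer         { int sysnr; struct mixer_side in; struct mixer_side out; };

/* Entrance mixer for open(), shaped like the slide's table (exit side left empty). */
static const struct mixer open_mixer = {
    .sysnr = NR_OPEN_HYPOTHETICAL,
    .in = { .argnr = 3, .extnr = 0, .handlers = {
        { .dual = false, .blade = blade_string_null },   /* filename */
        { .dual = false, .blade = blade_integer },       /* flags */
        { .dual = false, .blade = blade_integer },       /* mode */
    } },
    .out = { .argnr = 0, .extnr = 0 },
};

/* Tracer side: run each handler's blade in turn. Returns record size or -1. */
static int build_zest(const struct mixer *m, bool in, void *const fruits[],
                      unsigned char *buf, int buflen)
{
    const struct mixer_side *side = in ? &m->in : &m->out;
    struct lemona_zest *z = (struct lemona_zest *)buf;
    int cap = buflen - (int)sizeof(*z), off = 0;
    if (cap < 0) return -1;
    memset(z, 0, sizeof(*z));
    memcpy(z->magic, ZEST_MAGIC, 4);
    z->in = in; z->sysnr = m->sysnr; z->argnr = side->argnr;
    for (int i = 0; i < side->argnr; i++) {
        int n = side->handlers[i].blade(z, 0, i, off, fruits[i], &cap);
        if (n < 0) return -1;
        z->argsz[i] = n;
        off += n;
    }
    z->size = (int)sizeof(*z) + off;
    return z->size;
}

/* Forensics side: validate magic, size and index before trusting any offset. */
static const void *zest_arg(const unsigned char *buf, int buflen, int idx, int *sz)
{
    const struct lemona_zest *z = (const struct lemona_zest *)buf;
    if (buflen < (int)sizeof(*z) || memcmp(z->magic, ZEST_MAGIC, 4) != 0) return NULL;
    if (z->size > buflen || z->argnr < 0 || z->argnr > MAX_ARGS) return NULL;
    if (idx < 0 || idx >= z->argnr) return NULL;
    int off = 0;
    for (int i = 0; i < idx; i++) off += z->argsz[i];
    if (off + z->argsz[idx] > z->size - (int)sizeof(*z)) return NULL;
    *sz = z->argsz[idx];
    return buf + sizeof(*z) + off;
}

int main(void)
{
    unsigned char buf[128];
    char name[] = "/etc/passwd";   /* constructed sample call */
    int flags = 0x241, mode = 0644, sz, v;
    void *fruits[3] = { name, &flags, &mode };
    int n = build_zest(&open_mixer, true, fruits, buf, (int)sizeof buf);
    const char *f = zest_arg(buf, n, 0, &sz);
    memcpy(&v, zest_arg(buf, n, 1, &sz), sizeof v);
    printf("record=%d bytes filename=%s flags=%#x\n", n, f, v);
    return 0;
}
```

The two bounds checks are the part worth copying: the string blade refuses a value with no terminator inside the remaining room rather than running past the record, and the reader rejects a record whose declared size, argument count or argument offsets disagree with the buffer it was handed, since a forensics tool reading zests from storage cannot assume the tracer that wrote them was the last thing to touch them.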
Lemona > Blades

Generics (blades/generics.c)
    int lemona_blade_integer(...);
    int lemona_blade_integer64(...);
    int lemona_blade_long(...);
    int lemona_blade_long_long(...);
    int lemona_blade_output_buffer(...);

Strings (blades/strings.c)
    int lemona_blade_string_null(...);
    int lemona_blade_string_fd(...);

Input/Output Vectors (blades/iovec.c)
    int lemona_blade_iovec(...);
Lemona > Build

    $> cd $(PATH_TO_KERNEL_SRC)
    $> wget
    $> patch -p1 < patch
    $> make menuconfig
    $> make && make modules_install && make install
Lemona > Load / Unload

    $> cd $(PATH_TO_MODULES)
    $> sudo insmod ./lemona.ko
    $> dmesg | tail -2
    -==Lemona==- Initialization for kernel tree
    -==Lemona==- Done.
    $> sudo rmmod lemona
    $> dmesg | tail -2
    -==Lemona==- Uninitializing...
    -==Lemona==- Done.
Outline
Security and Forensics
 – Forensics
 – Computer Security
 – Computer Forensics
Related Work
Lemona
 – Project
 – Overview
 – Architecture
References
References
[home] [blog] [wiki] [SCM] [group]