
Guardian Kernel Module Sarah Diesburg & Louis Brooks.


1 Guardian Kernel Module Sarah Diesburg & Louis Brooks

2 Introduction
Previous Work – St. Michael
Design Philosophy
What we monitor
 –System Call Mappings
 –System Call Integrity
 –Module Hiding (cloaking)
 –Modifications to running modules

3 St. Michael
Made for the 2.2 and 2.4 series of kernels. No longer maintained.
Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
Could even reload the running kernel from a restore point if the kernel was compromised.

4 St. Michael (cont.)
The functionalities of St. Michael include:
 –Monitoring pointers to system calls for any changes.
 –The ability to cloak itself from the running kernel and commands like lsmod.
 –Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.

5 Kernel's System Call Table
[Figure: the system call table, an array of pointers indexed by system call number, entries system call #0 through system call #n]

6 System Call Mappings
Initialization
 –We make a copy of the system call table.
Timer
 –Twice every second, we compare the kernel's system call table of pointers with our own copy.
 –If there are discrepancies, we restore the kernel's system call table from our copy.

7 System Call Integrity
Initialization
 –We take and store md5 sums of the kernel's system call handlers.
Timer
 –Twice every second we take new md5 sums of the kernel's system call handlers and compare them with the stored ones.
 –If there is a discrepancy, we point the kernel to a null system call until reboot.
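The two timer checks of slides 6 and 7, written out as a user-space model. This is an added example, not the GKM authors' code: the "kernel" system call table is an array of function pointers, each handler's instruction bytes are modelled as a constructed byte array so tampering can be simulated (in the real module the bytes would be read from the handler's address in kernel text, and the length CODE_LEN to hash is an assumption), and FNV-1a stands in for MD5 because libc has no MD5. The detection and response logic is the part that matters.

```c
/* Added example, not the GKM authors' code: user-space model of the
 * slide 6 (mapping) and slide 7 (integrity) timer checks. */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NR_SYSCALLS 3
#define CODE_LEN 8          /* assumed handler length to hash */

typedef long (*sys_call_t)(long arg);

/* Modelled instruction bytes of each handler (constructed sample data). */
static unsigned char sys_code[NR_SYSCALLS][CODE_LEN] = {
    {0x55, 0x89, 0xe5, 0x8b, 0x45, 0x08, 0x5d, 0xc3},
    {0x55, 0x89, 0xe5, 0x31, 0xc0, 0x40, 0x5d, 0xc3},
    {0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0x5d, 0xc3},
};

long sys_exit_impl(long a)  { (void)a; return 0; }
long sys_fork_impl(long a)  { (void)a; return 1; }
long sys_chdir_impl(long a) { (void)a; return 2; }
/* The "null system call" GKM installs once a handler is found modified. */
long sys_null(long a)       { (void)a; return -ENOSYS; }

static sys_call_t sys_call_table[NR_SYSCALLS] = {
    sys_exit_impl, sys_fork_impl, sys_chdir_impl
};

/* GKM's private state, captured once at init. */
static sys_call_t gkm_table_copy[NR_SYSCALLS];
static uint64_t   gkm_code_sum[NR_SYSCALLS];
static int        gkm_nulled[NR_SYSCALLS];

/* FNV-1a 64-bit, standing in for MD5. */
static uint64_t fnv1a(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

void gkm_init(void)
{
    for (int i = 0; i < NR_SYSCALLS; i++) {
        gkm_table_copy[i] = sys_call_table[i];
        gkm_code_sum[i]   = fnv1a(sys_code[i], CODE_LEN);
        gkm_nulled[i]     = 0;
    }
}

/* Slide 6: compare pointers with the copy and restore any that changed.
 * Returns the number of entries restored. */
int gkm_check_mappings(void)
{
    int restored = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] != gkm_table_copy[i]) {
            printf("GKM: Found inconsistency in system call table! (nr %d)\n", i);
            sys_call_table[i] = gkm_table_copy[i];
            restored++;
        }
    }
    return restored;
}

/* Slide 7: rehash each handler's code; on mismatch point the kernel at the
 * null handler. The private copy must be updated too, or the next mapping
 * check would "restore" the compromised handler half a second later.
 * Returns the number of handlers newly nulled. */
int gkm_check_integrity(void)
{
    int nulled = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (gkm_nulled[i]) continue;          /* stays null until reboot */
        if (fnv1a(sys_code[i], CODE_LEN) != gkm_code_sum[i]) {
            printf("GKM: System call number %d has been compromised!\n", i);
            sys_call_table[i] = sys_null;
            gkm_table_copy[i] = sys_null;
            gkm_nulled[i] = 1;
            nulled++;
        }
    }
    return nulled;
}

/* One timer tick: mappings first, so the integrity pass runs over the
 * pointers GKM trusts rather than whatever an attacker just installed. */
int gkm_timer_tick(void) { return gkm_check_mappings() + gkm_check_integrity(); }

/* Simulated attacks matching the tests on slides 14 and 15. */
long evil_chdir(long a) { (void)a; return 0xbad; }
void attack_replace_mapping(int nr) { sys_call_table[nr] = evil_chdir; }
void attack_overwrite_code(int nr)  { sys_code[nr][0] = 0xe9; } /* patch in a jmp */

sys_call_t current_handler(int nr) { return sys_call_table[nr]; }

int main(void)
{
    gkm_init();
    attack_replace_mapping(2);
    gkm_timer_tick();                         /* mapping restored */
    attack_overwrite_code(2);
    gkm_timer_tick();                         /* handler nulled */
    printf("chdir now returns %ld\n", current_handler(2)(0));
    return 0;
}
```

Two caveats a practitioner would keep in mind: a check that runs twice a second leaves a window of up to half a second in which a replaced or patched handler runs unobserved, and GKM's own copy and sums live in kernel memory next to the table they guard, so they are a target in their own right (protecting itself is exactly what St. Michael listed as a goal).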

8 How modules are loaded into the 2.6 Kernel
insmod invokes the init_module system call (sys_init_module)
 –passes the module image and its arguments to the kernel
sys_init_module calls load_module
 –uses copy_from_user to pull the module image into kernel space
 –creates the new struct module and returns a pointer to it, which sys_init_module then uses to run the module's init function

9 Kernel Module List
[Figure: the kernel module list, a list_head linking the loaded struct module entries]

10 Module Monitoring
Done in three phases
 –Module List
   Created at GKM init
 –Module init/delete
   Wrapper functions for the init_module and delete_module syscalls
   Changes to module loading from 2.4 to 2.6
    –removed syscalls create_module and query_module
    –no pointer to the new module is returned to the caller
   Access the kernel module list through the list pointer of THIS_MODULE when GKM is initialized
 –Timer
   Check the kernel module list and MD5 sums against GKM's internal list created at init

11 Module Monitoring (cont.)
gkm_syscall_init_module
 –Calls the kernel's original init_module syscall
   returns 0 on success
 –Calls gkm_add_mod_list
   checks for cloaked modules
   creates md5 sums
   adds the module to GKM's module list

12 Module Monitoring (cont.)
gkm_syscall_delete_module
 –Checks if GKM is the module to be unloaded
   returns –EBUSY if true
 –Calls the kernel's original delete_module syscall
   returns 0 on success
 –Calls gkm_delete_mod_list
   deletes the module from GKM's list
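The init_module and delete_module wrappers of slides 10 to 12 as a user-space model. This is an added example, not the GKM authors' code: the kernel's module list and GKM's private list are plain singly linked lists (the real module reaches the kernel's list through THIS_MODULE->list), the module names are constructed, and the MD5 sums of slide 11 are left out. How GKM recognises a cloaked module is not spelled out on the slides; the check modelled here, that a module whose load just succeeded is missing from the kernel's list, is an assumption.

```c
/* Added example, not the GKM authors' code: user-space model of the
 * slide 10-12 module monitoring (init/delete wrappers plus timer check). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GKM_NAME "gkm"

struct kmod {
    char name[32];
    struct kmod *next;
};

static struct kmod *kernel_modules;  /* the kernel's list */
static struct kmod *gkm_modules;     /* GKM's copy, built at init */
static int gkm_alerts;

static struct kmod *list_find(struct kmod *head, const char *name)
{
    for (; head; head = head->next)
        if (strcmp(head->name, name) == 0) return head;
    return NULL;
}

static void list_push(struct kmod **head, const char *name)
{
    struct kmod *m = calloc(1, sizeof *m);
    strncpy(m->name, name, sizeof m->name - 1);
    m->next = *head;
    *head = m;
}

static int list_remove(struct kmod **head, const char *name)
{
    for (struct kmod **pp = head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->name, name) == 0) {
            struct kmod *m = *pp;
            *pp = m->next;
            free(m);
            return 1;
        }
    }
    return 0;
}

/* Modelled originals. A cloaking module's init function unlinks the module
 * from the kernel list again, so the syscall returns 0 but lsmod no longer
 * shows it (the trick slide 4 credits St. Michael with detecting). */
static int orig_init_module(const char *name, int cloaks)
{
    list_push(&kernel_modules, name);
    if (cloaks) list_remove(&kernel_modules, name);
    return 0;
}

static int orig_delete_module(const char *name)
{
    return list_remove(&kernel_modules, name) ? 0 : -ENOENT;
}

/* Slide 10: GKM is itself loaded, then snapshots whatever the kernel lists. */
void gkm_init(void)
{
    list_push(&kernel_modules, GKM_NAME);
    for (struct kmod *m = kernel_modules; m; m = m->next)
        list_push(&gkm_modules, m->name);
}

/* Slide 11 */
int gkm_syscall_init_module(const char *name, int cloaks)
{
    int rc = orig_init_module(name, cloaks);
    if (rc != 0) return rc;
    printf("GKM: module %s detected and loaded.\n", name);
    /* gkm_add_mod_list: a module whose load just succeeded must be visible */
    if (!list_find(kernel_modules, name)) {
        printf("GKM: Cloaked module inserted into system!\n");
        gkm_alerts++;
    }
    list_push(&gkm_modules, name);   /* track it either way */
    return 0;
}

/* Slide 12 */
int gkm_syscall_delete_module(const char *name)
{
    if (strcmp(name, GKM_NAME) == 0) return -EBUSY;  /* GKM refuses to unload */
    int rc = orig_delete_module(name);
    if (rc == 0) list_remove(&gkm_modules, name);     /* gkm_delete_mod_list */
    return rc;
}

/* Slide 10 timer: every module GKM recorded must still be on the kernel's
 * list; one that vanished without delete_module hid itself after loading.
 * Returns the number of such modules. */
int gkm_timer_check(void)
{
    int hidden = 0;
    for (struct kmod *m = gkm_modules; m; m = m->next)
        if (!list_find(kernel_modules, m->name)) {
            printf("GKM: module %s hidden from kernel module list!\n", m->name);
            hidden++;
        }
    return hidden;
}

/* Simulated attacker hiding an already-loaded module later on. */
void attack_hide_module(const char *name) { list_remove(&kernel_modules, name); }
int  gkm_alert_count(void) { return gkm_alerts; }
int  kernel_lists_module(const char *name) { return list_find(kernel_modules, name) != NULL; }

int main(void)
{
    gkm_init();
    gkm_syscall_init_module("hello", 0);
    gkm_syscall_init_module("cloaker", 1);   /* alert at load time */
    attack_hide_module("hello");
    printf("timer found %d hidden module(s)\n", gkm_timer_check());
    printf("unloading gkm: %d\n", gkm_syscall_delete_module(GKM_NAME));
    return 0;
}
```

Because the wrapper sees init_module return before the module's own init has a chance to be observed again, the load-time check only catches modules that hide themselves during init; the timer pass on the tracked list is what catches a module that waits and unlinks itself later.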

13 Starting GKM
Jun 15 15:37:18 localhost kernel: GKM: Initializing Guardian Kernel Module
Jun 15 15:37:18 localhost kernel: GKM: Guardian Kernel Module Loaded

14 System Call Replacement Test
Jun 15 15:38:19 localhost kernel: GKM: module system_call_replacement detected and loaded.
Jun 15 15:38:19 localhost kernel: GKM: Found inconsistency in system call table!
Jun 15 15:38:19 localhost kernel: GKM: System call mapping restored.

15 System Call Overwrite Test
Jun 15 15:49:42 localhost kernel: About to overwrite chdir at address c0159050
Jun 15 15:49:42 localhost kernel: GKM: module system_call_overwrite detected and loaded.
Jun 15 15:49:42 localhost kernel: GKM: System call number 12 has been compromised!
Jun 15 15:49:42 localhost kernel: GKM: Please look in unistd.h for the corresponding system call.
Jun 15 15:49:42 localhost kernel: GKM: System call number 12 has been replaced with a null system call.
Jun 15 15:49:42 localhost kernel: GKM: Please take appropriate action and reboot soon.

16 Module Cloaking Test
Jun 15 16:03:12 localhost kernel: I'm still here...
Jun 15 16:03:12 localhost kernel: GKM: Cloaked module inserted into system!
Jun 15 16:03:12 localhost kernel: GKM: Please take appropriate action and reboot soon.

17 Module Overwrite Test
Jun 15 16:03:33 localhost kernel: GKM: module module_overwrite detected and loaded.
Jun 15 16:03:33 localhost kernel: GKM: Bad exit checksum for hello
Jun 15 16:03:33 localhost kernel: GKM: Please take appropriate action and reboot soon.

18 Conclusion
What's next?
 –Sourceforge or Freshmeat
Questions?

