Presentation is loading. Please wait.

Presentation is loading. Please wait.

Black Hat Briefings Las Vegas July 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas.

Published byOwen Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "Black Hat Briefings Las Vegas July 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas."— Presentation transcript:

1 Black Hat Briefings Las Vegas July 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas

2 Black Hat Briefings Las Vegas July 25th, 2000 Overview The issue Detection How to avoid it? Introducing kmod. What can be done about it?

3 Black Hat Briefings Las Vegas July 25th, 2000 The issue root is almighty lots of opportunities to hack root root can change the kernel the kernel is critical to detect abuse  A kernel attack can be very effective.

4 Black Hat Briefings Las Vegas July 25th, 2000 Some arguments When you get rooted you have lost anyway  but why do we make it so easy? It is so sophisticated that the risk is very low  kernel hacking falls in the scriptable class My OS is closed source so it won't be feasible  who are you kidding? All solutions result in unworkable situations  So lets do better!

5 Black Hat Briefings Las Vegas July 25th, 2000 Detection Host-based Intrusion detection Network-based Intrusion detection Misuse detection Anomaly detection System health monitoring

6 Black Hat Briefings Las Vegas July 25th, 2000 Detection Audit trails System monitoring Integrity checking Network protocol sniffing and reconstruction

7 Black Hat Briefings Las Vegas July 25th, 2000 What to hide from? Black Hat: repeatedly use a system without detection White Hat: hide or protect detection measures. Tripwire (and other host based IDS) Process accounting Auditing trail software ‘netstat’, ‘lsof’, ‘ps’ etc.

8 Black Hat Briefings Las Vegas July 25th, 2000 What to hide? Use your imagination: anything the kernel does or shows can be changed: –Processes –Backdoors: changed programs –Files –System logging –Network connections or interface state –File modification times –Loadable modules –…

9 Black Hat Briefings Las Vegas July 25th, 2000 How to fool tripwire Tripwire calculates signatures of –File content –File properties (timestamps, owner) –Directory properties (number of files in it) The (modified) kernel should preserve these properties. –execve() opens different file than open() does –stat() returns original values

10 Black Hat Briefings Las Vegas July 25th, 2000 What is a Kernel? The Operating System ‘program’ –Offers services to ‘userland’ Creates and maintains processes Separation of privileges and memory Access to devices … –Extensible: network protocols, filesystems –No internal privilege levels –…

11 Black Hat Briefings Las Vegas July 25th, 2000 What is a Kernel? - 2 ‘Userland’ can – inquire about kernel state – change kernel state – For example: state of network devices Through: –System calls –/dev devices (e.g. /dev/kmem) –/proc filesystem

12 Black Hat Briefings Las Vegas July 25th, 2000 How to modify a kernel? Loadable kernel modules Write-able kernel memory –Write directly in /dev/(k)mem The kernel executable –Build a new kernel

13 Black Hat Briefings Las Vegas July 25th, 2000 Loadable modules Modularization of the kernel –Only use resources when needed –Generally works well for any design Mechanism: –Compiled code is resolved against kernel symbols –Memory is allocated –Code is copied in and an initialization function is called

14 Black Hat Briefings Las Vegas July 25th, 2000 Introducing kmod Goal: –Demonstrate effect of kernel modifications –Targeted at Solaris –‘Easy’ to use. –Use several ways to manipulate kernel –Open Source

15 Black Hat Briefings Las Vegas July 25th, 2000 Details: How to proceed? Think about how to fool programs. Use the Kernel internal stuctures: –Switch tables –Linked lists –Global variables

16 Black Hat Briefings Las Vegas July 25th, 2000 Kernel switch tables. Changing function pointers Kernel uses ‘switch tables’ for extensibility. Overwrite function pointer: –old_execve = sys_call_table[SYS_execve] –sys_call_table[SYS_execve]=new_execve

17 Black Hat Briefings Las Vegas July 25th, 2000 Kernel linked lists. Used for dynamically adding entries Hide:

18 Black Hat Briefings Las Vegas July 25th, 2000 Where to start? Decide where to intercept –Hide processes: Memory device (/dev/(k)mem Filesystem switch table (/proc) –Hide backdoors: Execve -> syscall table –Hide files: Filesystem switch table (ufs_getattr())

19 Black Hat Briefings Las Vegas July 25th, 2000 Example: execve() Has an entry in the syscall table: /usr/include/sys/syscall.h: #define SYS_execve 59 Looks like: /usr/include/sys/exec.h: struct execa { char *fname; char **argp; char **envp; }; extern int exece(struct execa *, rval_t *);

20 Black Hat Briefings Las Vegas July 25th, 2000 Example: execve() 2 Modify behavior: –Safe pointer to original exece() –Replace it with pointer to our new_exece() –Do our work and call old_exece() Advantages: –No detailed knowledge needed about original exece() –Not very dependent on kernel patches that might change the original exece()

21 Black Hat Briefings Las Vegas July 25th, 2000 Example: execve() 3 We want to change: –Test if we call a backdoor executable –If not do nothing and call old_exece –If so redirect the call to our backdoor-ed version by supplying a new fname –Make sure it is not visible from userland that a different executable has been called

22 Black Hat Briefings Las Vegas July 25th, 2000 Example: execve() 4 We need to test the pathname only: int new_exece(struct execa *eap, rval_t *rp) { if (backd_head && !ishid(p)) { if (error = lookupname(eap->fname, UIO_USERSPACE, FOLLOW, NULLVPP, &vp)) return (error); backdp = backd_head; while (!VN_CMP(backdp->vp, vp) && ((backdp = backdp->bd_nxt) != NULL)); if (backdp) { kmod_log(KMOD_CE_DEBUG3, "exec matched, redir to %s\n", backdp->bdfname);

23 Black Hat Briefings Las Vegas July 25th, 2000 Example execve() 5 lookupname(backdp->bdfname, UIO_SYSSPACE, FOLLOW, NULLVPP,&vnp); size = strlen(backdp->bdfname) + 1; cp = regsp->r_sp - size; error = copyout(backdp->bdfname, (caddr_t) cp, size); eap->fname = (char *) cp; return(old_exece(eap, rp)); }

24 Black Hat Briefings Las Vegas July 25th, 2000 Example: execve() 6 Result if we have an entry with backdp->bdfname = “/bin/login” : –execve(“/bin/login”, a,e) will really do execve(“/bin/mylogin”,a,e) but –open(“/bin/login”) will still do open(“/bin/login”)

25 Black Hat Briefings Las Vegas July 25th, 2000 System calls Some system calls that were changed: forkfork1 killsigqueue execexece

26 Black Hat Briefings Las Vegas July 25th, 2000 Filesystem routines ufs_readdirufs_lookup ufs_createufs_remove ufs_renameufs_setattr ufs_getattr pr_readdirpr_lookup spec_ioctl

27 Black Hat Briefings Las Vegas July 25th, 2000 Miscellaneous For /dev/kmem: –mmread For netstat: –tcp_wput –strrput

28 Black Hat Briefings Las Vegas July 25th, 2000 Other features /proc or /dev/kmem hides a process which has a ‘hidden flag’. fork() will hide a child of a hidden process. Signals to hidden processes fail. Information on network objects hidden from ‘netstat’

29 Black Hat Briefings Las Vegas July 25th, 2000 Other features Files and directories with a special prefix are hidden. stat() will show ‘correct’ number of files in directory (nlink) Reboot proof

30 Black Hat Briefings Las Vegas July 25th, 2000 Reboot proof mechanism Rename an existing kernel module: /kernel/strmod/connld  /kernel/misc/ Place rogue module at that spot. Redirect all UFS routines for /kernel/strmod/connld to /kernel/strmod/ Have the rogue module load /kernel/strmod/ and hide itself

31 Black Hat Briefings Las Vegas July 25th, 2000 Demonstration Following steps: –Hack root remote –Install kmod kit –Install backdoor –Run tripwire –Inspect system with other tools: ps, lsof –Reboot –Check again

32 Black Hat Briefings Las Vegas July 25th, 2000 Advanced No loadable module support? –Copy directly into kernel memory In-kernel network daemons -> hide network connections Modify executable code directly if possible Change network stack protocol behavior –Phrack 55:September 9, 1999 –http://ww.phrack.com

33 Black Hat Briefings Las Vegas July 25th, 2000 Advanced 2 Snoop ttys through loadable modules Install and hide ipfilter and redirect traffic based on some token to a local backdoor.

34 Black Hat Briefings Las Vegas July 25th, 2000 What can be done about it? Securelevel protection. Reduce root: Fine grained privileges. Userland kernel integrity checker –Easily fooled In-kernel kernel integrity checker –Chicken and egg problem –IPD http://www.pedestalsoftware.com

35 Black Hat Briefings Las Vegas July 25th, 2000 Securelevels Protection mechanism Prevents all users including root from modifying kernel memory directly Found in *BSD and Linux Not found on most commercial Unices Depends on the value of 2 bits in the kernel

36 Black Hat Briefings Las Vegas July 25th, 2000 Fine grained privileges Examples: –Capabilities: ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/index.html –Mandatory Access Control (MAC) ftp://ftp.tislabs.com/pub/lomac/ http://www.trustedbsd.org/downloads/ –Trusted Solaris –PitBull from Argus Systems

37 Black Hat Briefings Las Vegas July 25th, 2000 FreeBSD: Jail Developed by Poul-Henning Kamp for FreeBSD 4.0 Beefed up chroot() Acts a bit like a MAC system with one label: jail  simplification More info: http://www.nluug.nl/events/sane2000/papers/kamp.pdf

38 Black Hat Briefings Las Vegas July 25th, 2000 Windows? Same problems Internals less understood (yet) Open Source project: –http://www.rootkit.com

39 Black Hat Briefings Las Vegas July 25th, 2000 Acknowledgement Gene Kim, Tripwire for supplying the demonstration copy.

40 Black Hat Briefings Las Vegas July 25th, 2000 References Phrack 50-55, http://www.phrack.com THC http://thc.pimmel.org UNIX Internals by Valhalia Design and Implementation of the 4.4BSD Operating System http://docs.sun.com http://www.itsx.com/kmod.html

Download ppt "Black Hat Briefings Las Vegas July 25th, 2000 Getting rooted and never knowing it The importance of kernel integrity Job de Haas."

Similar presentations

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
A SECURE JAILING SYSTEM FOR CONFINING UNTRUSTED APPLICATIONS Guido Noordende, ´Ad´am Balogh, Rutger Hofman, Frances M. T. Brazier, and Andrew S. Tanenbaum.

A SECURE JAILING SYSTEM FOR CONFINING UNTRUSTED APPLICATIONS Guido Noordende, ´Ad´am Balogh, Rutger Hofman, Frances M. T. Brazier, and Andrew S. Tanenbaum.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
Chapter 2: Operating-System Structures

Chapter 2: Operating-System Structures
Process in Unix, Linux and Windows CS-3013 C-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux and Windows CS-3013 C-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.

CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Processes in Unix, Linux, and Windows CS-502 Fall 20071 Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.

Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
Department Of Computer Engineering

Department Of Computer Engineering
Loadable Kernel Integrity Tools Eric Brandwine Todd MacDermid

Loadable Kernel Integrity Tools Eric Brandwine Todd MacDermid
The Programming Interface. Main Points Creating and managing processes – fork, exec, wait Performing I/O – open, read, write, close Communicating between.

The Programming Interface. Main Points Creating and managing processes – fork, exec, wait Performing I/O – open, read, write, close Communicating between.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Similar presentations

Ads by Google