Slide 1: The Guardian Kernel Module
Sarah Diesburg, Louis Brooks
June 5, 2006
Slide 2: Introduction
St. Michael Linux Kernel Module
  – Overview
  – Functionality
  – Upgrade Issues
Our Kernel Module (The Guardian)
  – Functionalities we will implement
Screenshots of St. Michael in action
Slide 3: St. Michael Kernel Module
Made for the 2.2 and 2.4 series of kernels.
Not maintained now.
Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
Could even reload the running kernel from a restore point if the kernel was compromised.
Slide 4: St. Michael Functionalities
The functionalities of St. Michael include:
  – Monitoring pointers to system calls for any changes.
  – The ability to cloak itself from the running kernel and commands like lsmod.
  – Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.
Slide 5: St. Michael Functionalities (cont.)
Extensive md5 summing of critical functionalities such as:
  – /sbin/init and /proc/ksyms
  – System calls
  – Loaded modules
  – Kernel text
  – St. Michael's own functions
Slide 6: St. Michael Functionalities (cont.)
Setting and enforcing the immutable flag on important files.
Ability to reboot the system after compromise.
Ability to reload the running kernel or system call mappings.
Limiting write access to the device /dev/kmem.
Slide 7: St. Michael Upgrade Issues
The sys_call_table symbol is not exported in the 2.6 kernels.
  – We have two choices to work around this.
System calls have changed since the 2.2 and 2.4 kernels.
Module initializations may have changed since the 2.2 and 2.4 kernels.
Slide 8: St. Michael Upgrade Issues (cont.)
There is no /proc/ksyms in the 2.6 kernel.
  – /proc/kallsyms might be a suitable replacement.
We need to use newer spinlocks.
  – St. Michael used the "big kernel lock".
The St. Michael code is too long and complicated to fully upgrade.
  – We will implement a subset of its functionality.
  – A rewrite of the module is in order.
Slide 9: Our Kernel Module (The Guardian)
Our subset of functionalities will include:
  – Monitoring loading and unloading of modules
      Wrappers around the load and unload system calls
  – Monitoring system call mappings
      On system boot we will keep a local copy of the correct system call mapping and periodically check the kernel's version against it with a kernel timer.
Slide 10: Our Kernel Module (The Guardian) (cont.)
  – Monitoring integrity through md5 summing of:
      Guardian (our module)
      System calls
      Modules
      Kernel
  – Logging
      Guardian activities
  – Ability to hide the Guardian kernel module
  – No way to unload the Guardian without a system reboot
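The system-call-mapping check and integrity summing described on slides 9 and 10, as an added user-space model that is not the Guardian's or St. Michael's code: sys_call_table, the handler stand-ins and the hook are constructed for illustration, FNV-1a stands in for md5, and guardian_check() plays the role of the kernel timer callback.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the Guardian's check (constructed example): the real
 * module snapshots the kernel's sys_call_table at load time and runs
 * guardian_check() from a kernel timer; FNV-1a stands in for md5 summing. */
#define NR_CALLS 4
typedef long (*syscall_fn)(long);
/* Constructed stand-ins for real system call handlers. */
static long sys_read_model(long a)  { return a + 1; }
static long sys_write_model(long a) { return a + 2; }
static long sys_open_model(long a)  { return a + 3; }
static long sys_close_model(long a) { return a + 4; }
/* The live table that an LKM rootkit would patch. */
syscall_fn sys_call_table[NR_CALLS] = {
    sys_read_model, sys_write_model, sys_open_model, sys_close_model };

static syscall_fn saved_table[NR_CALLS];  /* trusted copy kept since "boot" */
static uint64_t saved_hash;

/* Hash the raw bytes of a table so the periodic check is one comparison. */
uint64_t table_hash(const syscall_fn *t, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    const unsigned char *p = (const unsigned char *)t;
    for (size_t i = 0; i < n * sizeof *t; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Called once at load time: record the mapping the guardian will enforce. */
void guardian_snapshot(void)
{
    memcpy(saved_table, sys_call_table, sizeof saved_table);
    saved_hash = table_hash(saved_table, NR_CALLS);
}

/* Timer callback: fast path compares hashes; on mismatch, log and restore
 * each changed entry from the snapshot and return how many were modified. */
int guardian_check(void)
{
    int modified = 0;
    if (table_hash(sys_call_table, NR_CALLS) == saved_hash) return 0;
    for (int i = 0; i < NR_CALLS; i++) {
        if (sys_call_table[i] == saved_table[i]) continue;
        printf("GUARDIAN: system call %d remapped, restoring original\n", i);
        sys_call_table[i] = saved_table[i];
        modified++;
    }
    return modified;
}
```

The same hash-and-compare loop applied to the bytes of kernel text or a module's code section gives the md5-style integrity check of slide 10; only the restore step differs, since code bytes must be rewritten from the saved copy rather than a pointer swapped back.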
Slide 11: St. Michael syslog excerpts
Testing attack against St. Michael itself…
  Jun 3 14:20:48 hades kernel: --=={Loading StMichael 0.11
  Jun 3 14:20:48 hades kernel: --=={StMichael 0.11 Successfully Loaded
  Jun 3 14:25:35 hades kernel: About to attack StMichael itself....
  Jun 3 14:25:35 hades kernel: StMichael May Halt the System or Do other Nasty Stuff...
  Jun 3 14:25:35 hades kernel: Replacing Code at d4863c00.
  Jun 3 14:25:35 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
  Jun 3 14:25:35 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
  Jun 3 14:36:16 hades syslogd 1.4.1#10: restart.
Slide 12: St. Michael syslog excerpts (cont.)
Attempting to replace a system call…
  Jun 3 14:38:40 hades kernel: --=={Loading StMichael 0.11
  Jun 3 14:38:40 hades kernel: --=={StMichael 0.11 Successfully Loaded
  Jun 3 14:39:19 hades kernel: About to try replacing a systemcall...
  Jun 3 14:39:19 hades kernel: 0(STMICHAEL):Kernel Structures Modified. Attempting to Restore.
Slide 13: St. Michael syslog excerpts (cont.)
Attempting to replace the kernel's delete module function…
  Jun 3 14:41:45 hades kernel: About to Trash the Kernel's Delete Module..
  Jun 3 14:41:45 hades kernel: If StMichael isn't in here, prepare for a panic.
  Jun 3 14:41:45 hades kernel: Replacing Code at c012845c.
  Jun 3 14:41:45 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
  Jun 3 14:41:45 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
  Jun 3 14:57:16 hades syslogd 1.4.1#10: restart.