
Kenfe-Mickaël Laventure Laurent Malvert Macquarie University 2008-11-12 LEMONA Linux Enhanced Monitoring Architecture Linux zest for security.


Slide 1: Kenfe-Mickaël Laventure, Laurent Malvert, Macquarie University, 2008-11-12. LEMONA – Linux Enhanced Monitoring Architecture: Linux zest for security

Slide 2 (Lemona – Linux Enhanced Monitoring Architecture, 2008-11-12, Laventure / Malvert): Outline
Lemona
  - Project
  - Overview
  - Architecture
  - Workflow
  - Code Review: Macros, Structures, Mixers, Blades
  - Build
  - Load / Unload
References

Slide 3: Lemona > Project
Open Architecture
  - Open Protocols
  - Open Source Implementation
Decentralized
  - Local Tracing Components
  - Remote Monitoring Components
Prevention, Detection, Forensics, Recovery
  - Possible...?

Slide 4: Lemona > Overview
Exhaustiveness
  - Kernel Land Tracer -> 100% User Land Coverage
Integrity
  - Harder to bypass -> bypassing it would require kernel-level code
  - Integrity Checks
Flexible
  - Variable Granularity Levels
  - Selectable Hooks

Slide 5: Lemona > Architecture
[Architecture diagram: a User Application issues a SysCall (Entry / Execution / Return) and memory-mapped file operations (Open, Read/Write, Page Fault, Close); Inside Attackers and Outside Attackers act on the Target; Lemona traces are transmitted to a Storage Point used by Forensics Tools. Sub-panel: Architecture > Workflow / Hooks]

Slide 6: Lemona > Workflow
[Workflow diagram; no transcript text]

Slide 7: [diagram only; no transcript text]

Slide 8: Lemona > Code Review
Lemona
  - Statically compiled; or
  - Loaded as a Linux Kernel Module
Mixers
  - Definitions of structures and function pointers to record system call activity
Blades
  - Predefined functions to process system calls' parameters
Zests
  - Custom structures to transfer and store records

Slide 9: Lemona > Macros

    extern atomic_t lemona_activated;
    static lemonalogfn _lemona_log = NULL;

    /* open a tracing block: only active while lemona_activated is non-zero */
    # define lemona_block_start \
      if (atomic_read(&lemona_activated) != 0) \
      {
    /* record a call on entry (in = true) or on return (in = false) */
    # define lemona_log_in(sysnr, argnr, extnr, ...) \
      __lemona_log(sysnr, true, argnr, extnr, ## __VA_ARGS__)
    # define lemona_log_out(sysnr, argnr, extnr, ...) \
      __lemona_log(sysnr, false, argnr, extnr, ## __VA_ARGS__)
    /* close the block; when tracing is off, forget the cached function pointer */
    # define lemona_block_end \
      } \
      else { \
        _lemona_log = NULL; \
      }
    /* resolve lemona_log lazily through kallsyms, then call it */
    #define __lemona_log(sysnr, in, argnr, extnr, ...) { \
      if (_lemona_log == NULL) \
        _lemona_log = (lemonalogfn)kallsyms_lookup_name("lemona_log"); \
      _lemona_log(sysnr, in, argnr, extnr, ## __VA_ARGS__); \
    }

Slide 10: Lemona > Macros

Hook as written in the syscall path:

    lemona_block_start
    {
      lemona_log_in(__NR_open, 3, 0, filename, &flags, &mode);
    }
    lemona_block_end;

After preprocessing (CPP):

    if (atomic_read(&lemona_activated) != 0)
    {
      if (_lemona_log == NULL)
        _lemona_log = (lemonalogfn)kallsyms_lookup_name("lemona_log");
      _lemona_log(__NR_open, true, 3, 0, filename, &flags, &mode);
    }
    else {
      _lemona_log = NULL;
    }

Slide 11: Lemona > Structures

    struct lemona_zest {
      char            magic[4];         /* magic number */
      int             size;             /* size taken by this zest and args sz/value */
      int             in;               /* input or output ? */
      struct timespec time;             /* call start/end time (getnstimeofday) */
      pid_t           pid;              /* actual pid */
      pid_t           tgid;             /* thread group id */
      uid_t           uid, euid, fsuid; /* user identification numbers */
      gid_t           gid, egid, fsgid; /* group identification numbers */
      int             sysnr;            /* syscall id */
      int             argnr;            /* number of args */
      int            *argsz;            /* ptr to an array of int giving each arg size */
      void           *args;             /* ptr to the first argument of the array */
      int             extnr;            /* extra value number */
      int            *extsz;            /* size of each extension */
      void           *exts;             /* extra values, located after the last arg */
    } __attribute__((packed));

Slide 12: Lemona > Structures

    /* a blade fills one argument (or extra) of a zest from the raw call data */
    typedef int (*bladefn)(struct lemona_zest *zest,   /* zest to fill */
                           int                 isExt,  /* is an extra? */
                           int                 idx,    /* which arg/ext? */
                           int                 off,    /* memory offset */
                           void               *fruit1, /* 1st data arg */
                           void               *fruit2);/* 2nd data arg */

    struct __lemona_mixer_handler {
      bool    dual;  /* is this a dual blade? */
      bladefn blade; /* blade processing this arg/ext */
    };

    struct __lemona_mixer {
      int                           argnr;       /* number of syscall parameters */
      int                           extnr;       /* number of extra parameters */
      struct __lemona_mixer_handler handlers[6]; /* pre-defined handlers */
    };

    struct lemona_mixer {
      int                   sysnr; /* system call number */
      struct __lemona_mixer in;    /* call entrance mixer */
      struct __lemona_mixer out;   /* call exit mixer */
    };

Slide 13: Lemona > Mixers

    const struct lemona_mixer lemona_mixers[] = {
      /* ... */
      {
        .sysnr = __NR_open,
        .in = {
          .argnr    = 3,
          .extnr    = 0,
          .handlers = {
            { .dual = false, .blade = lemona_blade_string_null },
            { .dual = false, .blade = lemona_blade_integer },
          }
        },
        .out = {
          .argnr    = 1,
          .extnr    = 1,
          .handlers = {
            { .dual = false, .blade = lemona_blade_integer },
            { .dual = false, .blade = lemona_blade_string_fd },
          },
        }
      },
      /* ... */
    };

Slide 14: Lemona > Blades

    /* blades/generics.c : Generics */
    int lemona_blade_integer(...);
    int lemona_blade_integer64(...);
    int lemona_blade_long(...);
    int lemona_blade_long_long(...);
    int lemona_blade_output_buffer(...);

    /* blades/strings.c : Strings */
    int lemona_blade_string_null(...);
    int lemona_blade_string_fd(...);

    /* blades/iovec.c : Input/Output Vectors */
    int lemona_blade_iovec(...);
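To show how the structures (slide 12), the mixer table (slide 13) and the blades (slide 14) fit together, here is a userland simulation of the mixer/blade dispatch for the entry of open(filename, flags, mode). This is an added example, not code from the Lemona project: it assumes a reduced zest where each blade appends its argument's bytes to a flat buffer and records the size in argsz[idx], a simplified one-pointer blade signature, a placeholder syscall number, and an integer blade for the mode argument.

```c
#include <string.h>

#define LEMONA_MAX_ARGS 6

/* Reduced userland form of struct lemona_zest (assumed layout): argument
 * bytes are packed back-to-back in args[], argsz[idx] holds each size. */
struct zest {
    int  sysnr, argnr;
    int  argsz[LEMONA_MAX_ARGS];
    char args[256];
    int  used;                      /* bytes of args[] filled so far */
};

/* Simplified blade signature: one data pointer per argument. */
typedef int (*bladefn)(struct zest *z, int idx, const void *fruit);

/* Append len bytes for argument idx; returns bytes written or -1 on overflow. */
static int blade_append(struct zest *z, int idx, const void *src, int len) {
    if (len < 0 || z->used + len > (int)sizeof z->args) return -1;
    memcpy(z->args + z->used, src, len);
    z->argsz[idx] = len;
    z->used += len;
    return len;
}

/* Copy a NUL-terminated string including its terminator (string_null blade). */
static int blade_string_null(struct zest *z, int idx, const void *fruit) {
    size_t n = strlen((const char *)fruit) + 1;
    return n > sizeof z->args ? -1 : blade_append(z, idx, fruit, (int)n);
}

/* Copy an int passed by address (integer blade). */
static int blade_integer(struct zest *z, int idx, const void *fruit) {
    return blade_append(z, idx, fruit, (int)sizeof(int));
}

struct mixer { int sysnr, argnr; bladefn handlers[LEMONA_MAX_ARGS]; };

/* Entry mixer for open(filename, flags, mode); 2 is a placeholder for __NR_open. */
static const struct mixer open_in = {
    .sysnr = 2, .argnr = 3,
    .handlers = { blade_string_null, blade_integer, blade_integer },
};

/* Run each handler of a mixer over the call's argument pointers; returns the
 * total bytes recorded, or -1 if a blade is missing or fails. */
int lemona_mix(const struct mixer *m, struct zest *z, const void *const fruits[]) {
    memset(z, 0, sizeof *z);
    z->sysnr = m->sysnr; z->argnr = m->argnr;
    for (int i = 0; i < m->argnr; i++)
        if (!m->handlers[i] || m->handlers[i](z, i, fruits[i]) < 0) return -1;
    return z->used;
}
```

A failing blade aborts the whole record rather than leaving a partially filled zest, which is the behaviour a forensic consumer wants: either a complete record or none.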

Slide 15: Lemona > Build

    $> cd $(PATH_TO_KERNEL_SRC)
    $> wget http://lemona.googlecode.com/svn/trunk/patchs/patch-2.6.26.3
    $> patch -p1 < patch-2.6.26.3
    $> make menuconfig
    $> make && make modules_install && make install

Slide 16: Lemona > Load / Unload

    $> cd $(PATH_TO_MODULES)
    $> sudo insmod ./lemona.ko
    $> dmesg | tail -2
    -==Lemona==- Initialization for kernel tree 2.6.26.3...
    -==Lemona==- Done.
    $> sudo rmmod lemona
    $> dmesg | tail -2
    -==Lemona==- Uninitializing...
    -==Lemona==- Done.

Slide 17: Outline
Security and Forensics
  - Forensics
  - Computer Security
  - Computer Forensics
Related Work
Lemona
  - Project
  - Overview
  - Architecture
References

Slide 18: References
[home]  http://lemona.googlecode.com/
[blog]  http://lemona-project.blogspot.com/
[wiki]  http://lemona.googlecode.com/wiki/
[SCM]   http://lemona.googlecode.com/svn/
[group] http://groups.google.com/group/lemona/

