
The Guardian Kernel Module


Presentation Transcript


  1. The Guardian Kernel Module Sarah Diesburg, Louis Brooks June 5, 2006

  2. Introduction
    • St. Michael Linux Kernel Module
      • Overview
      • Functionality
      • Upgrade Issues
    • Our Kernel Module (The Guardian)
      • Functionalities we will implement
      • Screen shots of St. Michael in action

  3. St. Michael Kernel Module
    • Made for the 2.2 and 2.4 series of kernels.
    • Not maintained now.
    • Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
    • Could even reload the running kernel from a restore point if the kernel was compromised.

  4. St. Michael Functionalities
    • The functionalities of St. Michael include:
      • Monitoring pointers to system calls for any changes.
      • The ability to cloak itself from the running kernel and commands like lsmod.
      • Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.

  5. St. Michael Functionalities (cont.)
    • Extensive md5 summing of critical functionalities such as:
      • /sbin/init and /proc/ksyms
      • System calls
      • Loaded modules
      • Kernel text
      • St. Michael’s own functions

  6. St. Michael Functionalities (cont.)
    • Setting and enforcing the immutable flag on important files.
    • Ability to reboot the system after compromise.
    • Ability to reload the running kernel or system call mappings.
    • Limiting write access to device /dev/kmem.

  7. St. Michael Upgrade Issues
    • The sys_call_table symbol is not exported in the 2.6 kernels.
      • We have two choices to work around this.
    • System calls have changed since the 2.2 and 2.4 kernels.
    • Module initializations may have changed since the 2.2 and 2.4 kernels.

  8. St. Michael Upgrade Issues (cont.)
    • There is no /proc/ksyms in the 2.6 kernel.
      • /proc/kallsyms might be a suitable replacement.
    • We need to use newer spinlocks.
      • St. Michael used the “big kernel lock”.
    • The St. Michael code is too long and complicated to fully upgrade.
      • We will implement a subset of its functionality.
      • A rewrite of the module is in order.

  9. Our Kernel Module (The Guardian)
    • Our subset of functionalities will include:
      • Monitoring loading and unloading of modules
        • Wrappers around the load and unload system calls
      • Monitoring system call mappings
        • On system boot we will keep a local copy of the correct system call mapping and periodically check the kernel’s version against it with a kernel timer.

  10. Our Kernel Module (The Guardian)
    • Monitor integrity through md5 summing
      • Guardian (our module)
      • System calls
      • Modules
      • Kernel
    • Logging
      • Guardian activities
    • Ability to hide the guardian kernel module
    • No way to unload guardian without system reboot
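The snapshot-and-restore loop that slides 9 and 10 describe, as an added illustration that is not code from the Guardian or St. Michael projects: a userland C model in which a plain array of handler pointers stands in for sys_call_table, FNV-1a stands in for the md5 sum, and guardian_check() is called directly where the real module would fire it from a kernel timer. The names guardian_init, guardian_check and live_table are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's system call table: an array of handler pointers. */
typedef long (*syscall_fn)(long);
#define NR_SYSCALLS 4

static long sys_a(long x) { return x + 1; }
static long sys_b(long x) { return x * 2; }
static long sys_c(long x) { return -x; }
static long sys_d(long x) { return x; }

/* The live table that a rootkit would patch, and the trusted copy taken at load.
 * In the kernel the copy and its hash must themselves be protected (St. Michael
 * md5-summed its own functions for this reason); the model does not show that. */
syscall_fn live_table[NR_SYSCALLS] = { sys_a, sys_b, sys_c, sys_d };
static syscall_fn snapshot[NR_SYSCALLS];
static uint64_t snapshot_hash;

/* FNV-1a over a byte range; a cheap stand-in for the md5 sum the slides describe. */
static uint64_t fnv1a(const void *buf, size_t len) {
    const unsigned char *p = buf;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Module load: record the known-good mapping and its hash. */
void guardian_init(void) {
    memcpy(snapshot, live_table, sizeof snapshot);
    snapshot_hash = fnv1a(snapshot, sizeof snapshot);
}

/* Periodic check: compare the hash first (one pass, no per-entry work when the
 * table is intact), then locate and restore every entry that differs.
 * Returns the number of entries restored, which a real module would log. */
int guardian_check(void) {
    if (fnv1a(live_table, sizeof live_table) == snapshot_hash)
        return 0;                            /* mapping unchanged */
    int restored = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (live_table[i] != snapshot[i]) {
            live_table[i] = snapshot[i];     /* put the original pointer back */
            restored++;
        }
    }
    return restored;
}
```

A hash match alone proves nothing if the attacker can also rewrite the snapshot; that is why the slides list the Guardian module itself among the md5-summed objects.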

  11. St. Michael syslog excerpts
    • Testing attack against St. Michael itself…
      Jun 3 14:20:48 hades kernel: --=={Loading StMichael 0.11
      Jun 3 14:20:48 hades kernel: --=={StMichael 0.11 Successfully Loaded
      Jun 3 14:25:35 hades kernel: About to attack StMichael itself....
      Jun 3 14:25:35 hades kernel: StMichael May Halt the System or Do other Nasty Stuff...
      Jun 3 14:25:35 hades kernel: Replacing Code at d4863c00.
      Jun 3 14:25:35 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
      Jun 3 14:25:35 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
      Jun 3 14:36:16 hades syslogd 1.4.1#10: restart.

  12. St. Michael syslog excerpts (cont.)
    • Attempting to replace a system call…
      Jun 3 14:38:40 hades kernel: --=={Loading StMichael 0.11
      Jun 3 14:38:40 hades kernel: --=={StMichael 0.11 Successfully Loaded
      Jun 3 14:39:19 hades kernel: About to try replacing a systemcall...
      Jun 3 14:39:19 hades kernel: 0(STMICHAEL):Kernel Structures Modified. Attempting to Restore.

  13. St. Michael syslog excerpts (cont.)
    • Attempting to replace the kernel’s delete module function…
      Jun 3 14:41:45 hades kernel: About to Trash the Kernel's Delete Module..
      Jun 3 14:41:45 hades kernel: If StMichael isn't in here, prepare for a panic.
      Jun 3 14:41:45 hades kernel: Replacing Code at c012845c.
      Jun 3 14:41:45 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
      Jun 3 14:41:45 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
      Jun 3 14:57:16 hades syslogd 1.4.1#10: restart.
