Guardian Kernel Module

Sarah Diesburg &
Louis Brooks
Introduction

• Previous Work – St. Michael
• Design Philosophy
• What we monitor
  – System Call Mappings
  – System Call Integrity
  – Module Hiding (cloaking)
  – Modifications to running modules
St. Michael

• Made for the 2.2 and 2.4 series of kernels.
• Not maintained now.
• Main purpose was to protect itself, the
  kernel, and the system call table from
  unauthorized modification.
• Could even reload the running kernel from
  a restore point if kernel compromised.
St. Michael (cont.)

• The functionalities of St. Michael include:
  – Monitoring pointers to system calls for any
    changes.
  – The ability to cloak itself from the running
    kernel and commands like lsmod.
  – Monitoring the loading and unloading of
    modules to make sure other modules do not
    cloak themselves.
Kernel’s System Call Table

[Figure: the System Call Table, an array of pointers indexed by system call number: system call #0, system call #1, system call #2, system call #3, ... system call #n]
System Call Mappings

• Initialization
  – We make a copy of the system call table
• Timer
  – Twice every second, we compare the kernel’s
    system call table of pointers with our own.
  – If there are discrepancies, we replace the
    kernel’s system call table with our own.
System Call Integrity

• Initialization
  – We take and store md5 sums of kernel’s
    system calls.
• Timer
  – Twice every second we take new md5 sums of
    the kernel’s system calls and compare them
    with our own.
  – If there is a discrepancy, we point the kernel to
    a null system call until reboot.
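The two timer checks on the previous slides (System Call Mappings and System Call Integrity) are easiest to see side by side in code. The following is an added user-space model, not GKM's own source: the kernel's system call table, the system call bodies and the timer are all constructed stand-ins (sys_open_model, sys_chdir_model, sys_close_model, code_image, model_setup), and FNV-1a stands in for the MD5 sums GKM stores. It shows one detail the slides leave implicit: once a compromised entry has been pointed at the null system call, GKM's private copy of the table must be updated too, or the next mapping check would "restore" the compromised entry.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NR_SYSCALLS 3
#define CODE_LEN 16

typedef long (*syscall_fn)(long);

/* Constructed stand-ins for kernel system call bodies (not real kernel code). */
static long sys_open_model(long a)  { return a + 1; }
static long sys_chdir_model(long a) { return a * 2; }
static long sys_close_model(long a) { return a - 1; }
/* The null system call GKM installs when a body has been tampered with. */
static long sys_null_model(long a)  { (void)a; return -1; }

/* Constructed byte images standing in for the instruction bytes of each
 * system call; the real module hashes the live kernel text instead. */
static unsigned char code_image[NR_SYSCALLS][CODE_LEN];

/* The kernel's live table of system call pointers (modelled). */
static syscall_fn sys_call_table[NR_SYSCALLS];

/* GKM's private state, captured once at initialization. */
static syscall_fn gkm_table_copy[NR_SYSCALLS];
static uint64_t   gkm_code_hash[NR_SYSCALLS];
static int        gkm_nulled[NR_SYSCALLS];

/* FNV-1a 64-bit, used here as a stand-in for the MD5 sums GKM stores. */
static uint64_t hash_bytes(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Populate the modelled kernel state with constructed values. */
void model_setup(void) {
    sys_call_table[0] = sys_open_model;
    sys_call_table[1] = sys_chdir_model;
    sys_call_table[2] = sys_close_model;
    for (int i = 0; i < NR_SYSCALLS; i++)
        for (int j = 0; j < CODE_LEN; j++)
            code_image[i][j] = (unsigned char)(i * 31 + j);
    memset(gkm_nulled, 0, sizeof gkm_nulled);
}

/* Initialization: copy the table and hash every system call body. */
void gkm_init(void) {
    memcpy(gkm_table_copy, sys_call_table, sizeof gkm_table_copy);
    for (int i = 0; i < NR_SYSCALLS; i++)
        gkm_code_hash[i] = hash_bytes(code_image[i], CODE_LEN);
}

/* Timer body (GKM runs it twice a second).  Returns a bitmask:
 * bit 0 = a mapping was restored, bit 1 = a body was replaced by the null call. */
int gkm_timer_check(void) {
    int events = 0;
    /* System Call Mappings: restore the whole table on any discrepancy. */
    if (memcmp(sys_call_table, gkm_table_copy, sizeof gkm_table_copy) != 0) {
        memcpy(sys_call_table, gkm_table_copy, sizeof gkm_table_copy);
        events |= 1;
    }
    /* System Call Integrity: a changed body is pointed at the null call. */
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (gkm_nulled[i]) continue;             /* already disabled until reboot */
        if (gkm_code_hash[i] != hash_bytes(code_image[i], CODE_LEN)) {
            sys_call_table[i] = sys_null_model;
            /* Update our copy too, or the next tick's mapping check would
             * put the compromised entry back. */
            gkm_table_copy[i] = sys_null_model;
            gkm_nulled[i] = 1;
            events |= 2;
        }
    }
    return events;
}

int main(void) {
    model_setup();
    gkm_init();
    sys_call_table[1] = sys_open_model;   /* constructed: a swapped table entry */
    printf("tick 1 events = %d\n", gkm_timer_check());
    code_image[2][0] ^= 0xff;             /* constructed: a modified body */
    printf("tick 2 events = %d\n", gkm_timer_check());
    return 0;
}
```

The mapping check is cheap (one memcmp per tick) while the integrity check hashes every system call body twice a second, which is why GKM can afford to restore mappings silently but only disables a rewritten body rather than trying to repair it.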
How modules are loaded into the 2.6 Kernel

• insmod calls module_init
  – passes information regarding module to load
• module_init
  – calls module_load
    • uses copy_from_user to pull module into kernel
      space
    • creates the new module and returns a pointer to
      module for use by module_init
Kernel Module List

[Figure: the kernel module list, a circular doubly-linked chain of list_head entries, one embedded in each Module]

Module Monitoring

• Done in three phases
  – Module List Created at GKM init
  – Module init/delete
    • Wrapper functions for module_init & module_delete
    • Changes to module loading from 2.4 to 2.6
      – removed syscalls module_create and module_query
      – no pointer to new module available
    • Access kernel module list through pointer to
      THIS_MODULE when GKM is initialized
  – Timer
    • Check kernel module list and MD5 sums against GKM’s
      internal list created at init
Module Monitoring (cont.)

• gkm_syscall_init_module
  – Calls Kernel’s original module_init syscall
     • returns 0 on success
  – Calls gkm_add_mod_list
     • checks for cloaked modules
     • creates md5 sums
     • adds module to GKM module list
Module Monitoring (cont.)

• gkm_syscall_delete_module
  – Checks if GKM is the module to be unloaded
    • returns -EBUSY if true
  – Calls Kernel’s original module_delete syscall
    • returns 0 on success
  – Calls gkm_delete_mod_list
    • deletes module from list
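The three module-monitoring phases (the list created at GKM init, the gkm_syscall_init_module / gkm_syscall_delete_module wrappers, and the timer) are shown together below as an added user-space model; it is not GKM's code. The kernel module list, the original init_module / delete_module behaviour, the module descriptors and the hides_itself flag are all constructed stand-ins, and the MD5 comparison of the timer phase is left out so the block only exercises the list checks. A module that unlinks its own list entry during init is the cloaking case: it finished loading, yet is no longer reachable from THIS_MODULE, and that is what the wrapper reports.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Minimal circular doubly-linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

#define MAX_MODULES 8
#define NAME_LEN 32
/* Constructed module descriptor with its list entry embedded, as in the kernel. */
struct module { char name[NAME_LEN]; struct list_head list; };
#define to_module(p) ((struct module *)((char *)(p) - offsetof(struct module, list)))

static struct module module_pool[MAX_MODULES];
static int module_count;
static struct list_head modules;        /* the kernel's module list (modelled) */
static struct module *gkm_this_module;  /* what THIS_MODULE is inside GKM */
/* GKM's internal list of names, created at init and maintained by the wrappers. */
static char gkm_known[MAX_MODULES][NAME_LEN];
static int gkm_known_count;

static struct module *find_in_kernel_list(const char *name) {
    for (struct list_head *p = modules.next; p != &modules; p = p->next)
        if (strcmp(to_module(p)->name, name) == 0) return to_module(p);
    return NULL;
}
static void gkm_remember(const char *name) {
    if (gkm_known_count < MAX_MODULES)
        strncpy(gkm_known[gkm_known_count++], name, NAME_LEN - 1);
}

/* Modelled original init_module: link the module in, then run its init.
 * hides_itself models an init routine that unlinks its own list entry. */
static int orig_init_module(const char *name, int hides_itself, struct module **out) {
    if (module_count >= MAX_MODULES) return -ENOMEM;
    struct module *m = &module_pool[module_count++];
    strncpy(m->name, name, NAME_LEN - 1); m->name[NAME_LEN - 1] = '\0';
    list_add(&m->list, &modules);
    if (hides_itself) list_del(&m->list);  /* the module's own init cloaks it */
    if (out) *out = m;
    return 0;
}
/* Modelled original delete_module. */
static int orig_delete_module(const char *name) {
    struct module *m = find_in_kernel_list(name);
    if (!m) return -ENOENT;
    list_del(&m->list);
    return 0;
}

/* Phase 1: GKM loads and records every module reachable from THIS_MODULE. */
int gkm_init(void) {
    list_init(&modules); module_count = 0; gkm_known_count = 0;
    int rc = orig_init_module("gkm", 0, &gkm_this_module);
    if (rc) return rc;
    gkm_remember(gkm_this_module->name);
    for (struct list_head *p = gkm_this_module->list.next; p != &gkm_this_module->list; p = p->next)
        if (p != &modules) gkm_remember(to_module(p)->name);
    return 0;
}

/* Phase 2: wrappers.  Returns 0 on a clean load, 1 if the module cloaked itself, <0 on error. */
int gkm_syscall_init_module(const char *name, int hides_itself) {
    int rc = orig_init_module(name, hides_itself, NULL);
    if (rc) return rc;
    /* gkm_add_mod_list: a module that finished loading but is absent from the
     * kernel list has cloaked itself; it is recorded either way. */
    int cloaked = (find_in_kernel_list(name) == NULL);
    gkm_remember(name);
    return cloaked;
}
/* Refuses to unload GKM itself; otherwise unloads and drops the name from GKM's list. */
int gkm_syscall_delete_module(const char *name) {
    if (gkm_this_module && strcmp(name, gkm_this_module->name) == 0) return -EBUSY;
    int rc = orig_delete_module(name);
    if (rc) return rc;
    for (int i = 0; i < gkm_known_count; i++)      /* gkm_delete_mod_list */
        if (strcmp(gkm_known[i], name) == 0) {
            memmove(gkm_known[i], gkm_known[i + 1], (size_t)(gkm_known_count - i - 1) * NAME_LEN);
            gkm_known_count--;
            break;
        }
    return 0;
}

/* Phase 3: timer body; counts recorded modules now missing from the kernel list. */
int gkm_timer_check(void) {
    int missing = 0;
    for (int i = 0; i < gkm_known_count; i++)
        if (!find_in_kernel_list(gkm_known[i])) missing++;
    return missing;
}
```

Because 2.6 no longer hands the wrapper a pointer to the new module, the wrapper has to locate it by name in the list reachable from THIS_MODULE after the original syscall returns; a module that is not there at that point is the "Cloaked module inserted into system!" case in the test log later in the deck.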
Starting GKM

• Jun 15 15:37:18 localhost kernel: GKM: Initializing
  Guardian Kernel Module

• Jun 15 15:37:18 localhost kernel: GKM: Guardian Kernel
  Module Loaded
System Call Replacement Test
• Jun 15 15:38:19 localhost kernel: GKM: module
  system_call_replacement detected and loaded.

• Jun 15 15:38:19 localhost kernel: GKM: Found
  inconsistency in system call table!

• Jun 15 15:38:19 localhost kernel: GKM: System call
  mapping restored.
System Call Overwrite Test
• Jun 15 15:49:42 localhost kernel: About to overwrite chdir
  at address c0159050
• Jun 15 15:49:42 localhost kernel: GKM: module
  system_call_overwrite detected and loaded.
• Jun 15 15:49:42 localhost kernel: GKM: System call
  number 12 has been compromised!
• Jun 15 15:49:42 localhost kernel: GKM: Please look in
  unistd.h for the corresponding system call.
• Jun 15 15:49:42 localhost kernel: GKM: System call
  number 12 has been replaced with a null system call.
• Jun 15 15:49:42 localhost kernel: GKM: Please take
  appropriate action and reboot soon.
Module Cloaking Test

• Jun 15 16:03:12 localhost kernel: I'm still here...

• Jun 15 16:03:12 localhost kernel: GKM: Cloaked module
  inserted into system!

• Jun 15 16:03:12 localhost kernel: GKM: Please take
  appropriate action and reboot soon.
Module Overwrite Test

• Jun 15 16:03:33 localhost kernel: GKM: module
  module_overwrite detected and loaded.

• Jun 15 16:03:33 localhost kernel: GKM: Bad exit
  checksum for hello

• Jun 15 16:03:33 localhost kernel: GKM: Please take
  appropriate action and reboot soon.
Conclusion

• What’s next?
  – Sourceforge or Freshmeat
• Questions?