Guardian Kernel Module - PowerPoint PPT Presentation

About This Presentation
Title:

Guardian Kernel Module

Description:

Sarah Diesburg & Louis Brooks Introduction Previous Work St. Michael Design Philosophy What we monitor System Call Mappings System Call Integrity Module Hiding ... – PowerPoint PPT presentation

Number of Views:53
Avg rating:3.0/5.0
Slides: 19
Provided by: SAIT152
Category:

less

Transcript and Presenter's Notes

Title: Guardian Kernel Module


1
Guardian Kernel Module
  • Sarah Diesburg
  • Louis Brooks

2
Introduction
  • Previous Work St. Michael
  • Design Philosophy
  • What we monitor
  • System Call Mappings
  • System Call Integrity
  • Module Hiding (cloaking)
  • Modifications to running modules

3
St. Michael
  • Made for the 2.2 and 2.4 series of kernels.
  • Not maintained now.
  • Main purpose was to protect itself, the kernel,
    and the system call table from unauthorized
    modification.
  • Could even reload the running kernel from a
    restore point if kernel compromised.

4
St. Michael (cont.)
  • The functionalities of St. Michael include
  • Monitoring pointers to system calls for any
    changes.
  • The ability to cloak itself from the running
    kernel and commands like lsmod.
  • Monitoring the loading and unloading of modules
    to make sure other modules do not cloak
    themselves.

5
Kernels System Call Table
System Call Table
system call 0
system call 1
system call 2
system call 3
system call n
6
System Call Mappings
  • Initialization
  • We make a copy of the system call table
  • Timer
  • Twice every second, we compare the kernels
    system call table of pointers with our own.
  • If there are discrepancies, we replace the
    kernels system call table with our own.

7
System Call Integrity
  • Initialization
  • We take and store md5 sums of kernels system
    calls.
  • Timer
  • Twice every second we take new md5 sums of the
    kernels system calls and compare them with our
    own.
  • If there is a discrepancy, we point the kernel to
    a null system call until reboot.

8
How modules are loaded into the 2.6 Kernel
  • insmod calls module_init
  • passes information regarding module to load
  • module_init
  • calls module_load
  • uses copy_from_user to pull module into kernel
    space
  • creates the new module and returns a pointer to
    module for use by module_init

9
Kernel Module List
list_head
list_head
list_head
Module
Module
list_head
list_head
Module
Module
10
Module Monitoring
  • Done in three phases
  • Module List Created at GKM init
  • Module init/delete
  • Wrapper functions for module_init module_delete
  • Changes to module loading from 2.4 to 2.6
  • removed syscalls module_create and module_query
  • no pointer to new module available
  • Access kernel module list through pointer to
    THIS_MODULE when GKM is initialized
  • Timer
  • Check kernel module list and MD5 sums against
    GKMs internal list created at init

11
Module Monitoring (cont.)
  • gkm_syscall_init_module
  • Calls Kernels original module_init syscall
  • returns 0 on success
  • Calls gkm_add_mod_list
  • checks for cloaked modules
  • creates md5 sums
  • adds module to GKM module list

12
Module Monitoring (cont.)
  • gkm_syscall_delete_module
  • Checks if GKM is module to be unloaded
  • returns EBUSY if true
  • Calls Kernels original module_delete syscall
  • returns 0 on success
  • Calls gkm_delete_mod_list
  • delete module form list

13
Starting GKM
  • Jun 15 153718 localhost kernel GKM
    Initializing Guardian Kernel Module
  • Jun 15 153718 localhost kernel GKM Guardian
    Kernel Module Loaded

14
System Call Replacement Test
  • Jun 15 153819 localhost kernel GKM module
    system_call_replacement detected and loaded.
  • Jun 15 153819 localhost kernel GKM Found
    inconsistency in system call table!
  • Jun 15 153819 localhost kernel GKM System
    call mapping restored.

15
System Call Overwrite Test
  • Jun 15 154942 localhost kernel About to
    overwrite chdir at address c0159050
  • Jun 15 154942 localhost kernel GKM module
    system_call_overwrite detected and loaded.
  • Jun 15 154942 localhost kernel GKM System
    call number 12 has been compromised!
  • Jun 15 154942 localhost kernel GKM Please
    look in unistd.h for the corresponding system
    call.
  • Jun 15 154942 localhost kernel GKM System
    call number 12 has been replaced with a null
    system call.
  • Jun 15 154942 localhost kernel GKM Please
    take appropriate action and reboot soon.

16
Module Cloaking Test
  • Jun 15 160312 localhost kernel I'm still
    here...
  • Jun 15 160312 localhost kernel GKM Cloaked
    module inserted into system!
  • Jun 15 160312 localhost kernel GKM Please
    take appropriate action and reboot soon.

17
Module Overwrite Test
  • Jun 15 160333 localhost kernel GKM module
    module_overwrite detected and loaded.
  • Jun 15 160333 localhost kernel GKM Bad exit
    checksum for hello
  • Jun 15 160333 localhost kernel GKM Please
    take appropriate action and reboot soon.

18
Conclusion
  • Whats next?
  • Sourceforge or Freshmeat
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Guardian Kernel Module" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!