The Guardian Kernel Module
Sarah Diesburg, Louis Brooks
June 5, 2006
Introduction
• St. Michael Linux Kernel Module
  – Overview
  – Functionality
  – Upgrade Issues
• Our Kernel Module (The Guardian)
  – Functionalities we will implement
• Screen shots of St. Michael in action
St. Michael Kernel Module
• Made for the 2.2 and 2.4 series of kernels.
• Not maintained now.
• Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
• Could even reload the running kernel from a restore point if the kernel was compromised.
St. Michael Functionalities
• The functionalities of St. Michael include:
  – Monitoring pointers to system calls for any changes.
  – The ability to cloak itself from the running kernel and from commands like lsmod.
  – Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.
St. Michael Functionalities (cont.)
• Extensive md5 summing of critical components such as:
  – /sbin/init and /proc/ksyms
  – System calls
  – Loaded modules
  – Kernel text
  – St. Michael's own functions
St. Michael Functionalities (cont.)
• Setting and enforcing the immutable flag on important files.
• Ability to reboot the system after compromise.
• Ability to reload the running kernel or system call mappings.
• Limiting write access to the device /dev/kmem.
St. Michael Upgrade Issues
• The sys_call_table symbol is not exported in the 2.6 kernels.
  – We have two choices to work around this.
• System calls have changed since the 2.2 and 2.4 kernels.
• Module initializations may have changed since the 2.2 and 2.4 kernels.
St. Michael Upgrade Issues (cont.)
• There is no /proc/ksyms in the 2.6 kernel.
  – /proc/kallsyms might be a suitable replacement.
• We need to use newer spinlocks.
  – St. Michael used the "big kernel lock".
• St. Michael's code is too long and complicated to fully upgrade.
  – We will implement a subset of its functionality.
  – A rewrite of the module is in order.
Our Kernel Module (The Guardian)
• Our subset of functionalities will include:
  – Monitoring loading and unloading of modules
    • Wrappers around the load and unload system calls
  – Monitoring system call mappings
    • On system boot we will keep a local copy of the correct system call mapping and periodically check the kernel's version against it with a kernel timer.
Our Kernel Module (The Guardian) (cont.)
  – Monitoring integrity through md5 summing of:
    • Guardian (our module)
    • System calls
    • Modules
    • Kernel
  – Logging
    • Guardian activities
  – Ability to hide the Guardian kernel module
  – No way to unload the Guardian without a system reboot
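As an added example (not the Guardian's own code, which these slides do not show), here is a user-space C model of the two checks described on the last two slides: the correct system call mapping is captured once at "boot", and each "timer tick" compares the live mapping and an integrity hash against that baseline, restoring the mapping if it changed. A plain array of function pointers stands in for sys_call_table, a byte buffer for kernel text, FNV-1a for md5, and an explicit function call for the kernel timer; all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef long (*syscall_fn)(void);   /* stands in for a sys_call_table entry */
#define NR_SYSCALLS 4
static syscall_fn live_table[NR_SYSCALLS];     /* the "running" mapping  */
static syscall_fn baseline_table[NR_SYSCALLS]; /* trusted copy from boot */
static uint64_t baseline_text_hash;            /* trusted hash of text   */
/* FNV-1a 64-bit, standing in for the md5 sums St. Michael computed. */
static uint64_t hash_bytes(const void *data, size_t len)
{
    const unsigned char *p = data; uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* At load time: record the mapping and text hash believed to be correct. */
void guardian_snapshot(const void *text, size_t len)
{
    memcpy(baseline_table, live_table, sizeof live_table);
    baseline_text_hash = hash_bytes(text, len);
}
/* Timer callback body: -1 = clean, i >= 0 = first changed syscall slot,
 * -2 = table intact but the text hash differs. */
int guardian_check(const void *text, size_t len)
{
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (live_table[i] != baseline_table[i]) return i;
    return hash_bytes(text, len) == baseline_text_hash ? -1 : -2;
}
/* Put the trusted mapping back, as St. Michael did on detection. */
void guardian_restore(void) { memcpy(live_table, baseline_table, sizeof live_table); }
/* Constructed handlers so the table holds distinct, real pointers. */
static long h0(void) { return 0; }  static long h1(void) { return 1; }
static long h2(void) { return 2; }  static long h3(void) { return 3; }
static long replaced(void) { return -1; } /* simulates an unauthorized entry */
/* Scenario: clean, slot 2 replaced, restored, text altered. Fills r[] with
 * the four check codes; returns 1 if they are -1, 2, -1, -2 in that order. */
int run_scenario(int r[4])
{
    unsigned char text[] = "constructed stand-in for kernel text";
    syscall_fn init[NR_SYSCALLS] = { h0, h1, h2, h3 };
    memcpy(live_table, init, sizeof live_table);
    guardian_snapshot(text, sizeof text);
    r[0] = guardian_check(text, sizeof text);
    live_table[2] = replaced;  r[1] = guardian_check(text, sizeof text);
    guardian_restore();        r[2] = guardian_check(text, sizeof text);
    text[0] ^= 1;              r[3] = guardian_check(text, sizeof text);
    return r[0] == -1 && r[1] == 2 && r[2] == -1 && r[3] == -2;
}
int main(void) { int r[4]; puts(run_scenario(r) ? "all detections correct" : "mismatch"); return 0; }
```

In a real module the baseline must itself be protected (the slides' md5 sum over the Guardian's own code), since a baseline that an attacker can rewrite detects nothing.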
St. Michael syslog excerpts
• Testing attack against St. Michael itself…
Jun 3 14:20:48 hades kernel: --=={Loading St. Michael 0.11
Jun 3 14:20:48 hades kernel: --=={St. Michael 0.11 Successfully Loaded
Jun 3 14:25:35 hades kernel: About to attack St. Michael itself..
Jun 3 14:25:35 hades kernel: St. Michael May Halt the System or Do other Nasty Stuff...
Jun 3 14:25:35 hades kernel: Replacing Code at d4863c00.
Jun 3 14:25:35 hades kernel: 0(STMICHAEL): Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
Jun 3 14:25:35 hades kernel: 0(STMICHAEL): The Kernel has been Reloaded.
Jun 3 14:36:16 hades syslogd 1.4.1#10: restart.
St. Michael syslog excerpts (cont.)
• Attempting to replace a system call…
Jun 3 14:38:40 hades kernel: --=={Loading St. Michael 0.11
Jun 3 14:38:40 hades kernel: --=={St. Michael 0.11 Successfully Loaded
Jun 3 14:39:19 hades kernel: About to try replacing a systemcall...
Jun 3 14:39:19 hades kernel: 0(STMICHAEL): Kernel Structures Modified. Attempting to Restore.
St. Michael syslog excerpts (cont.)
• Attempting to replace the kernel's delete module function…
Jun 3 14:41:45 hades kernel: About to Trash the Kernel's Delete Module..
Jun 3 14:41:45 hades kernel: If St. Michael isn't in here, prepare for a panic.
Jun 3 14:41:45 hades kernel: Replacing Code at c012845c.
Jun 3 14:41:45 hades kernel: 0(STMICHAEL): Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
Jun 3 14:41:45 hades kernel: 0(STMICHAEL): The Kernel has been Reloaded.
Jun 3 14:57:16 hades syslogd 1.4.1#10: restart.