The Guardian Kernel Module - PowerPoint PPT Presentation

About This Presentation

Title: The Guardian Kernel Module

Description: The sys_call_table symbol is not exported in the 2.6 kernels. ... Jun 3 14:25:35 hades kernel: StMichael May Halt the System or Do other Nasty Stuff... – PowerPoint PPT presentation

Slides: 14
Provided by: Sd156
Learn more at: http://www.cs.fsu.edu

Transcript and Presenter's Notes


1
The Guardian Kernel Module
  • Sarah Diesburg, Louis Brooks
  • June 5, 2006

2
Introduction
  • St. Michael Linux Kernel Module
  • Overview
  • Functionality
  • Upgrade Issues
  • Our Kernel Module (The Guardian)
  • Functionalities we will implement
  • Screen shots of St. Michael in action

3
St. Michael Kernel Module
  • Made for the 2.2 and 2.4 series of kernels.
  • No longer maintained.
  • Its main purpose was to protect itself, the kernel,
    and the system call table from unauthorized
    modification.
  • It could even reload the running kernel from a
    restore point if the kernel was compromised.

4
St. Michael Functionalities
  • The functionalities of St. Michael include:
      • Monitoring pointers to system calls for any
        changes.
      • The ability to cloak itself from the running
        kernel and from commands like lsmod.
      • Monitoring the loading and unloading of modules
        to make sure other modules do not cloak
        themselves.

5
St. Michael Functionalities (cont.)
  • Extensive md5 summing of critical components
    such as:
      • /sbin/init and /proc/ksyms
      • System calls
      • Loaded modules
      • Kernel text
      • St. Michael's own functions

6
St. Michael Functionalities (cont.)
  • Setting and enforcing the immutable flag on
    important files.
  • Ability to reboot the system after compromise.
  • Ability to reload the running kernel or system
    call mappings.
  • Limiting write access to device /dev/kmem.

7
St. Michael Upgrade Issues
  • The sys_call_table symbol is not exported in the
    2.6 kernels.
  • We have two choices to work around this.
  • System calls have changed since the 2.2 and 2.4
    kernels.
  • Module initialization may have changed since the
    2.2 and 2.4 kernels.

8
St. Michael Upgrade Issues (cont.)
  • There is no /proc/ksyms in the 2.6 kernel.
  • /proc/kallsyms might be a suitable replacement.
  • We need to use newer spinlocks.
  • St. Michael used the big kernel lock.
  • The St. Michael code is too long and complicated to
    fully upgrade.
  • We will implement a subset of its functionality.
  • A rewrite of the module is in order.

9
Our Kernel Module (The Guardian)
  • Our subset of functionalities will include:
      • Monitoring loading and unloading of modules
          • Wrappers around the load and unload system calls
      • Monitoring system call mappings
          • On system boot we will keep a local copy of
            the correct system call mapping and periodically
            check the kernel's version against it with a
            kernel timer.

10
Our Kernel Module (The Guardian)
  • Monitor integrity through md5 summing of:
      • Guardian (our module)
      • System calls
      • Modules
      • Kernel
  • Logging of:
      • Guardian activities
  • Ability to hide the Guardian kernel module
  • No way to unload the Guardian without a system reboot
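The periodic check described on slides 9 and 10 (snapshot the system call mapping at load, compare it from a timer, restore on mismatch), written out as a user-space model. This is an added example, not code from the Guardian or St. Michael; the four-entry table, the stub functions and the names are constructed stand-ins for the kernel's sys_call_table, and FNV-1a stands in for the md5 sum the slides use.

```c
/* Added example: a user-space model of the Guardian's system call table
 * check from slides 9 and 10, not code from the Guardian or St. Michael.
 * The four-entry table, stub functions and names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NR_CALLS 4
typedef long (*syscall_fn)(long);
/* Stand-ins for the kernel's entry points. */
static long stub_read(long a)  { return a + 1; }
static long stub_write(long a) { return a + 2; }
static long stub_open(long a)  { return a + 3; }
static long stub_close(long a) { return a + 4; }
/* Constructed stand-in for the live sys_call_table. */
syscall_fn sys_call_table[NR_CALLS] = { stub_read, stub_write, stub_open, stub_close };
static syscall_fn saved_table[NR_CALLS];   /* trusted copy taken at load */
static uint64_t   saved_digest;            /* digest of that copy */
/* FNV-1a stands in for the md5 the slides use; both only need to detect change. */
static uint64_t digest(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Called once at module load: record the correct mapping. */
void guardian_snapshot(void) {
    memcpy(saved_table, sys_call_table, sizeof saved_table);
    saved_digest = digest(saved_table, sizeof saved_table);
}
/* Timer callback: cheap digest compare first, then per-entry log and restore.
 * Returns the number of entries that had to be restored. */
int guardian_check(void) {
    if (digest(sys_call_table, sizeof sys_call_table) == saved_digest)
        return 0;
    int restored = 0;
    for (int i = 0; i < NR_CALLS; i++) {
        if (sys_call_table[i] == saved_table[i]) continue;
        fprintf(stderr, "<0>(GUARDIAN) syscall %d modified, restoring\n", i);
        sys_call_table[i] = saved_table[i];
        restored++;
    }
    return restored;
}
int main(void) {   /* stand-alone demo: divert entry 1, then run the check */
    guardian_snapshot();
    sys_call_table[1] = sys_call_table[3];
    printf("restored %d entries\n", guardian_check());
    return 0;
}
```

The digest comparison is the cheap path a timer can afford to run often; the per-entry walk only runs once a change has been detected, which is also where the log line and the restore happen.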

11
St. Michael syslog excerpts
  • Testing an attack against St. Michael itself
  • Jun 3 14:20:48 hades kernel: --Loading StMichael 0.11
  • Jun 3 14:20:48 hades kernel: --StMichael 0.11 Successfully Loaded
  • Jun 3 14:25:35 hades kernel: About to attack StMichael itself....
  • Jun 3 14:25:35 hades kernel: StMichael May Halt the System or Do other Nasty Stuff...
  • Jun 3 14:25:35 hades kernel: Replacing Code at d4863c00.
  • Jun 3 14:25:35 hades kernel: <0>(STMICHAEL) Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
  • Jun 3 14:25:35 hades kernel: <0>(STMICHAEL) The Kernel has been Reloaded.
  • Jun 3 14:36:16 hades syslogd 1.4.110 restart.

12
St. Michael syslog excerpts (cont.)
  • Attempting to replace a system call
  • Jun 3 14:38:40 hades kernel: --Loading StMichael 0.11
  • Jun 3 14:38:40 hades kernel: --StMichael 0.11 Successfully Loaded
  • Jun 3 14:39:19 hades kernel: About to try replacing a systemcall...
  • Jun 3 14:39:19 hades kernel: <0>(STMICHAEL) Kernel Structures Modified. Attempting to Restore.

13
St. Michael syslog excerpts (cont.)
  • Attempting to replace the kernel's delete module
    function
  • Jun 3 14:41:45 hades kernel: About to Trash the Kernel's Delete Module..
  • Jun 3 14:41:45 hades kernel: If StMichael isn't in here, prepare for a panic.
  • Jun 3 14:41:45 hades kernel: Replacing Code at c012845c.
  • Jun 3 14:41:45 hades kernel: <0>(STMICHAEL) Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
  • Jun 3 14:41:45 hades kernel: <0>(STMICHAEL) The Kernel has been Reloaded.
  • Jun 3 14:57:16 hades syslogd 1.4.110 restart.