Guardian Kernel Module Sarah Diesburg & Louis Brooks

Post on 18-Dec-2015


Page 1

Guardian Kernel Module

Sarah Diesburg & Louis Brooks

Page 2

Introduction

• Previous Work – St. Michael

• Design Philosophy

• What we monitor
  – System Call Mappings
  – System Call Integrity
  – Module Hiding (cloaking)
  – Modifications to running modules

Page 3

St. Michael

• Made for the 2.2 and 2.4 series of kernels.

• Not maintained now.

• Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.

• Could even reload the running kernel from a restore point if the kernel was compromised.

Page 4

St. Michael (cont.)

• The functionalities of St. Michael include:
  – Monitoring pointers to system calls for any changes.
  – The ability to cloak itself from the running kernel and commands like lsmod.
  – Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.

Page 5

Kernel’s System Call Table

[Figure: the System Call Table, drawn as a column of entries labelled system call #0, #1, #2, #3 … #n]

Page 6

System Call Mappings

• Initialization
  – We make a copy of the system call table.

• Timer
  – Twice every second, we compare the kernel’s system call table of pointers with our own.
  – If there are discrepancies, we replace the kernel’s system call table with our own.

Page 7

System Call Integrity

• Initialization
  – We take and store md5 sums of the kernel’s system calls.

• Timer
  – Twice every second we take new md5 sums of the kernel’s system calls and compare them with our own.
  – If there is a discrepancy, we point the kernel to a null system call until reboot.
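The mapping and integrity checks from the two slides above, as an added user-space model that is not GKM's own code: handler code is modelled as byte buffers and FNV-1a stands in for MD5, both assumptions of this example.

```c
/* Added example, not GKM's own code: a user-space model of the System Call
 * Mappings and System Call Integrity checks. Handlers are ordinary functions;
 * each handler's code is modelled as a byte buffer so the integrity check can
 * run here, and FNV-1a stands in for the md5 sums the slides describe. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NR_SYSCALLS 4
typedef long (*syscall_fn)(long);
static long sys_null(long a) { (void)a; return -1; } /* where a compromised call is pointed */
static long sys_a(long a) { return a + 1; }
static long sys_b(long a) { return a * 2; }
static long sys_c(long a) { return -a; }
static long sys_d(long a) { return a; }

/* The kernel's table, GKM's private copy, the modelled handler code and its sums. */
static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_a, sys_b, sys_c, sys_d };
static syscall_fn saved_table[NR_SYSCALLS];
static unsigned char code[NR_SYSCALLS][16];
static uint32_t saved_sum[NR_SYSCALLS];
static uint32_t checksum(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Initialization: snapshot the pointer table and sum each handler's code. */
void gkm_init(void) {
    memcpy(saved_table, sys_call_table, sizeof saved_table);
    for (int i = 0; i < NR_SYSCALLS; i++)
        saved_sum[i] = checksum(code[i], sizeof code[i]);
}
/* Timer, twice a second: restore any entry that no longer matches the copy.
 * Returns how many entries were restored ("System call mapping restored."). */
int gkm_check_mappings(void) {
    int restored = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != saved_table[i]) { sys_call_table[i] = saved_table[i]; restored++; }
    return restored;
}
/* Timer: re-sum each handler; a changed one is pointed at the null call. The
 * saved copy is updated too, so the mapping check does not undo this before reboot. */
int gkm_check_integrity(void) {
    int bad = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (checksum(code[i], sizeof code[i]) != saved_sum[i]) {
            sys_call_table[i] = saved_table[i] = sys_null; bad++;
        }
    return bad;
}
```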

Page 8

How modules are loaded into the 2.6 Kernel

• insmod calls module_init
  – passes information regarding the module to load

• module_init
  – calls module_load
    • uses copy_from_user to pull the module into kernel space
    • creates the new module and returns a pointer to the module for use by module_init

Page 9

Kernel Module List

[Figure: the kernel module list, a chain of list_head entries linking the Module structures]

Page 10

Module Monitoring

• Done in three phases
  – Module list created at GKM init
  – Module init/delete
    • Wrapper functions for module_init & module_delete
    • Changes to module loading from 2.4 to 2.6
      – removed syscalls module_create and module_query
      – no pointer to new module available
    • Access kernel module list through pointer to THIS_MODULE when GKM is initialized
  – Timer
    • Check kernel module list and MD5 sums against GKM’s internal list created at init

Page 11

Module Monitoring (cont.)

• gkm_syscall_init_module
  – Calls the kernel’s original module_init syscall
    • returns 0 on success
  – Calls gkm_add_mod_list
    • checks for cloaked modules
    • creates md5 sums
    • adds module to GKM module list

Page 12

Module Monitoring (cont.)

• gkm_syscall_delete_module
  – Checks if GKM is the module to be unloaded
    • returns –EBUSY if true
  – Calls the kernel’s original module_delete syscall
    • returns 0 on success
  – Calls gkm_delete_mod_list
    • deletes module from list
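The two wrappers from the last three slides, as an added user-space model that is not GKM's own code; the list layout, the name "gkm" for the guardian itself, the -ENOENT result and the self-unlinking behaviour of the simulated loader are assumptions of the example.

```c
/* Added example, not GKM's own code: a user-space model of the
 * gkm_syscall_init_module / gkm_syscall_delete_module wrappers. The kernel
 * module list is the intrusive doubly linked list of the Kernel Module List
 * slide; GKM keeps a shadow list of the module names it saw being loaded. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
struct list_head { struct list_head *next, *prev; };
struct module { struct list_head list; char name[16]; int cloaks; };
static struct list_head modules = { &modules, &modules };  /* kernel's list head */
static char gkm_list[8][16]; static int gkm_count;         /* GKM's shadow list */
static void list_del(struct list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }

/* Modelled original init_module: links the module at the tail. A module that
 * cloaks unlinks itself again, so lsmod (which walks this list) will not show it. */
static int orig_init_module(struct module *m) {
    m->list.next = &modules; m->list.prev = modules.prev;
    modules.prev->next = &m->list; modules.prev = &m->list;
    if (m->cloaks) list_del(&m->list);
    return 0;
}
/* Walk the kernel list, as GKM does starting from THIS_MODULE, for a name. */
static struct module *find_module(const char *name) {
    for (struct list_head *p = modules.next; p != &modules; p = p->next)
        if (strcmp(((struct module *)p)->name, name) == 0) return (struct module *)p;
    return NULL;
}
/* Wrapper: 0 = loaded and recorded, 1 = loaded but missing from the kernel
 * list, i.e. it cloaked itself ("Cloaked module inserted into system!"). */
int gkm_syscall_init_module(struct module *m) {
    if (orig_init_module(m) != 0) return -1;       /* original returns 0 on success */
    if (find_module(m->name) == NULL) return 1;
    if (gkm_count < 8) strcpy(gkm_list[gkm_count++], m->name);
    return 0;
}
/* Wrapper: GKM refuses its own removal with -EBUSY; any other module is
 * unlinked from the kernel list and dropped from the shadow list. */
int gkm_syscall_delete_module(const char *name) {
    if (strcmp(name, "gkm") == 0) return -EBUSY;
    struct module *m = find_module(name);
    if (m == NULL) return -ENOENT;                 /* assumption: not stated in the slides */
    list_del(&m->list);
    for (int i = 0; i < gkm_count; i++)
        if (strcmp(gkm_list[i], name) == 0) { memmove(gkm_list[i], gkm_list[--gkm_count], 16); break; }
    return 0;
}
```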

Page 13

Starting GKM

• Jun 15 15:37:18 localhost kernel: GKM: Initializing Guardian Kernel Module

• Jun 15 15:37:18 localhost kernel: GKM: Guardian Kernel Module Loaded

Page 14

System Call Replacement Test

• Jun 15 15:38:19 localhost kernel: GKM: module system_call_replacement detected and loaded.

• Jun 15 15:38:19 localhost kernel: GKM: Found inconsistency in system call table!

• Jun 15 15:38:19 localhost kernel: GKM: System call mapping restored.

Page 15

System Call Overwrite Test

• Jun 15 15:49:42 localhost kernel: About to overwrite chdir at address c0159050

• Jun 15 15:49:42 localhost kernel: GKM: module system_call_overwrite detected and loaded.

• Jun 15 15:49:42 localhost kernel: GKM: System call number 12 has been compromised!

• Jun 15 15:49:42 localhost kernel: GKM: Please look in unistd.h for the corresponding system call.

• Jun 15 15:49:42 localhost kernel: GKM: System call number 12 has been replaced with a null system call.

• Jun 15 15:49:42 localhost kernel: GKM: Please take appropriate action and reboot soon.

Page 16

Module Cloaking Test

• Jun 15 16:03:12 localhost kernel: I'm still here...

• Jun 15 16:03:12 localhost kernel: GKM: Cloaked module inserted into system!

• Jun 15 16:03:12 localhost kernel: GKM: Please take appropriate action and reboot soon.

Page 17

Module Overwrite Test

• Jun 15 16:03:33 localhost kernel: GKM: module module_overwrite detected and loaded.

• Jun 15 16:03:33 localhost kernel: GKM: Bad exit checksum for hello

• Jun 15 16:03:33 localhost kernel: GKM: Please take appropriate action and reboot soon.

Page 18

Conclusion

• What’s next?
  – Sourceforge or Freshmeat

• Questions?