Kenfe-Mickael Laventure, Laurent Malvert
Macquarie University, 2008-09-19
LEMONA: Linux Enhanced Monitoring Architecture
Linux zest for security
Lemona – Linux Enhanced Monitoring Architecture 2 2008-09-19 Laventure / Malvert
Outline
• Security and Forensics
  – Forensics
  – Computer Security
  – Computer Forensics
• Related Work
• Lemona
  – Project
  – Overview
  – Architecture
• References
Forensics
• Short for “Forensic Science”
• Aims at:
  – Collecting Evidence
  – Providing Legal Proof (used in court)
• Concerned with Computers / Networks
Lemona – Linux Enhanced Monitoring Architecture 4 2008-09-19 Laventure / Malvert
Computer Security
(Figure: the Confidentiality / Integrity / Availability triad)
Computer Security
Computer Forensics
• Memory Analysis…
  – Volatile Memory (i.e. RAM)
  – Optical Drives (i.e. CD-ROM)
  – Magnetic Drives (i.e. HDD, Floppies)
• … but also Logs Analysis
  – Network
  – System
Computer Forensics
• Incomplete
  – Logs are not activated by default
  – Not everything is logged
  – Not all applications generate logs
• Unreliable
  – Generated in User Land
  – Editable by an Attacker
Related Work
Forensix
• + System Calls Interception
• + Attack Reconstruction
Sarmoria
• + Memory Mapped Monitoring
• - Not State Aware
Kprobe / DjProbe
• + Dynamic Kernel Probing
• + Built in Kernel (but inactive)
ReVirt
• + Sandboxing
Lemona > Project
• Open Architecture
  – Open Protocols
  – Open Source Implementation
• Decentralized
  – Local Tracing Components
  – Remote Monitoring Components
• Prevention, Detection, Forensics, Recovery
  – Possible…?
Lemona > Overview
• Exhaustiveness
  – Kernel Land Tracer: 100% User Land Coverage
• Integrity
  – Harder to bypass: would require Kernel Level code
  – Integrity Checks
• Flexible
  – Variable Granularity Levels
  – Selectable Hooks
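The Computer Forensics slide's objection to conventional logs (generated in user land, editable by an attacker) and the Integrity Checks bullet above come down to one question: can the remote storage point tell that a trace stream was altered after the fact? The Python below is an added illustration, not Lemona code; the record layout, the hook names and the key-evolution scheme are assumptions. Each record is MACed under a per-record key that the local tracer derives one-way from the previous key and then discards, so altering an earlier record needs a key that no longer exists on the target, even for an attacker who later gains kernel-level code execution.

```python
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_digest of the very first record


@dataclass(frozen=True)
class Trace:
    """One trace record. Constructed layout: the slides do not give Lemona's."""
    seq: int
    pid: int
    hook: str          # which hook fired, e.g. "syscall:entry" or "mmap:page_fault"
    detail: str
    prev_digest: str   # links this record to the one before it
    digest: str        # HMAC over the fields above, under this record's epoch key


def _record_digest(key, seq, pid, hook, detail, prev):
    payload = json.dumps([seq, pid, hook, detail, prev], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _next_key(key):
    # One-way key evolution: knowing K_i yields K_{i+1} but not K_{i-1}.
    return hashlib.sha256(b"trace-key-evolve|" + key).digest()


class Tracer:
    """Local tracing component. Only the *current* epoch key is kept in memory."""

    def __init__(self, initial_key):
        self._key = initial_key
        self._prev = GENESIS
        self.chain = []

    def record(self, pid, hook, detail):
        seq = len(self.chain)
        digest = _record_digest(self._key, seq, pid, hook, detail, self._prev)
        t = Trace(seq, pid, hook, detail, self._prev, digest)
        self.chain.append(t)
        self._prev = digest
        self._key = _next_key(self._key)  # old key discarded: earlier records are sealed
        return t


def verify_chain(chain, initial_key):
    """Remote storage point check. Returns (ok, records_verified).

    The storage point holds the initial key, re-derives each epoch key and
    checks every record's MAC plus its link to the previous record.
    """
    key, prev = initial_key, GENESIS
    for i, t in enumerate(chain):
        expected = _record_digest(key, t.seq, t.pid, t.hook, t.detail, t.prev_digest)
        if t.seq != i or t.prev_digest != prev or not hmac.compare_digest(t.digest, expected):
            return False, i
        prev, key = t.digest, _next_key(key)
    return True, len(chain)


def demo():
    """Constructed scenario: four traces, then two kinds of tampering."""
    k0 = hashlib.sha256(b"constructed demo secret, not a real key").digest()
    tracer = Tracer(k0)
    tracer.record(1042, "syscall:entry", "open(/etc/passwd, O_RDONLY)")
    tracer.record(1042, "syscall:return", "open -> 3")
    tracer.record(1042, "mmap:page_fault", "fd=3 off=0x0")
    tracer.record(1042, "syscall:entry", "write(3, 512 bytes)")
    intact = verify_chain(tracer.chain, k0)

    # 1. An in-place edit of record 1 cannot be re-MACed, even with kernel
    #    access gained later: that epoch's key no longer exists on the target.
    edited = list(tracer.chain)
    edited[1] = dataclasses.replace(edited[1], detail="open -> -1 (ENOENT)")
    edit_result = verify_chain(edited, k0)

    # 2. Dropping the last record leaves a chain that still verifies, so the
    #    storage point must also compare against the sequence numbers it has
    #    already received over the transmission channel.
    truncated_result = verify_chain(tracer.chain[:3], k0)
    return intact, edit_result, truncated_result


if __name__ == "__main__":
    print(demo())
```

Running demo() returns ((True, 4), (False, 1), (True, 3)): the intact chain verifies, the edited record is caught at sequence 1, and the truncated chain still verifies. That last result is the caveat: chaining alone does not reveal a deleted tail, so the storage point has to keep the highest sequence number already received and treat a shorter chain as suspicious. The scheme also only protects records sealed before compromise; anything traced while an attacker controls the kernel is MACed under a key that attacker can read.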
Lemona > Architecture > Workflow / Hooks
(Diagram; labels recovered from the slide)
User Application
• SysCall hooks: Entry, Execution, Return
• Memory Mapped File hooks: Open, Read/Write, Page Fault, Close
Actors: Inside Attackers, Outside Attackers
Components: Target, Storage Point, Forensics Tools
Flow: Lemona traces transmission
References > Lemona
[home] http://lemona.googlecode.com/
[blog] http://lemona-project.blogspot.com/
[wiki] http://lemona.googlecode.com/wiki/
[SCM] http://lemona.googlecode.com/svn/
[group] http://groups.google.com/group/lemona/
References > Related
– SARMORIA, C. G. & CHAPIN, S. J. (2005). Monitoring access to shared memory-mapped files. Proc. of the 2005 Digital Forensics Research Workshop (DFRWS), New Orleans.
– GOEL, A., FENG, W. C., MAIER, D. & WALPOLE, J. (2005). Forensix: a robust, high-performance reconstruction system. Distributed Computing Systems Workshops, 2005. 25th IEEE International Conference on, 155-162.
– KRISHNAKUMAR, R. (2005). Kernel korner: kprobes - a kernel debugger. Linux Journal, 2005.