![Page 1: Kenfe-Mickael Laventure Laurent Malvert Macquarie University 2008-09-19 LEMONA Linux Enhanced Monitoring Architecture Linux zest for security](https://reader035.vdocuments.net/reader035/viewer/2022081816/56649f1c5503460f94c329b0/html5/thumbnails/1.jpg)
Kenfe-Mickael Laventure, Laurent Malvert
Macquarie University, 2008-09-19

LEMONA: Linux Enhanced Monitoring Architecture
Linux zest for security
Lemona – Linux Enhanced Monitoring Architecture 2 2008-09-19 Laventure / Malvert
Outline
• Security and Forensics
  – Forensics
  – Computer Security
  – Computer Forensics
• Related Work
• Lemona
  – Project
  – Overview
  – Architecture
• References
Forensics
• Short for “Forensic Science”
• Aims at:
  – Collecting Evidence
  – Providing Legal Proof (used in court)
• Concerned with Computers / Networks
Computer Security
[Diagram: the Confidentiality / Integrity / Availability triad]
• Confidentiality
• Integrity
• Availability
Computer Forensics
• Memory Analysis…
  – Volatile Memory (e.g. RAM)
  – Optical Drives (e.g. CD-ROM)
  – Magnetic Drives (e.g. HDD, Floppies)
• … but also Logs Analysis
  – Network
  – System
Computer Forensics
• Incomplete
  – Logs are not activated by default
  – Not everything is logged
  – Not all applications generate logs
• Unreliable
  – Generated in User Land
  – Editable by an Attacker
Related Work
Forensix
• + System Calls Interception
• + Attack Reconstruction
Sarmoria
• + Memory Mapped Monitoring
• – Not State Aware
Kprobe / DjProbe
• + Dynamic Kernel Probing
• + Built in Kernel (but inactive)
ReVirt
• + Sandboxing
Lemona > Project
• Open Architecture
  – Open Protocols
  – Open Source Implementation
• Decentralized
  – Local Tracing Components
  – Remote Monitoring Components
• Prevention, Detection, Forensics, Recovery
  – Possible…?
Lemona > Overview
• Exhaustiveness
  – Kernel Land Tracer → 100% User Land Coverage
• Integrity
  – Harder to bypass → would require Kernel Level code
  – Integrity Checks
• Flexible
  – Variable Granularity Levels
  – Selectable Hooks
Lemona > Architecture
[Diagram: Architecture > Workflow / Hooks. Labels recovered from the slide:
 User Application; SysCall (Entry, Execution, Return);
 Memory Mapped File (Open, Read/Write Page Fault, Close);
 Inside Attackers; Outside Attackers; Target; Storage Point; Forensics Tools;
 Lemona traces transmission]
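The tracer-to-Storage-Point flow in the diagram, together with the "editable by an attacker" weakness of user-land logs from the Computer Forensics slide, as an added example that is not Lemona's code: trace records from the syscall and memory-mapped-file hooks are chained so the remote Storage Point can detect edited, dropped or reordered records. The record layout, the hook names and the FNV-1a stand-in hash are assumptions, not the project's protocol.

```c
/* Added example, not Lemona's code: a trace record stream from the syscall
 * (entry/return) and memory-mapped-file hooks, chained so the remote storage
 * point can spot edited, dropped or reordered records. Record layout is
 * invented; FNV-1a stands in for the keyed hash a real deployment needs. */
#include <stddef.h>
#include <stdint.h>
enum hook { SYSCALL_ENTRY, SYSCALL_RETURN, MMAP_OPEN, MMAP_PAGE_FAULT, MMAP_CLOSE };

struct trace_rec {
    uint32_t pid; enum hook kind;
    long nr, value;        /* syscall number or mapping id; argument, fault address or result */
    uint64_t prev, chain;  /* chain value of the preceding record (0 for the first); own chain value */
};
static uint64_t fnv1a(uint64_t h, const void *p, size_t n) { /* stand-in, not a MAC */
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Chain value covers prev plus every field, hashed field by field to skip padding. */
static uint64_t rec_chain(const struct trace_rec *r) {
    uint64_t h = fnv1a(0xcbf29ce484222325ULL, &r->prev, sizeof r->prev);
    h = fnv1a(h, &r->pid, sizeof r->pid);  h = fnv1a(h, &r->kind, sizeof r->kind);
    h = fnv1a(h, &r->nr, sizeof r->nr);
    return fnv1a(h, &r->value, sizeof r->value);
}
/* Tracer side (kernel land in Lemona): append a record linked to the previous one. */
void trace_emit(struct trace_rec *buf, size_t *n, uint32_t pid, enum hook kind, long nr, long value) {
    struct trace_rec *r = &buf[*n];
    r->pid = pid; r->kind = kind; r->nr = nr; r->value = value;
    r->prev = *n ? buf[*n - 1].chain : 0;
    r->chain = rec_chain(r);
    (*n)++;
}
/* Storage-point side: index of the first broken link, or -1 if the chain is intact. */
long trace_verify(const struct trace_rec *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint64_t want_prev = i ? buf[i - 1].chain : 0;
        if (buf[i].prev != want_prev || buf[i].chain != rec_chain(&buf[i])) return (long)i;
    }
    return -1;
}

/* Constructed scenario: open() traced, then a page fault on the mapping; tamper edits a stored record. */
long demo(int tamper) {
    struct trace_rec buf[4]; size_t n = 0;
    trace_emit(buf, &n, 1234, SYSCALL_ENTRY, 2, 0);        /* open() entry */
    trace_emit(buf, &n, 1234, SYSCALL_RETURN, 2, 3);       /* open() returned fd 3 */
    trace_emit(buf, &n, 1234, MMAP_PAGE_FAULT, 3, 0x7f00); /* fault inside that mapping */
    if (tamper) buf[1].value = 7;                          /* attacker rewrites the stored result */
    return trace_verify(buf, n);                           /* -1 when intact, 1 when tampered */
}
```

Because each record's chain value feeds the next, an attacker with write access to the stored trace cannot change, drop or reorder a record without the Storage Point noticing, which is the property a user-land log file lacks.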
References > Lemona
[home] http://lemona.googlecode.com/
[blog] http://lemona-project.blogspot.com/
[wiki] http://lemona.googlecode.com/wiki/
[SCM] http://lemona.googlecode.com/svn/
[group] http://groups.google.com/group/lemona/
References > Related
– Sarmoria, C. G. & Chapin, S. J. (2005). Monitoring access to shared memory-mapped files. Proc. of the 2005 Digital Forensics Research Workshop (DFRWS), New Orleans.
– Goel, A., Feng, W. C., Maier, D. & Walpole, J. (2005). Forensix: a robust, high-performance reconstruction system. 25th IEEE International Conference on Distributed Computing Systems Workshops, 155-162.
– Krishnakumar, R. (2005). Kernel korner: kprobes, a kernel debugger. Linux Journal, 2005.