Julian Grizzard · DEFCON 13
Surgical Recovery from Kernel-Level Rootkit Installations
Linux Based Systems
Julian Grizzard
July 2005
DEFCON THIRTEEN
Latest Slides and Tools
PLEASE DOWNLOAD THE LATEST SLIDES AND TOOLS
[ Latest slides available ] http://www.ece.gatech.edu/research/labs/nsa/presentations/dc13_grizzard.pdf
[ Latest system call table tools ] http://www.ece.gatech.edu/research/labs/nsa/sct_tools.shtml
[ Latest spine architecture work ] http://www.ece.gatech.edu/research/labs/nsa/spine.shtml
Problem
What does a rootkit do?
• Retain Access
  – Trojan sshd client with hard coded user/pass for root access
  – Initiate remote entry by specially crafted packet stream
• Hide Activity
  – Hide a process including resource usage of process
  – Hide malicious rootkit kernel modules from lsmod
Most Widely Accepted Solution
Format and Reinstall
Monolithic Operating System
Kernel Space
User Space
Microkernel Operating System
Intel Descriptor Privilege Level
• Level 3
  – Minimal hardware access
  – User space processes run at level 3
• Level 2
  – Limited hardware access
  – N/A in Linux
• Level 1
  – Limited hardware access
  – N/A in Linux
• Level 0
  – Unlimited hardware access
  – Kernel space threads run at level 0
(Diagram labels: Kernel Space, User Space)
Testing Privilege Level - User (R3)
#include <stdio.h>
#include <stdint.h>

/* The low two bits of %cs hold the current privilege level (CPL);
 * run from user space this prints "ring: 3". */
int main()
{
    uint16_t cs_reg;
    asm("mov %%cs,%0" : "=m" (cs_reg));
    cs_reg = cs_reg & 0x0003;
    printf("ring: %d\n", cs_reg);
    return 0;
}
Testing CPL - Kernel (R0)
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/types.h>

/* Same CPL test, run at module load time; in the kernel it prints "ring: 0". */
static int __init get_cpl_init(void)
{
    uint16_t cs_reg;
    asm("mov %%cs,%0" : "=m" (cs_reg));
    cs_reg = cs_reg & 0x0003;
    printk(KERN_ALERT "ring: %d\n", cs_reg);
    return 0;
}

static void __exit get_cpl_exit(void)
{
}

module_init(get_cpl_init);
module_exit(get_cpl_exit);
User-Level Rootkit Attacks
Modify/replace system binaries
e.g. ps, netstat, ls, top, passwd
Kernel-Level Rootkit Attacks
Modify running kernel code and data structures
Example 1 (System Call Table)
0x80th IDT Entry Lookup
System Call Handler
System Call Lookup
System Call Executes
Attack Points
Manual Recovery Algorithm
1) Copy clean system calls to kernel memory (get from kernel image with modified gdb)
2) Create new system call table
3) Copy system call handler to kmem (set new SCT)
4) Query the idtr register (interrupt table)
5) Set 0x80th entry to new handler
Copying Kernel Functions
• Some trickery involved with algorithm
• x86 code has call instructions with a relative offset parameter
• Could recompile the code
• Chose to recompute relative offset and modify the machine code
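Steps 1 and 3 of the recovery algorithm copy kernel functions to a new address, and this slide notes that x86 call instructions carry a displacement relative to the instruction itself, so a byte-for-byte copy would call the wrong place. The following is an added example, not the talk's sct_tools code, of that fix-up for 32-bit code: given the offsets of the call instructions (as a disassembler would supply them), it rewrites each external call's displacement and leaves calls within the copied block alone; the code bytes and addresses are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Offset, inside the copied block, of each E8 (call rel32) instruction as a
 * disassembler reports them; the code does not scan raw bytes for 0xE8,
 * since that byte can also occur inside other instructions' operands. */
struct call_site { size_t off; };

static int32_t read_rel32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

static void write_rel32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u;         p[1] = (uint8_t)(u >> 8);
    p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}

/* buf holds len bytes of 32-bit x86 code assembled to run at src and about to
 * be placed at dst.  A near call reaches  target = src + off + 5 + rel32
 * (the displacement counts from the end of the 5-byte instruction).  Calls
 * whose target lies inside the block move with it and keep their displacement;
 * calls to outside code (kernel helpers the system call relies on) receive
 * rel32 = target - (dst + off + 5) so the copy still reaches the same absolute
 * address.  Returns the number of external calls adjusted, or -1 when a listed
 * site does not hold a call opcode. */
int relocate_calls(uint8_t *buf, size_t len, uint32_t src, uint32_t dst,
                   const struct call_site *sites, size_t nsites)
{
    int adjusted = 0;
    for (size_t i = 0; i < nsites; i++) {
        size_t off = sites[i].off;
        if (off + 5 > len || buf[off] != 0xE8)
            return -1;
        uint32_t next_src = src + (uint32_t)off + 5;
        uint32_t target   = next_src + (uint32_t)read_rel32(&buf[off + 1]);
        if (target >= src && target < src + len)
            continue;                          /* intra-block call: unchanged */
        uint32_t next_dst = dst + (uint32_t)off + 5;
        write_rel32(&buf[off + 1], (int32_t)((int64_t)target - (int64_t)next_dst));
        adjusted++;
    }
    return adjusted;
}

struct reloc_result { int adjusted; int32_t rel[2]; };

/* Constructed sample (not real kernel code): a 16-byte block assembled for
 * 0xC0100000 that calls a helper at 0xC0100100 and a label inside itself. */
struct reloc_result demo_relocate(uint32_t dst)
{
    const uint32_t src = 0xC0100000u;
    uint8_t code[16] = {
        0xE8, 0xFB, 0x00, 0x00, 0x00,  /* call 0xC0100100  (rel32 = +0xFB)    */
        0x90, 0x90,                    /* nop; nop                            */
        0xE8, 0x00, 0x00, 0x00, 0x00,  /* call 0xC010000C  (the next insn)    */
        0xC3, 0x90, 0x90, 0x90         /* ret; padding                        */
    };
    const struct call_site sites[] = { { 0 }, { 7 } };
    struct reloc_result r;
    r.adjusted = relocate_calls(code, sizeof code, src, dst, sites, 2);
    r.rel[0] = read_rel32(&code[1]);
    r.rel[1] = read_rel32(&code[8]);
    return r;
}

/* Accessor for the stand-alone checks. */
int32_t demo_rel(uint32_t dst, int i) { struct reloc_result r = demo_relocate(dst); return r.rel[i]; }

int main(void)
{
    struct reloc_result r = demo_relocate(0xC0200000u);
    printf("adjusted %d call(s): rel[0] = %ld (0x%08lX), rel[1] = %ld\n", r.adjusted,
           (long)r.rel[0], (unsigned long)(uint32_t)r.rel[0], (long)r.rel[1]);
    return 0;
}
```

Moving the block from 0xC0100000 to 0xC0200000 turns the external call's displacement from +0xFB into -0xFFF05 while the local call keeps its zero displacement.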
/dev/kmem Details from SucKIT
• SucKIT accesses kernel memory from user space
• Redirects entire system call table
• How does sucKIT find the system call table?
• How does sucKIT allocate kernel memory?
Find System Call Handler
/* IDT register and gate descriptor layouts (i386) as declared in the sucKIT
 * source; both are packed to match the hardware format. */
struct idtr { ushort limit; ulong base; } __attribute__ ((packed));
struct idt  { ushort off1; ushort sel; uchar none, flags; ushort off2; } __attribute__ ((packed));

struct idtr idtr;
struct idt idt80;
ulong old80;

/* Pop IDTR register from CPU */
asm("sidt %0" : "=m" (idtr));

/* Read kernel memory through /dev/kmem (rkm is sucKIT's helper that seeks fd to
 * the given kernel address and reads the bytes) */
rkm(fd, &idt80, sizeof(idt80), idtr.base + 0x80 * sizeof(idt80));

/* Compute absolute offset of system call handler for kmem */
old80 = idt80.off1 | (idt80.off2 << 16);
Kmalloc as a System Call (sucKIT)
#define rr(n, x) ,n ((ulong) x)
#define __NR_oldolduname 59
#define OURSYS __NR_oldolduname
#define syscall2(__type, __name, __t1, __t2) \
__type __name(__t1 __a1, __t2 __a2) \
{ \
    ulong __res; \
    __asm__ volatile \
        ("int $0x80" \
        : "=a" (__res) \
        : "0" (__NR_##__name) \
        rr("b", __a1) \
        rr("c", __a2)); \
    return (__type) __res; \
}
#define __NR_KMALLOC OURSYS
static inline syscall2(ulong, KMALLOC, ulong, ulong);
Demos
System Call Table Tools Demonstration
System Calls Used for Recovery
• Using /dev/kmem
  – sys_open, sys_read, sys_write
• Using kernel module
  – sys_create_module, sys_init_module
Problem: system call table has been redirected by a rootkit
Solution
• Intrusion Recovery System (IRS)
  – Use spine architecture to minimize chance of rootkit attack
  – IRS capable of verifying integrity of system
  – Contains copy of known good state for entire system (including kernel) in isolated area called statehold
Spine - Based on Microkernel
Spine - Based on Microkernel
20,000 lines of code - small
L4 System Calls (Fiasco)
• 9 IPC calls
  – l4_ipc_call, l4_ipc_receive
  – l4_ipc_reply_and_wait
  – l4_ipc_send_deceiting, l4_ipc_reply_deceiting_and_wait
  – l4_ipc_send, l4_ipc_wait
  – l4_nchief
  – l4_fpage_unmap
• 5 thread calls
  – l4_myself
  – l4_task_new
  – l4_thread_ex_regs
  – l4_thread_schedule
  – l4_thread_switch
Spine Architecture
Spine Architecture - Microkernel
Use Fiasco L4 implementation
Spine Architecture - Guest
L4Linux runs on top of Fiasco
Spine Architecture - Processes
User processes run on L4Linux
Spine Architecture - Separation
Only Fiasco runs in kernel mode
Spine Architecture - IRS
Component of IRS at each level
Memory Hierarchy Detail
Spine Architecture - Attacking
Example 2 (VFS - /proc)
Example 2 - Sys Call Uses VFS
Example 2 - /proc Filesystem
Example 2 - File Operations
Example 2 - Read Directory
Example 2 - Attacking
Recovery Methods
• Manual methods similar to SCT work
• Generally, consistency checking on function pointers and hashing of execution code works
• Must maintain a good copy of the known good state in order to repair
• IRS can do it automatically
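The second point, consistency checking of function pointers plus hashing of the executable code, is shown below as an added example that is not part of the talk's tools. It classifies the three modifications from the additional slides (entry redirection, entry overwrite, table redirection) against a known-good copy held outside the monitored kernel; the kernel text, addresses and table sizes are constructed for the walk-through, and a real check has to read kernel memory through a path the rootkit has not already redirected, which is exactly why the talk moves the IRS out of the monitored kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NR_SYSCALLS 4   /* tiny table for the walk-through */
#define FN_LEN      8   /* bytes of text hashed per system call */
enum sct_verdict { SC_OK = 0, SC_ENTRY_REDIRECTED, SC_ENTRY_OVERWRITTEN };

/* Snapshot of kernel text (read via /dev/kmem or a module; constructed here). */
struct kmem { uint32_t base; const uint8_t *bytes; size_t size; };

/* Known-good state held outside the monitored kernel (the talk's statehold). */
struct known_good {
    uint32_t sct_addr;                /* table the syscall handler should index */
    uint32_t entry[NR_SYSCALLS];      /* expected function pointers */
    uint64_t code_hash[NR_SYSCALLS];  /* hash of each function's code bytes */
};

struct report { int findings; int table_redirected; enum sct_verdict verdict[NR_SYSCALLS]; };

static uint64_t fnv1a(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash FN_LEN bytes at addr; 0 if the range is not inside the snapshot. */
static uint64_t hash_code_at(const struct kmem *km, uint32_t addr)
{
    if (addr < km->base || (size_t)(addr - km->base) + FN_LEN > km->size)
        return 0;
    return fnv1a(km->bytes + (addr - km->base), FN_LEN);
}

void record_known_good(struct known_good *kg, uint32_t sct_addr,
                       const uint32_t *entries, const struct kmem *clean)
{
    kg->sct_addr = sct_addr;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        kg->entry[i] = entries[i];
        kg->code_hash[i] = hash_code_at(clean, entries[i]);
    }
}

/* Table redirection: the handler indexes a table other than sys_call_table.
 * Entry redirection: a pointer in the active table changed.
 * Entry overwrite:   the pointer is intact but the code it names was modified. */
struct report check_sct(const struct known_good *kg, uint32_t handler_sct_addr,
                        const uint32_t *active, const struct kmem *live)
{
    struct report r = { 0, 0, { SC_OK } };
    r.table_redirected = (handler_sct_addr != kg->sct_addr);
    r.findings += r.table_redirected;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (active[i] != kg->entry[i])
            r.verdict[i] = SC_ENTRY_REDIRECTED;
        else if (hash_code_at(live, active[i]) != kg->code_hash[i])
            r.verdict[i] = SC_ENTRY_OVERWRITTEN;
        else
            r.verdict[i] = SC_OK;
        if (r.verdict[i] != SC_OK)
            r.findings++;
    }
    return r;
}

/* Constructed scenario: five 8-byte "functions" from 0xC0100000 and a table at
 * 0xC0200000.  With compromised != 0 the live image carries all three
 * modifications from the Entry Redirection, Entry Overwrite and Table Redirection slides. */
struct report demo_check(int compromised)
{
    uint8_t clean_text[40], live_text[40];
    for (size_t i = 0; i < sizeof clean_text; i++)
        clean_text[i] = (uint8_t)(0x55 + i);            /* filler, not real code */
    memcpy(live_text, clean_text, sizeof live_text);
    const uint32_t base = 0xC0100000u, sct = 0xC0200000u;
    const struct kmem clean = { base, clean_text, sizeof clean_text };
    const struct kmem live  = { base, live_text,  sizeof live_text  };
    uint32_t active[NR_SYSCALLS] = { base, base + 8, base + 16, base + 24 };
    struct known_good kg;
    record_known_good(&kg, sct, active, &clean);     /* trusted copy taken while clean */
    uint32_t handler_sct = sct;
    if (compromised) {
        active[1] = base + 32;                 /* entry redirection to trojan code */
        memset(live_text + 16, 0xE9, FN_LEN);  /* entry overwrite of call #2's code */
        handler_sct = 0xC02F0000u;             /* table redirection to a trojan table */
    }
    return check_sct(&kg, handler_sct, active, &live);
}

/* Accessor for the stand-alone checks: verdict of entry i as an int. */
int demo_verdict(int compromised, int i) { struct report r = demo_check(compromised); return (int)r.verdict[i]; }

int main(void)
{
    struct report r = demo_check(1);
    printf("%d finding(s), table redirected: %d\n", r.findings, r.table_redirected);
    return 0;
}
```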
Demos
Intrusion Recovery System Demonstration
Limitations and Conclusions
• Can an attacker install a microkernel-level rootkit?
• What if attacker has physical access?
• There is no be-all and end-all solution!
However, an IRS can make systems more reliable.
Thanks!
• Henry Owen
• John Levine
• Sven Krasser
• Greg Conti
• Jonathan Torian
• Lawrence Phillips
• Jessica Frame
• Andrew Davenport
• Many more…
Links
[ Network and Security Architecture website ] http://www.ece.gatech.edu/research/labs/nsa/index.shtml
[ Georgia Tech Information Security Center ] http://www.gtisc.gatech.edu/
[ Fiasco project ] http://os.inf.tu-dresden.de/fiasco/
[ Xen ] http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
[ Samhain Labs ] http://la-samhna.de
[ Chkrootkit ] http://www.chkrootkit.org
[ DaWheel, “So you don’t have to reinvent it!” ] http://www.dawheel.org
Questions?
Starter Questions:
1. How many have personally dealt with recovery from a rootkit?
2. Has anyone seen any rootkits that use direct memory access?
3. Has anyone ever cleaned a system infected with a rootkit without reinstalling?
Julian Grizzard
grizzard AT ece.gatech.edu
Additional Slides
Additional Slides Provided Beyond this Point
User-Level versus Kernel-Level
• User-Level
  – Modify/replace system binaries
  – e.g. ps, netstat, ls, top, passwd
• Kernel-Level
  – Modify/replace kernel process
  – e.g. system call table
Additional Malware Functionality
• Information harvesting
  – Credit cards
  – Bank accounts
• Resource usage
  – Spam relaying
  – Distributed denial of service
Entry Redirection
Original read system call. No longer pointed to by SCT.
Trojaned read system call. Active SCT points to it.
Entry Overwrite
System call code overwritten; SCT still intact
Table Redirection
Original SCT intact
Original system calls intact
Handler points to Trojan table
History of Kernel-Level Rootkits
• Heroin – October 1997
  – First public LKM
• Knark – June 1999
  – Highly popular LKM
• SucKIT – December 2001
  – First public /dev/kmem entry
• Adore-ng 0.31 – January 2004
  – Uses VFS redirection; works on Linux 2.6.X
Kernel-Level Rootkit Targets
• System call table
• Interrupt descriptor table
• Virtual file system layer
• Kernel data structures
Kernel Entry
• Linux kernel module (LKM)
• /dev/kmem, /dev/mem, /dev/port
• Direct memory access (DMA)
• Modify kernel image on disk
System Call Table Modifications
• System calls are the main gateway from user space to kernel space
• Most commonly targeted kernel structure
• Can redirect individual system calls or the entire table
Example Kernel-Level Rootkits
Rootkit    Kernel Entry   Modification
heroin     Module         SCT Entry Redirection
knark      Module         SCT Entry Redirection
adore      Module         SCT Entry Redirection
sucKIT     kmem           SCT Table Redirection
zk         kmem           SCT Table Redirection
r.tgz      kmem           SCT Table Redirection
adore-ng   Module         VFS Redirection
System Call Table Tools
• Developed tools that can query the state of the system call table and repair it
• Tools based on sucKIT source code and work from user space
• Algorithm to recover from rootkits is similar to algorithm used by rootkits
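The two slides above describe the idea behind the system call table tools: locate the table the same way a kmem rootkit does, compare it entry by entry against a snapshot of the known good state, and write back only the entries that were redirected. The following is an added illustration of that check-and-repair loop, not code from the author's sct tools; it assumes a 32-bit i386 layout (the int 0x80 handler dispatches through `call *sys_call_table(,%eax,4)`, encoded `ff 14 85 <imm32>`) and runs against constructed in-memory buffers and addresses rather than reading /dev/kmem on a live system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit picture: the i386 int 0x80 handler dispatches through
 * "call *sys_call_table(,%eax,4)" (ff 14 85 <imm32>); the table is an array
 * of handler addresses indexed by system call number. */
#define NR_SYSCALLS 6                      /* toy size; the real table is larger */
#define SCT_ADDR    0xc02d2240u            /* constructed table address */
static const unsigned char sample_handler[] = {          /* constructed bytes */
    0x50, 0x1e, 0x06,                                    /* push %eax; push %ds; push %es */
    0xff, 0x14, 0x85, 0x40, 0x22, 0x2d, 0xc0,            /* call *0xc02d2240(,%eax,4) */
    0xc3 };
static const uint32_t known_good[NR_SYSCALLS] = {        /* snapshot taken at clean boot */
    0xc0102e40u, 0xc0114100u, 0xc0153a20u, 0xc0153b80u, 0xc0161250u, 0xc0155e90u };
static uint32_t live_table[NR_SYSCALLS] = {              /* entries 3 and 5 redirected */
    0xc0102e40u, 0xc0114100u, 0xc0153a20u, 0xd0a1f010u, 0xc0161250u, 0xd0a1f2c0u };

/* Locate the table by scanning the handler for the dispatch opcode (the same
 * lookup the rootkit performs). Returns 0 if the pattern is absent, which is
 * itself a finding: the handler may have been replaced. */
uint32_t find_sct_addr(const unsigned char *h, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++)
        if (h[i] == 0xff && h[i + 1] == 0x14 && h[i + 2] == 0x85)
            return (uint32_t)h[i + 3] | (uint32_t)h[i + 4] << 8 |
                   (uint32_t)h[i + 5] << 16 | (uint32_t)h[i + 6] << 24;
    return 0;
}

/* Compare the live table with the snapshot; report each mismatch and, when
 * repair is set, write the known-good pointer back. Only changed entries are
 * touched, which is what makes the recovery surgical. Returns mismatch count. */
size_t sct_check(uint32_t *live, const uint32_t *good, size_t n, int repair)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i] == good[i]) continue;
        printf("syscall %zu: expected %08x, found %08x\n", i, (unsigned)good[i], (unsigned)live[i]);
        if (repair) live[i] = good[i];
        bad++;
    }
    return bad;
}

int main(void)
{
    size_t n = sct_check(live_table, known_good, NR_SYSCALLS, 1);
    printf("table at 0x%08x, repaired %zu entries\n",
           (unsigned)find_sct_addr(sample_handler, sizeof sample_handler), n);
    return 0;
}
```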
Virtual Machines/Hypervisors
• VMware
• User Mode Linux
• Xen
• L4
History of Microkernels
• Mach project started at CMU (1985)
• QNX
• Windows NT
• LynxOS
• Chorus
• Mac OS X
Microkernel Requirements
• Tasks
• IPC
• I/O Support
That’s it!
L4 IPC’s
• Fast IPCs
• Flexpages
• Clans and chiefs
• System calls, page faults are IPC’s
L4 I/O (from Fiasco lecture slides)
• Hardware interrupts: mapped to IPC
  – Special thread id for interrupts
  – IPC sender indicates interrupt source
  – Kernel provides no sharing support, one thread per interrupt
  – Malicious driver could potentially block all interrupts if given access to PIC
  – Cli/sti only allowed in kernel and trusted servers
• I/O memory and I/O ports: flexpages
• Missing kernel feature: pass interrupt association
  – Security hole
• I/O port access
• DMA - big security risk
Rmgr (lecture slides)
• Resources --- serves page faults
  – Physical memory
  – I/O ports
  – Tasks
  – Interrupts
Booting the System (lecture slides)
• Modified grub
• Multi-boot specification
• Rmgr, sigma0, root task (rmgr II), …
• IDT
  – General Protection Exception #13
  – Page Fault #14
  – Divide by zero #0
  – Invalid opcode #6
  – System calls Int30 IPC
• Global Descriptor Table (GDT) vs. Local Descriptor Table (LDT)
L4 Security Problems?
• Passing interrupt association
• Direct memory access
• Fill up page mapping database
• Kernel accessible on disk
• Cli/sti
• A few more…
Spine Architecture Details
• Uses L4 Fiasco microkernel
• L4Linux runs on top of microkernel
• User tasks run on L4Linux
• Intrusion recovery system consists of levels 0 through 3
L4Linux
• Port of Linux kernel to L4 architecture
• “paravirtualization” vs. pure virtualization
• Linux kernel runs in user space
• Binary compatible
Intrusion Recovery System
• Capable of recovering from rootkit installations
• Maintain a copy of known good state to verify system integrity and repair if needed
• Must be integral part of operating system
IRS Cont…
• Intrusion detection system is part of IRS
  – Must be able to detect that an intrusion has occurred in order to recover from it
• Most difficult part of problem is verifying system integrity
  – How to verify data structures, config files, etc.
• Another important challenge is verifying integrity of IRS itself
  – Malware has been known to disable IDS’s
Multi-Level IRS Reasoning
• Difficult to monitor state of entire system from one vantage point
• Difficulty comes in bridging the semantic gap between layers of the system
• We use a multi-level approach
Multi-Leveled IRS Detail
• L3 - verify file system state and repair if needed
• L2 - kernel module to verify integrity of L4Linux and L3 and repair if needed
• L1 - microkernel modifications to verify state of L2 and repair if needed; also provides secure storage for known good state
• L0 - hardware support for maintaining isolation and verifying L1 (more hardware needed)