Pitfalls of Linux Loadable Kernel Modules (LKMs)

Slide 1: Pitfalls of Linux Loadable Kernel Modules (LKMs)
  • Biswajit Paul, Dinakara K
  • {biswajit, dinu}@cair.res.in
  • CAIR (DRDO)
  • Bangalore, INDIA

Slide 2: Overview
  • PART I: Introduction to LKM
  • PART II: Hacking using LKMs
  • PART III: LKM Counter Hacks
Slide 3: PART I: Introduction to LKM
Slide 4: Module Basics
  • Linux Loadable Kernel Modules (LKMs) is a framework that allows one to add or remove code on the fly in the running kernel.
  • Why this framework? To take advantage of the micro-kernel design while at the same time retaining the advantages of a monolithic kernel.
  • Most systems do not use all kernel functions all the time. Loadable modules allow rarely used kernel functions to be loaded and unloaded as and when required, e.g. device drivers.
  • Advantages:
    • Smaller than a monolithic kernel, so it saves kernel memory.
    • The kernel can be modified on the fly without recompiling it.

Slide 5: A sample LKM

    #include <linux/module.h>
    #include <linux/kernel.h>

    int init_module(void)
    {
        /* Use for all initialization */
        printk(KERN_INFO "\nThe LKM is loaded\n");
        return 0;
    }

    void cleanup_module(void)
    {
        /* Use for clean shutdown */
        printk(KERN_INFO "\nThe LKM is removed\n");
    }

Compile:

    gcc -D__KERNEL__ -DMODULE -c -Wall -I/usr/src/linux/include lkm.c
Slide 6: Useful Macros and admin utilities
Macros:

    MODULE_AUTHOR("Biswajit and Dinakara");
    MODULE_DESCRIPTION("Test LKM");
    MODULE_LICENSE("GPL");
    MODULE_PARM(param_1, "i");      /* 2.4 kernels; module_param() on 2.6 and later */
    EXPORT_SYMBOL(symbol_1);

Admin utilities:
  • Insert: insmod / modprobe / kerneld
  • Remove: rmmod
  • View: lsmod
  • Dependency: depmod
  • Information: modinfo, ksyms
Slide 7: Internals of LKM
A module on disk: it is an ELF object file.
  • ELF object sections: .text, .rodata, etc.
  • .modinfo: kernel release number, module parameters, etc.
  • __ksymtab and .kstrtab: together they list the symbols in the LKM.
A module in memory: stored as a doubly linked list, each node containing a module object and the code implementing the various functions of the module. Fields of the module object:
  • const char *name: pointer to the module name
  • unsigned long size: module size
  • struct module_symbol *syms: table of exported symbols
  • int (*init)(void): initialization method
  • void (*cleanup)(void): cleanup method
  • atomic_t uc.usecount: module usage counter
Slide 8: Internals of LKM
  • Loading
  • Initialization: create_module(name, size)
    • Scan the module list: find_module()
    • Allocate memory: vmalloc()
    • Initialize the fields of the module object.
    • Insert the module object into module_list.
    • Return the starting address of the memory allocated.
  • Linking: query_module(QM_SYMBOLS)
    • Get the kernel symbol table and the symbol tables of all modules. Resolve external symbols and relocate.
  • Loading: init_module(user_mem_addr)
    • Copy the object code into kernel space from user mode.

Slide 9: PART II: Hacking Using LKM
Slide 10: Who gains what and how?
Fig: phases of a typical cyber attack: information gathering, retaining access, attack launching.
What a malicious LKM gains the attacker in the "retaining access" phase:
  • Hide files and directories
  • Hide running programs
  • Hide open socket connections
  • Always give root privilege
  • Collect passwords used over the network
How: 1. LKMs, 2. library wrappers for system calls, 3. /dev/kmem, 4. vmlinuz
Slide 11: How is LKM exploited?
Replacing a critical kernel function call with a malicious function:
  • Function call replacement using a jump instruction (code section)
  • Modifying a function pointer / pointer vector (data section)
Address fetching of a kernel variable / function: the kernel symbol table
  • Dynamic (EXPORTed symbols only): /proc/ksyms
  • Static (ALL symbols): /boot/System.map
Slide 12: System call replacement using the LKM framework
Replacing a critical system call with a malicious call.
Fig: user space utilities (ls, ps, netstat, su) call the system library (user space), which enters the kernel through a system call (SYS_stat, SYS_getuid, ...). In kernel space the sys_call_table (entries 1, 2, ... 252) is indexed by the call number; the entry is redirected from the original system call handler to the new system call handler.
Slide 13: System Call Replacement

    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/unistd.h>

    extern void *sys_call_table[];

    int (*org_syscall)(arg1, arg2, ...);

    int new_syscall(arg1, arg2, ...)
    {
        /* Manipulate here */
        return 0;
    }

    int init_module(void)
    {
        org_syscall = sys_call_table[SYSCALL_NO];
        sys_call_table[SYSCALL_NO] = new_syscall;
        return 0;
    }

    void cleanup_module(void)
    {
        sys_call_table[SYSCALL_NO] = org_syscall;
    }
Slide 14: Issues in resolving the sys_call_table symbol
  • I. If it is exported by the kernel (cat /proc/ksyms | egrep sys_call_table): let insmod resolve the symbol while loading.
  • II. If /boot/System.map is available (cat /boot/System.map | egrep sys_call_table): hardcode the address found.
  • III. Otherwise scan kernel memory from a known exported symbol (system_utsname) for the table whose __NR_read entry points at sys_read:

        sys_table = (unsigned long *)&system_utsname;
        i = 1000;
        while (i--) {
            if (sys_table[__NR_read] == (unsigned long)sys_read) {
                sys_call_table = sys_table;
                flag = 1;
                break;
            }
            sys_table++;
        }
Slide 15: Examples
Slide 16: Hack 1: Hiding a File Name
System call to be replaced: sys_getdents

    int new_sys_getdents(unsigned int fd, struct dirent *dirp, unsigned int cnt)
    {
        /* Pseudo code */
        if (dirp->d_name matches hide_file)
            return 0;
        else
            call original sys_getdents;
        return 0;
    }
Slide 17: Hack 2: Hiding Full File Contents
System call to be replaced: sys_open

    int new_sys_open(const char *pathname, int flag, mode_t mode)
    {
        /* Pseudo code */
        if (pathname matches hide_file)
            return 0;
        else
            call original sys_open;
        return 0;
    }
Slide 18: Hack 3: Filtering Data While Writing into a File
System call to be replaced: sys_write

    int new_sys_write(unsigned int fd, char *buf, unsigned int count)
    {
        /* Pseudo code */
        if (buf matches pattern)
            return 0;
        else
            call original sys_write;
        return 0;
    }
Slide 19: Hack 4: Avoid Any File Ownership Check
System call to be replaced: sys_getuid

    int new_sys_getuid(uid_t uid)
    {
        /* Pseudo code */
        if (uid == MAGICUID) {
            current->uid = 0;  current->euid = 0;   /* (SuperUser) */
            current->gid = 0;  current->egid = 0;
            return 0;
        } else
            call original sys_getuid;
        return 0;
    }
Slide 20: Hack 5: Process Hiding
System call to be replaced: sys_getdents
Pseudo code: scan the task structures to get the PID from the process name, then hide the directory corresponding to that PID in /proc.
Slide 21: Hack 6: Hiding an Open Socket Connection
System call to be replaced: none
Pseudo code: go to the /proc/net/tcp file and modify the seq_show field of the tcp_seq_afinfo structure.
Slide 22: Hack 7: Hiding Our LKM
System call to be replaced: sys_init_module

    int new_init_module()
    {
        /* Pseudo code */
        register struct module *mp asm("ebp");
        *(char *)mp->name = 0;
        mp->size = 0;
        mp->ref = 0;
    }
Slide 23: Code Injection Methods
  • Stand-alone module
  • Embedding within another module
  • How to embed a module within another: modifying .kstrtab

        gcc eepro100.o my_mod.o -o eepro100.o
        objdump -t test.o
        SYMBOL TABLE:
        0000000000000000 g     F .text  0000000000000014 init_module
        0000000000000028 g     F .text  0000000000000014 cleanup_module
        0000000000000014 g     F .text  0000000000000014 evil_module

  • insmod resolves the entry points by name, so whatever is called init_module in the combined object is what runs:

        module->init = obj_symbol_final_value(f, obj_find_symbol(f, "init_module"));
        module->cleanup = obj_symbol_final_value(f, obj_find_symbol(f, "cleanup_module"));

Slide 24: PART III: LKM Counter Hacks
Slide 25: Detection Techniques
The first step to combat malicious LKMs is to detect them.
  • Check for simple anomalies: bandwidth usage, disk space, syslog entries, directories with names like "...".
  • Look for known "signatures" in system binaries affected by trojans like Adore and Knark, e.g. the /dev/ptyp entry in the ps command, CGI attacks, SMB probes.
  • Tools like chkrootkit and rkscan work on this technique.
Slide 26: Detection Techniques
Entities likely to get modified by illegal LKMs:
  • Commands like ps, ls, cd, netstat and others
  • Critical function pointer tables (e.g. sys_call_table)
  • Kernel text section
Integrity changes to the above entities can be detected by their altered fingerprints, and by instruction counts per system call.
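One way to apply the fingerprint check to sys_call_table, as an added example that is not part of the presentation: the System.map excerpt and the two table dumps below are constructed, the system call numbers are the i386 ones, and the tool that dumps the live table (through /dev/kmem or a trusted module) is assumed to exist separately.

```python
"""Fingerprint sys_call_table against System.map (added example; inputs constructed)."""
import hashlib

# Constructed System.map excerpt, "address type symbol" (the static symbol list).
SYSTEM_MAP = """\
c0100000 T _text
c0126a10 T sys_getuid
c0134c10 T sys_read
c0134d20 T sys_write
c0138a40 T sys_open
c013f0e0 T sys_getdents
c02e4000 A _etext
"""
# Constructed dumps of sys_call_table as "NR address"; i386 syscall numbers.
CLEAN_TABLE = "3 c0134c10\n4 c0134d20\n5 c0138a40\n24 c0126a10\n141 c013f0e0\n"
# Same table after getdents (141) was redirected into module memory (vmalloc area).
HOOKED_TABLE = "3 c0134c10\n4 c0134d20\n5 c0138a40\n24 c0126a10\n141 c883a0c0\n"
# Which handler each entry must point at; extend for the calls you care about.
EXPECTED = {3: "sys_read", 4: "sys_write", 5: "sys_open", 24: "sys_getuid", 141: "sys_getdents"}

def parse_system_map(text):
    """Return {symbol: address}; includes _text/_etext, the kernel text bounds."""
    syms = {}
    for line in text.splitlines():
        addr, _kind, name = line.split()
        syms[name] = int(addr, 16)
    return syms

def parse_table(text):
    """Return {syscall_nr: handler_address} from a 'NR address' dump."""
    return {int(nr): int(addr, 16) for nr, addr in (l.split() for l in text.splitlines())}

def fingerprint(table):
    """Stable hash of the whole table: record it on a clean system, compare later."""
    h = hashlib.sha256()
    for nr in sorted(table):
        h.update(f"{nr}:{table[nr]:08x}\n".encode())
    return h.hexdigest()

def check_table(table, syms):
    """List (nr, reason) for handlers outside kernel .text (where module code
    lives) or not equal to the symbol System.map says they should be."""
    findings = []
    lo, hi = syms["_text"], syms["_etext"]
    for nr, addr in sorted(table.items()):
        want = syms.get(EXPECTED.get(nr))
        if not lo <= addr < hi:
            findings.append((nr, f"handler {addr:#x} outside kernel .text"))
        elif want is not None and addr != want:
            findings.append((nr, f"handler {addr:#x} is not {EXPECTED[nr]} ({want:#x})"))
    return findings
```

The range check catches a hook even for entries you never baselined, because a module's code cannot live inside the kernel's own .text; the symbol check catches a jump target that was placed back inside .text.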
Slide 27: Detection Techniques
Tracking behavioral anomalies:
  i) a module containing an instruction that performs a write operation to an illegal memory area;
  ii) a module having instructions that refer to forbidden kernel symbols in order to calculate an address in the kernel's address space, and then performs a write operation using this address.
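As an added example of the pre-load vetting behind item ii, and of catching the smuggled evil_module from the code injection slide, not code from the presentation: a checker over objdump -t output. The listing below is constructed, and which symbols count as forbidden is an assumption of this example.

```python
"""Vet a module object before insmod (added example; the objdump listing is constructed)."""
import re

# Constructed `objdump -t` output for a driver object with a smuggled module
# that also resolves sys_call_table and system_utsname from the kernel.
OBJDUMP_T = """\
eepro100.o:     file format elf32-i386

SYMBOL TABLE:
00000000 l    df *ABS*  00000000 eepro100.c
00000000 g     F .text  00000014 init_module
00000028 g     F .text  00000014 cleanup_module
00000014 g     F .text  00000014 evil_module
00000000         *UND*  00000000 printk
00000000         *UND*  00000000 sys_call_table
00000000         *UND*  00000000 system_utsname
"""

# Assumed policy: symbols a device driver has no reason to reference.
FORBIDDEN = {"sys_call_table", "system_utsname", "module_list"}
# The only global functions a plain module needs to export.
EXPECTED_ENTRY = {"init_module", "cleanup_module"}

def parse_objdump_symbols(text):
    """Return (name, section, is_global, is_func) for each symbol line.
    objdump prints: address flags section size name; flags may be blank."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not re.fullmatch(r"[0-9a-f]+", parts[0]):
            continue  # header, blank or non-symbol line
        name, section = parts[-1], parts[-3]
        flags = parts[1:-3]
        out.append((name, section, "g" in flags, "F" in flags))
    return out

def vet_module(text):
    """Return findings: undefined references to forbidden kernel symbols,
    and global functions beyond the expected entry points."""
    findings = []
    for name, section, is_global, is_func in parse_objdump_symbols(text):
        if section == "*UND*" and name in FORBIDDEN:
            findings.append(("forbidden-ref", name))
        elif is_global and is_func and name not in EXPECTED_ENTRY:
            findings.append(("extra-global-func", name))
    return findings
```

Real drivers legitimately export helper functions too, so treat an extra global as a prompt to inspect the object, while a forbidden reference is a hard stop.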
Slide 28: Prevention Techniques
  • Compile the kernel without LKM support. But hacks are still possible using /dev/kmem.
  • Use an LKM to monitor the system and prevent unauthorized LKMs.
  • Look for evidence of the rootkit and eliminate it: format the hard drive, reload the OS and restore the data from backup.
Slide 29: Prevention Techniques
The LIDS philosophy:
  • View Linux as a set of subjects and objects.
  • Subjects (programs) are given rights to access objects (files, directories, devices, network) and to perform some operations.
  • The rights can also be restricted by time.
  • There is also a set of global capabilities.
There are several kernel patches implementing the MAC model aimed at increasing security, like LoMac and NSA Security Enhanced Linux.
Slide 30: Prevention Techniques
How about cryptographic solutions?
Fig: a module load request from user space is checked by a kernel that holds a public key before it is allowed (user space / kernel space).
Proper configuration and the right locations are the key for security.
Slide 31: Prevention Techniques
Proper configuration is the key for security.
Slide 33: Thank You
Biswajit Paul, Dinakara K, {biswajit, dinu}@cair.res.in, CAIR (DRDO), Bangalore, INDIA