undermining the linux kernel
play

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem - PowerPoint PPT Presentation

Nov 17, 2023 •106 likes •638 views

Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009 Overview What is a rootkit? Why is protec:on difficult? Current protec:on mechanisms/bypasses

  1. Undermining the Linux Kernel: Malicious Code Injec:on via /dev/mem Anthony Lineberry anthony.lineberry@gmail.com Black Hat Europe 2009

  2. Overview • What is a rootkit? • Why is protec:on difficult? • Current protec:on mechanisms/bypasses • Injec:on via /dev/mem • Fun things to do once you’re in • Proposed solu:ons

  3. Part I Rootkit?

  4. What is a rootkit? • Way to maintain access (regain “root” aVer successful exploita:on) • Hide files, processes, etc • Control ac:vity – File I/O – Network • Keystroke Logger

  5. Types of rootkits • User‐Land (Ring 3) – Trojaned Binaries (oldest trick in the book) • Binary patching • Source code modifica:on – Process Injec:on/Thread Injec:on • PTRACE_ATTACH, SIGNAL injec:on – Does not affect stability of system

  6. Types of rootkits • Kernel‐Land (Ring 0) – Kernel Modules/Drivers – Hot Patching memory directly! (we’ll get to that ;)

  7. Part II Why are rootkits hard to defend against?

  8. Why so hard? • Can control most everything in the system – System Calls cant be trusted – Network traffic – Can possibly detect if you are trying to detect it

  9. Why so hard? • Most modern rootkits live in the kernel • Kernel is God – Imprac:cal to check EVERYTHING inside kernel • Speed hits – Built in security can be circumvented by more kernel code (if an afacker can get code in, game over)

  10. Part III Current Rootkit Defense

  11. Current Defense • Checking Tables in kernel (sys_call_table, IDT, etc) – Compares tables against known good – Can be bypassed by crea:ng duplicate table to use rather than modifying the main table – Typical security cat and mouse game

  12. Current Defense • Hashes/Code Signing – In kernel • Hash cri:cal sec:ons of code • Require signed kernel modules – In userland • Hashes of system binaries – Tripwire, etc • Signed binaries • File System Integrity

  13. Current Defense • Non‐Modularity – Main suggested end all way to stop kernel space rootkits (obviously this is a fail) – /dev/kmem was previously used in a similar fashion, but read/write access has since been closed off in kernel mainline

  14. Part IV Code Injec:on via /dev/mem

  15. What is /dev/mem? • /dev/mem – Driver interface to physically addressable memory. – lseek() to offset in “file” = offset in physical mem • EG: Offset 0x100000 = Physical Address 0x100000 – Reads/Writes like a regular character device • Who needs this? – X Server (Video Memory & Control Registers) – DOSEmu

  16. Hijacking the kernel Kernel addressing is virtual. How do we translate to physical addresses?

  17. Address Transla:on • Find a Page Table Directory (stored in cr3 register) – Pros: • Guaranteed to be able to locate any physical page • Mi:gates page alloca:on randomiza:on situa:ons • Allows us to find physical pages of process user space

  18. Address Transla:on • Find a Page Table Directory (stored in cr3 register) – Cons: • Finding one is easier said than done • Heuris:c could be developed for loca:ng PTD in task struct, but there are easier ways.

  19. Address Transla:on • Higher half GDT loading concept applies • Bootloader trick to use Virtual Addresses along with GDT in unprotected mode to resolve physical addresses. – Kernel usually loaded at 0x100000 (1MB) in physical memory – Mapped to 0xC0100000 (3GB+1MB) Virtually

  20. Address Transla:on 0x40000000 GDT Base Address + 0xC0100000 Kernel Virtual Address = 0x00100000 Physical Address

  21. Address Transla:on • Obviously over thinking that… • No need to wrap around 32bit address, just subtract. – 0xC0100000 – 0xC0000000 = 0x100000 • If page alloca:on randomiza:on existed, this trick would not be possible

  22. Hijacking the kernel #define KERN_START 0xC0000000 int read_virt(unsigned long addr, void *buf, unsigned int len) { if(addr < KERN_START) return -1; /* addr is now physical address */ addr -= KERN_START; lseek(memfd, addr, SEEK_START); return read(memfd, buf, len); }

  23. Useful structures • Determine offset to important structures – IDT – sys_call_table – kmalloc() • Where are they?

  24. IDT • Interrupt Descriptor Table (IDT) – Table of interrupt handlers/call gates – 0x80’th handler entry = Syscall Interrupt • What can we do with it? – Replace Interrupt Handlers • Hardware: Network Cards, Disks, etc • SoVware: System Calls,

  25. IDTR • IDTR holds structure with address of IDT – Get/Set IDTR with LIDT/SIDT assembly instruc:ons – Unlike LIDT instruc:on, SIDT is not protected and can be executed from user space to get IDT address. – Wont work in most VM’s • Hypervisors return bogus IDT address

  26. IDTR IDTR Structure Base Address (4 btyes) Limit (2 bytes) struct { uint32_t base; uint16_t limit; } idtr; __asm__(“sidt %0” : “=m”(idtr));

  27. IDT Entry IDT Entry (8 bytes) 0 16 31 Low 16bits of Handler Address Code Segment Selector Flags High 16bits of Handler Address

  28. IDT IDT idtr.base

  29. IDT IDT idtr.base idtr.base + (0x80 * 8) Entry for Syscall Interrupt

  30. IDT IDT idtr.base idtr.base + (0x80 * 8) Entry for Syscall Interrupt system_call()

  31. System Calls • system_call() – Main entry point for system calls • sys_call_table – Array of func:on pointers – sys_read(), sys_write(), etc

  32. System Calls • Syscall Number stored in EAX register call ptr 0x????????(eax,4) – 0x???????? Is the address of sys_call_table • Opcode for instruc:on: FF 14 85 ?? ?? ?? ?? – Read in memory at system_call(), search for byte sequence “\xFF\x14\x85”. Next 4 following bytes are address of sys_call_table!

  33. Hijacking the kernel • Now we can: – Find IDT – Find system_call() handler func:on – Use simple heuris:c to find address of sys_call_table • What now? – Overwrite system calls with our own code!

  34. Hijacking the kernel • Where do we put our code? – Kernel Memory Pool • Traverse malloc headers looking for free blocks • Not atomic opera:on, cant guarantee we’ll beat kernel – Certain “guard pages” in kernel – Allocate space in the kernel • We can locate __kmalloc() inside the kernel and call that

  35. Hijacking the kernel • Finding __kmalloc() – Use heuris:cs push GFP_KERNEL push SIZE call __kmalloc – Find kernel symbol table • Search for “\0__kmalloc\0” in memory • Find reference to address of above sequence then subtract 4 bytes from loca:on

  36. Hijacking the kernel • How can we allocate kernel memory from userspace? – Locate address of __kmalloc() in kernel space – Overwrite a system call with code to call __kmalloc() – Call system call – Someone else could poten:ally call the same system call and cause system instability

  37. Func:on Clobbering sys_uname() Backup Buffer sys_call_table __NR_uname __kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc0123456, %ecx call %ecx ret

  38. Func:on Clobbering sys_uname() Backup Buffer sys_call_table 100 bytes __NR_uname __kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc0123456, %ecx call %ecx ret

  39. Func:on Clobbering sys_uname() Backup Buffer sys_call_table 100 bytes __NR_uname __kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc0123456, %ecx call %ecx ret

  40. Func:on Clobbering sys_uname() Backup Buffer sys_call_table 100 bytes __kmalloc stub __NR_uname

  41. Hijacking the kernel • Call sys_uname() unsigned long kernel_buf; __asm__(“mov $122, %%eax \n” “int $0x80 \n” “mov %%eax, %0 ” : “=r”(kernel_buf)); • Address of buffer allocated in kernel space returned by syscall in EAX register

  42. Part V Fun things to do inside the kernel

  43. Hijacking the kernel • Recap: – read/write anywhere in memory with /dev/mem – sys_call_table – Kernel alloca:on capabili:es – Time to have fun!

  44. Hijacking the kernel • What can we do? – Use our kernel buffers we allocated to store raw executable code. – Overwrite func:on pointers in kernel with address of our allocated buffers • sys_call_table entries, page fault handler code – Setup code to use Debug registers to “hook” system call table

  45. Hijacking the kernel • What can we do with our injected code? – Anything most other rootkits can do. • Hide files, processes, etc • Control network ac:vity • Limita:ons – All injected code must usually be handwrifen assembly – Some structures/func:ons can be difficult to locate in memory

  46. Part V Solu:ons/Mi:ga:on

  47. Solu:ons • Why does a legi:mate user process need access to read anything from above 16k in physical memory? – SELinux has created a patch to address this problem (RHEL and Fedora kernels are safe) – Modifies mem driver to disallow lseeks past 16k

  48. Solu:ons Mainline kernel has addressed this as of 2.6.26!

  49. Solu:ons Mainline kernel has addressed this as of 2.6.26! Sort of…

  50. Solu:ons • Added func:ons in kernel – range_is_alloc() • Checks each page in range of address space being accessed – devmem_is_allowed() • Called by range_is_allowed() • Checks if address is within first 256 pages (1MB)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019 http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematjcs and physics faculty of mathematjcs and physics Vlastimil Babka vbabka@suse.cz

1.6k views • 62 slides
Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D. cl@linux.com Collaboration Summit, Napa Valley, 2014 Non Uniform Memory access in the Linux Kernel Memory is segmented into nodes so that

518 views • 12 slides
Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January The Linux of Things | #LCA2019 | @linuxconfau 2019 Christchurch, NZ Making C Less Dangerous in the Linux Kernel Linux Conf AU January 25,

505 views • 29 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

Introduction to Cache Quality of service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem definition Existing techniques Why use Kernel QOS framework Intel Cache qos support Kernel

1.5k views • 32 slides
Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2. Kernel Modules Friedrich Schiller University Jena 3. Char Drivers Department of Mathematics and 4. Advanced Char Drivers Computer Science 5.

531 views • 12 slides
CS 423 Operating System Design: Introduction to Linux Kernel Programming (MP1 Q&amp;A)

CS 423 Operating System Design: Introduction to Linux Kernel Programming (MP1 Q&amp;A)

CS 423 Operating System Design: Introduction to Linux Kernel Programming (MP1 Q&amp;A) Alberto Alvarez CS423: Operating Systems Design MP1 Goals Get yourself familiar with Linux kernel programming Learn to use the kernels linked

451 views • 32 slides
Software Programming Language Compiler /Interpreter next Operating System few weeks

Software Programming Language Compiler /Interpreter next Operating System few weeks

Program, Application Software Programming Language Compiler /Interpreter next Operating System few weeks Instruction Set Architecture Microarchitecture Hardware Digital Logic Devices (transistors, etc.) Solid-State Physics CSAPP book is

477 views • 29 slides
MIPS Assembly (Memory Fundamentals) 2 Lab Schedule Activities Assignments Due This Week Lab

MIPS Assembly (Memory Fundamentals) 2 Lab Schedule Activities Assignments Due This Week Lab

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific MIPS Assembly (Memory Fundamentals) 2 Lab Schedule Activities Assignments Due This Week Lab 10 Due by Apr 11 th 5:00am Tuesday: MIPS lecture

542 views • 28 slides
Slides for Lecture 2 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng

Slides for Lecture 2 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng

Slides for Lecture 2 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng Electrical &amp; Computer Engineering Schulich School of Engineering University of Calgary 11 September, 2013 slide 2/21 ENEL 353 F13 Section 02

363 views • 21 slides
Linear programs 10-725 Optimization Geoff Gordon Ryan Tibshirani Review: LPs max 2x+3y

Linear programs 10-725 Optimization Geoff Gordon Ryan Tibshirani Review: LPs max 2x+3y

Linear programs 10-725 Optimization Geoff Gordon Ryan Tibshirani Review: LPs max 2x+3y s.t. LPs: m constraints, n vars x + y 4 A: R m n b: R m c: R n x: R n 2x + 5y 12 ineq form x + 2y 5 [min or max] c T x s.t.

277 views • 25 slides
Computer Organization &amp; Assembly Language Programming (CSE 2312) Lecture 8: Instructions

Computer Organization &amp; Assembly Language Programming (CSE 2312) Lecture 8: Instructions

Computer Organization &amp; Assembly Language Programming (CSE 2312) Lecture 8: Instructions Review and Addressing Modes Taylor Johnson Announcements and Outline Quiz 3 on Blackboard site (due 11:59PM Friday) Review binary arithmetic

404 views • 36 slides
Section 5 Section 5 Addressing Modes a 5-1 1 ADSP-BF533 Block Diagram L1 Core Instruction

Section 5 Section 5 Addressing Modes a 5-1 1 ADSP-BF533 Block Diagram L1 Core Instruction

Section 5 Section 5 Addressing Modes a 5-1 1 ADSP-BF533 Block Diagram L1 Core Instruction Timer 64 Memory Performance Core LD0 32 Monitor Processor L1 Data LD1 32 Memory JTAG/ Debug SD32 Core D0 bus Core I bus DMA Mastered

549 views • 34 slides
EE456 Digital Communications Professor Ha Nguyen September 2015 EE456 Digital

EE456 Digital Communications Professor Ha Nguyen September 2015 EE456 Digital

Chapter 6: Baseband Data Transmission EE456 Digital Communications Professor Ha Nguyen September 2015 EE456 Digital Communications 1 Chapter 6: Baseband Data Transmission Introduction to Baseband Data Transmission Bits are mapped

657 views • 18 slides
ECEN 5032 Data Networks Physical Layer: Communication Theory Peter Mathys mathys@colorado.edu

ECEN 5032 Data Networks Physical Layer: Communication Theory Peter Mathys mathys@colorado.edu

ECEN 5032 Data Networks Physical Layer: Communication Theory Peter Mathys mathys@colorado.edu University of Colorado, Boulder Data Networks, Communication Theory, c 19962005, P . Mathys p.1/4

398 views • 4 slides

More recommend