zfs
play

ZFS Enhancing the Open Source Storage System (and the Kernel) 1 - PowerPoint PPT Presentation

Aug 29, 2023 •222 likes •591 views

ZFS Enhancing the Open Source Storage System (and the Kernel) 1 Christian Kendi Who am I? Soy Christian Kendi I do IT-Security Consultant (Kernel)-Developer Penetration tester Exploit coder CEO & Founder of

  1. ZFS Enhancing the Open Source Storage System (and the Kernel) 1 Christian Kendi

  2. Who am I? • Soy Christian Kendi • I do … – IT-Security Consultant – (Kernel)-Developer – Penetration tester – Exploit coder – CEO & Founder of Iron Software 2 Christian Kendi

  3. What is this->talk about? • ZFS (Zetabyte File System) • Open Solaris Gate (Kernel) 3 Christian Kendi

  4. What is this->not about? • Further explanation on how file systems work in general • Deeper insight into the design and development of ZFS (raidz, allocator, etc.) • Rootkits (well  ), we are not too far away from a rootkit 4 Christian Kendi

  5. What is ZFS? • Revolutionary Open Source Storage System • 128-bit file system • Capable of storing 16 EiB (1,024 Pebibytes) • Transparent Compression, Encryption, etc… • Ported to multiple Operating Systems (Mac OS X, BSD, Linux) 5 Christian Kendi

  6. ZFS features • Storage pools • Snapshots • (Incremental) Backups between Snapshots • Variable block-size up to 128-kilobyte • On-the-fly compression (LZJB, gzip[1-9]) • 256-bit block checksums (fletcher2/4 or SHA-256) • Self Healing (On-the-fly Error Correction) • Open Source (yes its a feature ;) 6 Christian Kendi

  7. ZFS internal overview ZPL (ZFS POSIX Layer) ZVOL (ZFS Emulated Volume) DMU (Data Management Unit) DSL (Dataset and Snapshot Layer) ZAP (ZFS Attribute Processor) ZIL (ZFS Intent Log) ARC (Adaptive Replacement Cache) Pool Configuration (SPA) 7 ZIO (ZFS I/O Pipeline) Christian Kendi

  8. DEMO Create a pool, filesystem and work with snapshots 8 Christian Kendi

  9. Security aspects about ZFS • Offline honey pot analysis • Backup’s of Mission Critical Systems • Embedded Antivirus support for blocking infected files • Revert a hacked host back to installation state within seconds • Forensics by differential FS analysis • ACLs 9 Christian Kendi

  10. Storage Security Concerns • The most valuable information is stored in databases and storage Systems • Having access to the company's storage equals having the company • More to come later… 10 Christian Kendi

  11. ZFS enhancing, how? • A file system is always kernel based • Open Solaris ON NV (Gate) Source Code • Building a kernel module • Hooking internal ZFS functions • Provide a separate FS-Layer for the “enhances” 11 Christian Kendi

  12. ZFS enhancing, helpers? • kmdb is incredible! • dtrace & truss modules::list "struct modctl" mod_next | ::print "struct modctl” { mod_next = 0xfec479e0 mod_prev = 0xda0564c8 mod_id = 0 mod_mp = 0xfec42d90 mod_inprogress_thread = 0 mod_modinfo = 0 mod_linkage = 0 mod_filename = 0xfec42d68 "/platform/i86pc/kernel//unix" mod_modname = 0xfec42d80 "unix” 12 Christian Kendi

  13. ZFS enhancing, how? #2 • movl $add, %eax; jmp *%eax • Assembly code injection 13 Christian Kendi

  14. ZFS enhancing, how? #2 • But of course we don't want to rewrite the entire ZFS code. • First bytes are restored when executing from the orig_handler within the hook. 14 Christian Kendi

  15. ZFS enhancing, what? • dtrace and truss are your friends • Find the desired functions 15 Christian Kendi

  16. ZFS enhancing, syscalls? • Okay, admitted. Old but nice. Why? • Crypto Gate ;) • Just to be flexible 16 Christian Kendi

  17. ZFS enhancing, functions? • All userland <-> kernel communication is in zfs_ioctl.c • zfs_ioc_pool_configs() will deliver all available pools – Or not • Solaris handles dynamic data with nvlists • Dynamic means DYNAMIC. 17 Christian Kendi

  18. ZFS enhancing, nvlists 18 Christian Kendi

  19. ZFS enhancing, functions? 19 Christian Kendi

  20. ZFS, The Hackers point of View • Hide “something” • Anti-forensics against unloading the module • + Hide data in a way that offline analysis is hard • Yes, Crypto is a solution, but…. – the key must be stored _somewhere_ 20 Christian Kendi

  21. ZFS, The Hackers point of View #2 • Some ideas… – a private storage pool – mirror the companys pool over the internet. (iSCSI, zfs send) 21 Christian Kendi

  22. ZFS, The Hackers point of View #3 • Interesting ioctl’s ZFS_IOC_SEND ZFS_IOC_RECV ZFS_IOC_SNAPSHOT ZFS_IOC_POOL_STATS ZFS_IOC_POOL_GET_PROPS ZFS_IOC_POOL_CONFIGS ZFS_IOC_SNAPSHOT_LIST_NEXT ZFS_IOC_DATASET_LIST_NEXT 22 Christian Kendi

  23. ZFS enhancing, hide something? • It’s all there by it-self. “.zfs” is invisible • Analysis and code reading/auditing revealed interesting stuff 23 Christian Kendi

  24. ZFS enhancing, hide something? #2 • .zfs is a VFS (Virtual File System) layer by itself • With ZFS we don't just hide directories or files, we hide entire file systems or storage pools – Each hidden FS/pool has its own VFS entry – VFS controls all FS specific operations VOPNAME_LOOKUP, { .vop_lookup = ksh_root_lookup }, – > Have different ZFS revisions in a single kernel – ZFS Crypto Gate 24 Christian Kendi

  25. ZFS enhancing, hide something? #3 25 Christian Kendi

  26. ZFS enhancing, Anti-forensics • ZFS binary and kernel module contain checks for invalid datasets, i.e. internal datasets • Built-in support for hiding Storage Pools and ZFSs across Systems. Apr 9 13:06:16 opensolaris-vm winnipu: [ID 181094 kern.warning] WARNING: hook_zfs_ioc_dataset_list_next(): zc_name: rpool/ $MOS cookie: 133e8aad Apr 9 13:06:17 opensolaris-vm winnipu: [ID 181094 kern.warning] WARNING: hook_zfs_ioc_dataset_list_next(): zc_name: rpool/ $ORIGIN cookie: 13763f21 • Module independent, 0day?  • zfs send independent • Snapshot resistant • Pools and ZFS’s wont show up even if module is not loaded • Takes advanced personnel to find the pool 26 Christian Kendi

  27. ZFS enhancing, Anti-forensics #2 • Patch zfs binary to allow ‚$‘ • Hook dataset_namecheck() – Allow “all” characters to special PIDs • LD_PRELOAD recompiled libzfs.so.1 with new zfs binary • list, create, snapshot, send/recv, etc… considered internal datasets 27 Christian Kendi

  28. Anti-debugging? • Because, the code is all mine. • Symbol relocation is done is in the Elf header • The Module pointer holds mp->symtbl • sp = (Sym *)(mp->symtbl + i * mp->symhdr- >sh_entsize); & sp->st_value = 0x???????? is your friend • kobj_sync() refresh’s the module symtab • Have fun debugging 0xfe?????? and m0e3asd 28 Christian Kendi

  29. DEMO Let‘s make some magic 29 Christian Kendi

  30. Poopool • What is “poopool”? $ ./new_zfs.sh list poopool sending request for PID 806... done! NAME USED AVAIL REFER MOUNTPOINT poopool 40.3M 123M 40.1M none $ zpool status poopool pool: poopool state: ONLINE scrub: none requested config: NAME STATE READ WRITE CKSUM poopool ONLINE 0 0 0 /root/poopool.raw ONLINE 0 0 0 errors: No known data errors 30 Christian Kendi

  31. Hidden subpools with “$” • poopool/$bleh • Won’t automount (nice) NAME USED AVAIL REFER MOUNTPOINT poopool/$bleh 18K 123M 18K /system/.zfs/asdf • Everything about ZFS can be logged 31 Christian Kendi

  32. Let’s sum it up • Kernel hacking • Some ZFS internals • VFS Layers • Dynamic Symbol Relocation 32 Christian Kendi

  33. Outlook • Hot-patching mission critical systems • Implementing new (desired) features into a running system • Adapting a second protection layer • ZFS Crypto gate in code review (still) 33 Christian Kendi

  34. Questions? 34 Christian Kendi

  35. Thanks for listening Have fun! 35 Christian Kendi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Question Answering and AnswerFinder Diego Moll a Centre for Language Technology Department of

Question Answering and AnswerFinder Diego Moll a Centre for Language Technology Department of

AnswerFinder Stages in Question Answering Learning Question Answering Rules Question Answering and AnswerFinder Diego Moll a Centre for Language Technology Department of Computer Science Macquarie University Athens, 4 July 2007 Diego

1.03k views • 64 slides
26: 010: 680 26: 010: 680 Current Topics in Current Topics in Accounting Research Accounting

26: 010: 680 26: 010: 680 Current Topics in Current Topics in Accounting Research Accounting

26: 010: 680 26: 010: 680 Current Topics in Current Topics in Accounting Research Accounting Research Dr. Peter R. Gillett Associate Professor Department of Accounting, Business Ethics and Information Systems Rutgers Business School

1.27k views • 60 slides
ENERGY MARKET AUTHORITY 28 April 2015 | Asia to lead in global energy demand Primary energy

ENERGY MARKET AUTHORITY 28 April 2015 | Asia to lead in global energy demand Primary energy

ENERGY MARKET AUTHORITY 28 April 2015 | Asia to lead in global energy demand Primary energy demand* and the share of global growth IMAGE GOES HERE IEA, World Energy Outlook, 2014 *Energy demand in Mtoe China, India and Middle East will

443 views • 22 slides
Introduction to The Web of Things Niels Olof Bouvin 1 Overview What is the Internet of Things?

Introduction to The Web of Things Niels Olof Bouvin 1 Overview What is the Internet of Things?

Introduction to The Web of Things Niels Olof Bouvin 1 Overview What is the Internet of Things? The vision Domains of the Internet of Things The challenges The Proto Web of Things The Raspberry Pi as a WoT platform The challenge of the

1.21k views • 63 slides
Highlights from Lecture 8 Vadadora Study: Poverty Action Lab Computing and the Computer

Highlights from Lecture 8 Vadadora Study: Poverty Action Lab Computing and the Computer

Highlights from Lecture 8 Vadadora Study: Poverty Action Lab Computing and the Computer Aided Learning improves educational outcomes Developing World MultiMouse One on one classroom computing CSEP 590B, Spring 2008 Lecture

492 views • 4 slides
The State of the Art on .NET 12 Months of Things To Learn Amanda Laucher ThoughtWorks Josh

The State of the Art on .NET 12 Months of Things To Learn Amanda Laucher ThoughtWorks Josh

The State of the Art on .NET 12 Months of Things To Learn Amanda Laucher ThoughtWorks Josh Graham Hashrocket (overview) Negative connotations about the ecosystem A lot of innovation from other platforms being applied Very

489 views • 21 slides
Statistical Challenges Towards a Semantic Model for Precision Agriculture and Precision Livestock

Statistical Challenges Towards a Semantic Model for Precision Agriculture and Precision Livestock

www.cybele-project.eu Statistical Challenges Towards a Semantic Model for Precision Agriculture and Precision Livestock Farming Dimitris Zeginis , Evangelos Kalampokis, Konstantinos Tarabanis SemStats 2019 This project has received funding from

169 views • 14 slides
Variadic Templates Frej Soya Jorgen Haahr May 9, 2008 What is Variadic Templates?

Variadic Templates Frej Soya Jorgen Haahr May 9, 2008 What is Variadic Templates?

Variadic Templates Frej Soya Jorgen Haahr May 9, 2008 What is Variadic Templates? Variable number of template parameters Short example template &lt; typename . . . Values &gt; c l a s s t u p l e ; main () { i n t tuple &lt; int ,

377 views • 13 slides
The State of the Art on .NET 12 Months of Things To Learn Amanda Laucher

The State of the Art on .NET 12 Months of Things To Learn Amanda Laucher

The State of the Art on .NET 12 Months of Things To Learn Amanda Laucher amanda.laucher@thoughtworks.com @pandamoniel Josh Graham joshua.graham@grahamis.com @delitescere Sunday, December 5, 2010 Negative connotations about the ecosystem A

603 views • 32 slides
N e x t - G e n e r a t i o n R o b o t i c s : U s h e r i n g i

N e x t - G e n e r a t i o n R o b o t i c s : U s h e r i n g i

1 1 N e x t - G e n e r a t i o n R o b o t i c s : U s h e r i n g i n t h e F u t u r e EXPO 2005 TOYOYA GROUP EXHIBITION GUIDE T O Y O T A M o t o r C o r p o r a t i o n T

442 views • 19 slides
your heating bill Event supported by Introductions Housekeeping Fire alarms Fire exits

your heating bill Event supported by Introductions Housekeeping Fire alarms Fire exits

How to save energy and reduce your heating bill Event supported by Introductions Housekeeping Fire alarms Fire exits Assembly point Toilets Mobile phones Questions Phones to silent Workshop aim To provide you with

1.27k views • 107 slides
Rapid Application Prototyping with Java &amp; MongoDB Trisha Gee, MongoDB Java Engineer Fully

Rapid Application Prototyping with Java &amp; MongoDB Trisha Gee, MongoDB Java Engineer Fully

#GOTOChgo @trisha_gee Rapid Application Prototyping with Java &amp; MongoDB Trisha Gee, MongoDB Java Engineer Fully Buzz Word Compliant AngularJS (HTML5, JavaScript) Bootstrap (&amp; UI Bootstrap) Drop Wizard (Jackson, Jersey,

481 views • 25 slides
Deviant and Non Deviant Risk Deaths from ecstasy (30) and

Deviant and Non Deviant Risk Deaths from ecstasy (30) and

Some cri)cal remarks on lifestyle risk Deviant and Non Deviant Risk Deaths from ecstasy (30) and horse riding (100) Heres a

256 views • 7 slides
SPA meeting, DESY The SUSY Les Houches Accord hep-ph/0311123 : P . Skands, B.C. Allanach, H.

SPA meeting, DESY The SUSY Les Houches Accord hep-ph/0311123 : P . Skands, B.C. Allanach, H.

SPA meeting, DESY The SUSY Les Houches Accord hep-ph/0311123 : P . Skands, B.C. Allanach, H. Baer, C. Balzs, G. Blanger, F . Boudjema, A. Djouadi, R. Godbole, J. Guasch, S. Heinemeyer, W. Kilian, J. Kneur, S. Kraml, F . Moortgat, S.

652 views • 20 slides
Employer Contributions for Health Insurance as a Percent of Compensation, 1950-2010 p , Percent

Employer Contributions for Health Insurance as a Percent of Compensation, 1950-2010 p , Percent

Employer Contributions for Health Insurance as a Percent of Compensation, 1950-2010 p , Percent of employee compensation 8 1980 2010 1980-2010 7 6 3.3 pctg. pts. 5 4 3 2 1 0 1950 1960 1970 1980 1990 2000 2010 Health Spending

672 views • 15 slides
W3C Workshop DNT And Beyond Future Directions Panel Frank Dawson frank dot dawson at nokia dot

W3C Workshop DNT And Beyond Future Directions Panel Frank Dawson frank dot dawson at nokia dot

W3C Workshop DNT And Beyond Future Directions Panel Frank Dawson frank dot dawson at nokia dot com 2012-11-27 Triangle of Trust Technology / Industry Trust Consumer / Policy / Advocacy Regulatory 2 Privacy safeguarding framework

278 views • 7 slides
classification of troubled families Social Policy Association Conference 2014 Stephen

classification of troubled families Social Policy Association Conference 2014 Stephen

Double Trouble: on the classification of troubled families Social Policy Association Conference 2014 Stephen Crossley PhD Candidate School of Applied Social Sciences The long history. 1880s Victorian residuum 1910s

592 views • 19 slides
Spa$o-Textual Similarity Joins Panagio$s Bouros 1,2 , Shen Ge 1 ,

Spa$o-Textual Similarity Joins Panagio$s Bouros 1,2 , Shen Ge 1 ,

Spa$o-Textual Similarity Joins Panagio$s Bouros 1,2 , Shen Ge 1 , Nikos Mamoulis 1 1 University of Hong Kong 2 Humboldt-Universitt zu Berlin 39 th Interna$onal

724 views • 37 slides
Motivation VM VM VM VM VMM 2 15-02-02 The Storage Performance Analyzer (SPA) Motivation

Motivation VM VM VM VM VMM 2 15-02-02 The Storage Performance Analyzer (SPA) Motivation

Storage Performance Analyzer (SPA) Measuring, Monitoring, and Modeling of I/O Performance in Virtualized Environments Feb 2, 2015 Qais Noorshams, Axel Busch , Samuel Kounev, Ralf Reussner Austin, Texas, USA SOFTWARE DESIGN AND QUALITY GROUP

569 views • 12 slides
Mitigate the Risks of Capture: The U.S. Case James A. Thurber Director and University

Mitigate the Risks of Capture: The U.S. Case James A. Thurber Director and University

Political Finance and its Impact on Public Policy and Decision Making ProcessesHow to Mitigate the Risks of Capture: The U.S. Case James A. Thurber Director and University Professor Center for Congressional and Presidential Studies

621 views • 37 slides
The Laravel Developer's The Laravel Developer's Guide to Vue SPAs Guide to Vue SPAs JESS ARCHER

The Laravel Developer's The Laravel Developer's Guide to Vue SPAs Guide to Vue SPAs JESS ARCHER

The Laravel Developer's The Laravel Developer's Guide to Vue SPAs Guide to Vue SPAs JESS ARCHER The BaseCode Podcast The BaseCode Podcast basecodefieldguide.com/podcast Social wish list and gift reminders Social wish list and gift reminders

1.05k views • 92 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas

SPA resistant Exponentiation based on Bruns GCD algorithm Val erie Berth e , Thomas Plantard Paris Diderot Universit e, University of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au 2019 Berthe, Plantard (IRIF,

1.16k views • 69 slides
LESSON BJECTIVE many scams on the Students explore Internet right now. ways to prevent

LESSON BJECTIVE many scams on the Students explore Internet right now. ways to prevent

2/12/16 There are so LESSON BJECTIVE many scams on the Students explore Internet right now. ways to prevent Send me $9.95 and iden%ty the* and I will tell you what avoid becoming a to watch out for! financial scam vic;m. 1 2/12/16

476 views • 10 slides

More recommend