The Guardian Kernel Module
Sarah Diesburg, Louis Brooks
June 5, 2006

1 Introduction
• St. Michael Linux Kernel Module
  – Overview
  – Functionality
  – Upgrade Issues
• Our Kernel Module (The Guardian)
  – Functionalities we will implement
• Screen shots of St. Michael in action

2 St. Michael Kernel Module
• Made for the 2.2 and 2.4 series of kernels.
• No longer maintained.
• Main purpose was to protect itself, the kernel, and the system call table from unauthorized modification.
• Could even reload the running kernel from a restore point if the kernel was compromised.

3 St. Michael Functionalities
• The functionalities of St. Michael include:
  – Monitoring the pointers to system calls for any changes.
  – The ability to cloak itself from the running kernel and from commands like lsmod.
  – Monitoring the loading and unloading of modules to make sure other modules do not cloak themselves.

4 St. Michael Functionalities (cont.)
• Extensive md5 summing of critical components such as:
  – /sbin/init and /proc/ksyms
  – System calls
  – Loaded modules
  – Kernel text
  – St. Michael's own functions

5 St. Michael Functionalities (cont.)
• Setting and enforcing the immutable flag on important files.
• Ability to reboot the system after a compromise.
• Ability to reload the running kernel or the system call mappings.
• Limiting write access to the device /dev/kmem.

6 St. Michael Upgrade Issues
• The sys_call_table symbol is not exported in the 2.6 kernels.
  – We have two choices to work around this.
• System calls have changed since the 2.2 and 2.4 kernels.
• Module initialization may have changed since the 2.2 and 2.4 kernels.

7 St. Michael Upgrade Issues (cont.)
• There is no /proc/ksyms in the 2.6 kernel.
  – /proc/kallsyms might be a suitable replacement.
• We need to use newer spinlocks.
  – St. Michael used the "big kernel lock".
• The St. Michael code is too long and complicated to upgrade fully.
  – We will implement a subset of its functionality.
  – A rewrite of the module is in order.

8 Our Kernel Module (The Guardian)
• Our subset of functionalities will include:
  – Monitoring the loading and unloading of modules
    • Wrappers around the load and unload system calls
  – Monitoring the system call mappings
    • On system boot we will keep a local copy of the correct system call mapping and periodically compare the kernel's live table against it with a kernel timer.

9 Our Kernel Module (The Guardian)
  – Monitoring integrity through md5 summing of:
    • Guardian (our module)
    • System calls
    • Modules
    • Kernel
  – Logging
    • Guardian activities
  – Ability to hide the Guardian kernel module
  – No way to unload the Guardian without a system reboot

10 St. Michael syslog excerpts
• Testing an attack against St. Michael itself…

Jun 3 14:20:48 hades kernel: --=={Loading StMichael 0.11
Jun 3 14:20:48 hades kernel: --=={StMichael 0.11 Successfully Loaded
Jun 3 14:25:35 hades kernel: About to attack StMichael itself....
Jun 3 14:25:35 hades kernel: StMichael May Halt the System or Do other Nasty Stuff...
Jun 3 14:25:35 hades kernel: Replacing Code at d4863c00.
Jun 3 14:25:35 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
Jun 3 14:25:35 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
Jun 3 14:36:16 hades syslogd 1.4.1#10: restart.

11 St. Michael syslog excerpts (cont.)
• Attempting to replace a system call…

Jun 3 14:38:40 hades kernel: --=={Loading StMichael 0.11
Jun 3 14:38:40 hades kernel: --=={StMichael 0.11 Successfully Loaded
Jun 3 14:39:19 hades kernel: About to try replacing a systemcall...
Jun 3 14:39:19 hades kernel: 0(STMICHAEL):Kernel Structures Modified. Attempting to Restore.

12 St. Michael syslog excerpts (cont.)
• Attempting to replace the kernel's delete_module function…

Jun 3 14:41:45 hades kernel: About to Trash the Kernel's Delete Module..
Jun 3 14:41:45 hades kernel: If StMichael isn't in here, prepare for a panic.
Jun 3 14:41:45 hades kernel: Replacing Code at c012845c.
Jun 3 14:41:45 hades kernel: 0(STMICHAEL):Catastrophic LKM Rootkit Activity Detected. Kernel directly Modified.
Jun 3 14:41:45 hades kernel: 0(STMICHAEL):The Kernel has been Reloaded.
Jun 3 14:57:16 hades syslogd 1.4.1#10: restart.

13
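The checks the Guardian slides (8 and 9) describe, as an added user-space model that is not the Guardian's or St. Michael's own code: a trusted copy of the system call table is taken at "boot" and compared against the live table by a periodic check, the kernel text is summed and re-checked, and a wrapper over delete_module refuses to unload the Guardian. Everything prefixed demo_ and rootkit_ (the four-entry table, the sixteen text bytes, the hooks) is constructed for this example; the FNV-1a sum stands in for the md5 summing the slides mention, and in a real module the check would run from a kernel timer against the kernel's sys_call_table and text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_NR_SYSCALLS 4
#define DEMO_NR_DELETE_MODULE 3      /* index of delete_module in the demo table */

typedef long (*syscall_fn)(const char *arg);

/* Constructed stand-ins for a few system call handlers. */
static long demo_sys_read(const char *a)  { (void)a; return 1; }
static long demo_sys_write(const char *a) { (void)a; return 2; }
static long demo_sys_init_module(const char *name)   { printf("load %s\n", name);   return 0; }
static long demo_sys_delete_module(const char *name) { printf("unload %s\n", name); return 0; }

/* The live table, i.e. what a rootkit overwrites. */
static syscall_fn demo_sys_call_table[DEMO_NR_SYSCALLS] = {
    demo_sys_read, demo_sys_write, demo_sys_init_module, demo_sys_delete_module,
};

/* Constructed bytes standing in for kernel text. */
static unsigned char demo_kernel_text[16] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
    0x48, 0x89, 0x7d, 0xf8, 0xc9, 0xc3, 0x90, 0x90,
};

/* Guardian state: the boot-time snapshot and the saved delete_module pointer. */
static syscall_fn guardian_trusted_table[DEMO_NR_SYSCALLS];
static uint32_t   guardian_trusted_text_sum;
static syscall_fn guardian_orig_delete_module;
static int        guardian_initialized;

/* FNV-1a (32-bit) stands in for md5 here; a one-byte change always changes it. */
static uint32_t guardian_sum(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x01000193u; }
    return h;
}

/* Wrapper installed over delete_module: the Guardian itself cannot be unloaded. */
static long guardian_delete_module(const char *name)
{
    if (strcmp(name, "guardian") == 0) { printf("guardian: refusing to unload\n"); return -1; }
    return guardian_orig_delete_module(name);
}

/* "Module init": install the wrapper first, then snapshot, so the snapshot
 * already contains the Guardian's own hook and the check does not flag it. */
void guardian_init(void)
{
    if (guardian_initialized) return;           /* a second init would hook the hook */
    guardian_initialized = 1;
    guardian_orig_delete_module = demo_sys_call_table[DEMO_NR_DELETE_MODULE];
    demo_sys_call_table[DEMO_NR_DELETE_MODULE] = guardian_delete_module;
    memcpy(guardian_trusted_table, demo_sys_call_table, sizeof guardian_trusted_table);
    guardian_trusted_text_sum = guardian_sum(demo_kernel_text, sizeof demo_kernel_text);
}

/* Periodic check (a kernel timer callback in the real module). Returns the
 * number of entries that differ from the snapshot; with restore != 0 they are
 * put back, which is the "Attempting to Restore" step in the St. Michael log. */
int guardian_check_table(int restore)
{
    int diffs = 0;
    for (int i = 0; i < DEMO_NR_SYSCALLS; i++) {
        if (demo_sys_call_table[i] == guardian_trusted_table[i]) continue;
        diffs++;
        printf("guardian: syscall %d modified%s\n", i, restore ? ", restoring" : "");
        if (restore) demo_sys_call_table[i] = guardian_trusted_table[i];
    }
    return diffs;
}

/* Returns 1 if the text still matches the boot-time sum, 0 if it was patched. */
int guardian_check_text(void)
{
    return guardian_sum(demo_kernel_text, sizeof demo_kernel_text) == guardian_trusted_text_sum;
}

/* Simulated rootkit actions: hook one syscall, patch one byte of text. */
static long rootkit_sys_read(const char *a) { (void)a; return -1; }
void rootkit_hook_read(void)  { demo_sys_call_table[0] = rootkit_sys_read; }
void rootkit_patch_text(void) { demo_kernel_text[2] ^= 0xff; }

/* Dispatch through the live table, as the syscall entry path would. */
long demo_call(int nr, const char *arg) { return demo_sys_call_table[nr](arg); }

int main(void)
{
    guardian_init();
    printf("clean: %d diffs, text ok=%d\n", guardian_check_table(0), guardian_check_text());
    rootkit_hook_read();
    rootkit_patch_text();
    printf("attacked: %d diffs, text ok=%d\n", guardian_check_table(1), guardian_check_text());
    printf("after restore: %d diffs, read -> %ld\n", guardian_check_table(0), demo_call(0, "x"));
    printf("delete_module(guardian) -> %ld\n", demo_call(DEMO_NR_DELETE_MODULE, "guardian"));
    return 0;
}
```

The order inside guardian_init matters: if the snapshot were taken before the delete_module wrapper went in, the Guardian would flag its own hook on the first timer tick and "restore" the original, unhooked entry. The text check only detects; restoring text needs the reload-from-restore-point mechanism St. Michael had, which this model does not include.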