DOCSLIB.ORG

Integrity Checking of Operating Systems with Respect to Kernel Level Malware”

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

To Bianca, for being who you are.

Abstract

Kernel-mode rootkits have gained a considerable momentum within the blackhat community. They represent a considerable threat to any computer system, as they provide an intruder with the ability to hide the presence of his malicious activity. These rootkits make changes to the operating system’s kernel, thereby providing particularly stealthy hiding techniques.

Considering the kernel rootkit threat and other threats, the collection of reliable information from a compromised system becomes a central problem within the domain of computer security. This thesis addresses this problem. It looks at the possibility of using virtualization as a means to facilitate kernel-mode rootkit detection through integrity checking.

The thesis describes several areas within the Linux kernel, which are commonly subverted by kernel-mode rootkits. It introduces the reader to the concept of virtualization and describes several technologies employing virtualization. The kernel-mode rootkit threat is then addressed through a description of their hiding methodologies. Some of the existing methods for malware detection are also addressed and analysed.

A number of general requirements, which need to be satisfied by a general model enabling kernel-mode rootkit detection, are identified. A model addressing these requirements is suggested, and a framework implementing the model is set-up. The detection capabilities of the framework are tested on a couple of rootkits.

iii

Preface

This report presents the results of my master thesis “Integrity checking of operating systems with respect to kernel level malware”. It is written as part of the Master degree (Sivilingeniør) in Computer Science at the Norwegian University of Science and Technology (NTNU), during Spring 2005. The work presented is based on a problem presented by the Computer Network Operations project (CNO857), a research project conducted at the Norwegian Defence Research Establishment (FFI). The work has been conducted at their facilities.

The work done during this semester has been challenging, instructive and interesting. My knowledge on the researched area was limited before I started my work. I had a limited knowledge to operating systems and Linux in particular. No knowledge of virtual machines, integrity checking and rootkits, and my C-programming skills where almost non existent. Hence, working with these new environments and technologies has thought me a lot, and I feel as though I have increased my platform as a computer scientist.

I would like to take this opportunity to thank my supervisor, Ane Daae Weng, for providing valuable guidance and feedback through all phases of this project. I would also like to thank professor Mads Nyg˚ard for useful input and support. Camilla Olsen and Espen Aarnes for correctional reading, and other feedback. Further, I would like to thank Tal Garfinkel for quick responses to my emails and his valuable advises on virtual machines. A special thanks is addressed to my fellow students Audun Simonsen and Oddvar Aarseth whom I have been sharing office with. Their support as discussion partners and frustration relieves has been invaluable.

Tobias Melcher
Kjeller, June 22, 2005 v

Acronyms

AIDE API

Advanced Intrusion Detection Environment Application Programmer Interface Community Public License

CPL CPU DNS ELF

Central Processing Unit Domain Name System Executable and Linking Format Norwegian Defence Research Establishment General Public License

FFI GPL HIDS IDS

Host-based Intrusion Detection System Intrusion Detection System Interrupt Descriptor Table

IDT LGPL LKM MMU NIC

Lesser General Public License Loadable Kernel Module Memory Management Unit Network Interface Card

NIDS

Network-based Intrusion Detection System
NTNU Norwegian University of Science and Technology

OS

Operating System User-mode Linux

UML

vii

  • viii
  • Acronyms

VFS VM

Virtual File System Switch Virtual Machine

VMM VMI

Virtual Machine Monitor Virtual Machine Introspection

Table of Contents

  • Abstract
  • iii

  • v
  • Preface

  • Acronyms
  • vii

  • ix
  • Table of Contents

List of Figures List of Tables xv xvii

  • 1 Introduction
  • 1

12345667
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Problem definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Research questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4 Research methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5 Project scope and demarcation of assessment . . . . . . . . . . . . . . 1.6 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.7 Report outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.1 Reader’s guide . . . . . . . . . . . . . . . . . . . . . . . . . . .

  • 2 The Linux kernel
  • 9

  • 2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  • 9

2.2 Architectural overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3 System calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

  • 2.3.1 The system call table and the interrupt descriptor table (IDT)
  • 13

2.3.2 System call invocation and lifecycle . . . . . . . . . . . . . . . . 13
2.4 Memory management . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.1 Memory organization . . . . . . . . . . . . . . . . . . . . . . . 16

ix

  • x
  • TABLE OF CONTENTS

2.4.2 Virtual memory . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.4.3 Memory allocation . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.5 File system management . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.6 Loadable Kernel Modules (LKM) . . . . . . . . . . . . . . . . . . . . . 20
2.6.1 Linking and unlinking modules . . . . . . . . . . . . . . . . . . 20
2.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

  • 3 The virtualization technology
  • 23

3.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.2 Virtualization techniques . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.1 The virtual machine monitor (VMM) . . . . . . . . . . . . . . 24 3.2.2 Virtual environments . . . . . . . . . . . . . . . . . . . . . . . . 25
3.3 Virtual machine technologies . . . . . . . . . . . . . . . . . . . . . . . 26
3.3.1 Plex86 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3.2 VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3.3 Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3.4 User-mode Linux (UML) . . . . . . . . . . . . . . . . . . . . . 29
3.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

  • 4 Rootkits
  • 33

4.1 Trojan horse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 4.2 User-mode rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.3 Kernel-mode rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.3.1 Loadable Kernel Modules (LKM) . . . . . . . . . . . . . . . . . 37 4.3.2 Patching the running kernel . . . . . . . . . . . . . . . . . . . . 39 4.3.3 Patching the kernel binary image . . . . . . . . . . . . . . . . . 40 4.3.4 Create a fraudulent virtual system . . . . . . . . . . . . . . . . 41 4.3.5 Running programs in kernel-mode . . . . . . . . . . . . . . . . 41
4.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

  • 5 Defending the Linux kernel
  • 43

5.1 Protecting a Linux system . . . . . . . . . . . . . . . . . . . . . . . . . 43 5.2 Intrusion detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.3 Anomality detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.3.1 File integrity checking . . . . . . . . . . . . . . . . . . . . . . . 46 5.3.2 Kernel integrity checking . . . . . . . . . . . . . . . . . . . . . 47 5.3.3 Detecting anomalities in program execution . . . . . . . . . . . 48 5.3.4 Network connections and activity . . . . . . . . . . . . . . . . . 49

  • TABLE OF CONTENTS
  • xi

5.4 Signature detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.4.1 Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 5.4.2 Characterising kernel-mode rootkits . . . . . . . . . . . . . . . 50
5.5 Hardware-based detection . . . . . . . . . . . . . . . . . . . . . . . . . 50 5.6 Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.6.1 Virtual machine introspection (VMI) . . . . . . . . . . . . . . . 51 5.6.2 Intrusion detection in virtual environments . . . . . . . . . . . 51
5.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

  • 6 A model supporting kernel integrity checking
  • 53

6.1 Motivating scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.1.1 The MyOil scenario . . . . . . . . . . . . . . . . . . . . . . . . 54 6.1.2 Summarising and analysing the scenario . . . . . . . . . . . . . 56
6.2 Model requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.2.1 Properties of kernel level malware . . . . . . . . . . . . . . . . 58 6.2.2 Behaviour and support . . . . . . . . . . . . . . . . . . . . . . . 59 6.2.3 Provided services . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.3 Overall description of the model . . . . . . . . . . . . . . . . . . . . . 60
6.3.1 Component functionalities and responsibilities . . . . . . . . . 62 6.3.2 Main features . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 6.3.3 Comparison of the VMI architecture and the described model . 65
6.4 Employing the model on the MyOil scenario . . . . . . . . . . . . . . . 66

  • 7 Building a framework
  • 69

7.1 Selecting a virtualization technology . . . . . . . . . . . . . . . . . . . 69
7.1.1 Requirement coverage . . . . . . . . . . . . . . . . . . . . . . . 70 7.1.2 Other considerations . . . . . . . . . . . . . . . . . . . . . . . . 71 7.1.3 Open source evaluation . . . . . . . . . . . . . . . . . . . . . . 72 7.1.4 Summarizing the virtualization technology evaluation . . . . . 72
7.2 Selecting an integrity checker . . . . . . . . . . . . . . . . . . . . . . . 73
7.2.1 Requirement coverage . . . . . . . . . . . . . . . . . . . . . . . 73 7.2.2 Other considerations . . . . . . . . . . . . . . . . . . . . . . . . 75 7.2.3 Open source evaluation . . . . . . . . . . . . . . . . . . . . . . 75 7.2.4 Summarizing the integrity checker evaluation . . . . . . . . . . 75
7.3 Framework setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
7.3.1 Installing Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 7.3.2 Running Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 7.3.3 Installing and initialising Afick . . . . . . . . . . . . . . . . . . 79

  • xii
  • TABLE OF CONTENTS

7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

  • 8 Applying the framework
  • 83

8.1 Test setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
8.1.1 Preparing the guest system . . . . . . . . . . . . . . . . . . . . 84 8.1.2 Installing and running Adore . . . . . . . . . . . . . . . . . . . 84 8.1.3 Installing and running Adore-ng . . . . . . . . . . . . . . . . . 84 8.1.4 Installing and running SucKIT . . . . . . . . . . . . . . . . . . 85 8.1.5 Final test setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.2 Test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8.2.1 Test 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 8.2.2 Test 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 8.2.3 Result summary . . . . . . . . . . . . . . . . . . . . . . . . . . 89

  • 9 Discussion and evaluation
  • 91

9.1 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
9.1.1 Discussion of results . . . . . . . . . . . . . . . . . . . . . . . . 91 9.1.2 Discussion of the framework . . . . . . . . . . . . . . . . . . . . 92 9.1.3 Discussion of the model . . . . . . . . . . . . . . . . . . . . . . 94
9.2 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

  • 10 Conclusion and further work
  • 99

10.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
10.1.1 Important themes . . . . . . . . . . . . . . . . . . . . . . . . . 99 10.1.2 Contributions of this thesis . . . . . . . . . . . . . . . . . . . . 100 10.1.3 The future . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
10.2 Further work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
10.2.1 Implementing the model . . . . . . . . . . . . . . . . . . . . . . 101 10.2.2 Further research . . . . . . . . . . . . . . . . . . . . . . . . . . 101

  • Bibliography
  • 103

109 113
A Glossary B Rootkit examples

B.1 Subverting the VFS - Adore-ng . . . . . . . . . . . . . . . . . . . . . . 113 B.2 Patching /dev/kmem - SucKIT . . . . . . . . . . . . . . . . . . . . . . 115

  • C Rootkit detection tools
  • 117

  • TABLE OF CONTENTS
  • xiii

  • D Creating and running Loadable Kernel Modules (LKM)
  • 119

D.1 LKM programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 D.2 LKM compilation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

  • E Notation
  • 121

E.1 Notation used in the evaluation table . . . . . . . . . . . . . . . . . . . 121 E.2 False-positives and false-negatives . . . . . . . . . . . . . . . . . . . . . 123

List of Figures

  • 1.1 Report overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  • 8

2.1 Intel x86 protection rings . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.2 Conceptual Linux architecture . . . . . . . . . . . . . . . . . . . . . . 11 2.3 System calls as an interface to hardware . . . . . . . . . . . . . . . . . 12 2.4 The Linux system call table . . . . . . . . . . . . . . . . . . . . . . . . 14 2.5 System call invocation in Linux . . . . . . . . . . . . . . . . . . . . . . 15 2.6 Reserved memory for the Linux kernel . . . . . . . . . . . . . . . . . . 17 2.7 The Linux virtual memory . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.8 The Linux file system . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.9 Loadable kernel module . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.1 Virtual machine environments [30] . . . . . . . . . . . . . . . . . . . . 25 3.2 VMware architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3 Xen architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 3.4 User-mode Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4.1 Comparison of user-mode and kernel-mode rootkits . . . . . . . . . . . 36 4.2 Loading an evil Loadable Kernel Module (LKM) . . . . . . . . . . . . 38 4.3 Runtime kernel patching . . . . . . . . . . . . . . . . . . . . . . . . . . 40

6.1 Scenario: MyOil’s network . . . . . . . . . . . . . . . . . . . . . . . . . 54 6.2 Scenario: MyOil’s network under attack . . . . . . . . . . . . . . . . . 56 6.3 Overall system description . . . . . . . . . . . . . . . . . . . . . . . . . 61 6.4 Architectural overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 6.5 Employing the model on the scenario . . . . . . . . . . . . . . . . . . . 66

7.1 Detection framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 7.2 The configuration file for the Fedora2 domain . . . . . . . . . . . . . . 79 7.3 Running Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

xv

  • xvi
  • LIST OF FIGURES

8.1 Running SucKIT on the Fedora2 domain . . . . . . . . . . . . . . . . . 86 8.2 Running a modified SucKIT on the Fedora2 domain . . . . . . . . . . 86 8.3 The framework test setup . . . . . . . . . . . . . . . . . . . . . . . . . 87 8.4 Detecting Adore by comparison . . . . . . . . . . . . . . . . . . . . . . 88 8.5 Detecting the Adore rootkit with Afick . . . . . . . . . . . . . . . . . . 89

B.1 The Adore user interface, Ava. . . . . . . . . . . . . . . . . . . . . . . 114

List of Tables

3.1 Para-virtualizing the x86 architecture in Xen [5] . . . . . . . . . . . . 28 3.2 Running Linux in user-mode [17, 59] . . . . . . . . . . . . . . . . . . . 30

5.1 Linux commands for anomality detection . . . . . . . . . . . . . . . . 45 6.1 General requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 7.1 Open source software evaluation . . . . . . . . . . . . . . . . . . . . . 72 7.2 Open source software evaluation . . . . . . . . . . . . . . . . . . . . . 75 7.3 Mapping the framework to the model of Chapter 6 . . . . . . . . . . . 81

8.1 Mapping the test setup to the model of Chapter 6 . . . . . . . . . . . 86 9.1 Covering the general requirements . . . . . . . . . . . . . . . . . . . . 94

xvii

Chapter 1

Introduction

The theme of this master thesis is the use of integrity checking of the operating systems kernel to discover anomalities implying kernel level exploits. The focus will be on the Linux kernel and the detection of kernel-mode rootkits.

Section 1.1 outlines the motivation and importance of discovering malicious activity. Section 1.2 defines the problem addressed. Lastly Section 1.7 describes the structure of this thesis, serving as a roadmap for the reader.

1.1 Motivation

Interconnected computers are subject to constant attacks from people wanting to exploit the processing power, gain access to information, or to have fun. Preventing and detecting such attacks is important to assure a certain level of integrity and privacy for computing systems. Since methods employed by attackers become more and more sophisticated, we have a continuous arms race between defenders and attackers.

Common goals of the attacker include; to make sure that the legitimate users or system administrators are unaware of their system being compromised, and when administrator privileges are obtained, to maintain and keep this privileged access in the foreseeable future. A commonly used method achieving these goals is the use of a rootkit. A rootkit is a collection of tools, which allows an intruder to hide his presence and maintain his access.

Two types of rootkits exist; user-mode rootkits and kernel-mode rootkits. A usermode rootkit modifies critical system level binaries and programs, while a kernel-mode

1

  • 2
  • Chapter 1. Introduction

rootkit replaces or modifies the operating systems kernel. Kernel-mode rootkits are harder to detect than user-mode rootkits. They operate on a low level and hence user-mode inspection tools are unable to detect such rootkits. This makes the kernelmode rootkit a very powerful tool. Further, rootkits have become more user-friendly as blackhat hackers1 have applied user interfaces allowing not so well-informed intruders, or script kiddies, to apply the rootkit easily. These advantages have made kernel-mode rootkits very popular, and they have become common in a high percentage of the intrusions reported, implying administrator level access [39].

Recommended publications
  • A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools

    A Brief Study and Comparison Of, Open Source Intrusion Detection System Tools

    International Journal of Advanced Computational Engineering and Networking, ISSN: 2320-2106, Volume-1, Issue-10, Dec-2013 A BRIEF STUDY AND COMPARISON OF, OPEN SOURCE INTRUSION DETECTION SYSTEM TOOLS 1SURYA BHAGAVAN AMBATI, 2DEEPTI VIDYARTHI 1,2Defence Institute of Advanced Technology (DU) Pune –411025 Email: [email protected], [email protected] Abstract - As the world becomes more connected to the cyber world, attackers and hackers are becoming increasingly sophisticated to penetrate computer systems and networks. Intrusion Detection System (IDS) plays a vital role in defending a network against intrusion. Many commercial IDSs are available in marketplace but with high cost. At the same time open source IDSs are also available with continuous support and upgradation from large user community. Each of these IDSs adopts a different approaches thus may target different applications. This paper provides a quick review of six Open Source IDS tools so that one can choose the appropriate Open Source IDS tool as per their organization requirements. Keywords - Intrusion Detection, Open Source IDS, Network Securit, HIDS, NIDS. I. INTRODUCTION concentrate on the activities in a host without considering the activities in the computer networks. Every day, intruders are invading countless homes On the other hand, NIDS put its focus on computer and organisations across the country via virus, networks without examining the hosts’ activities. worms, Trojans, DoS/DDoS attacks by inserting bits Intrusion Detection methodologies can be classified of malicious code. Intrusion detection system tools as Signature based detection, Anomaly based helps in protecting computer and network from a detection and Stateful Protocol analysis based numerous threats and attacks.
  • Ten Strategies of a World-Class Cybersecurity Operations Center Conveys MITRE’S Expertise on Accumulated Expertise on Enterprise-Grade Computer Network Defense

    Ten Strategies of a World-Class Cybersecurity Operations Center Conveys MITRE’S Expertise on Accumulated Expertise on Enterprise-Grade Computer Network Defense

    Bleed rule--remove from file Bleed rule--remove from file MITRE’s accumulated Ten Strategies of a World-Class Cybersecurity Operations Center conveys MITRE’s expertise on accumulated expertise on enterprise-grade computer network defense. It covers ten key qualities enterprise- grade of leading Cybersecurity Operations Centers (CSOCs), ranging from their structure and organization, computer MITRE network to processes that best enable effective and efficient operations, to approaches that extract maximum defense Ten Strategies of a World-Class value from CSOC technology investments. This book offers perspective and context for key decision Cybersecurity Operations Center points in structuring a CSOC and shows how to: • Find the right size and structure for the CSOC team Cybersecurity Operations Center a World-Class of Strategies Ten The MITRE Corporation is • Achieve effective placement within a larger organization that a not-for-profit organization enables CSOC operations that operates federally funded • Attract, retain, and grow the right staff and skills research and development • Prepare the CSOC team, technologies, and processes for agile, centers (FFRDCs). FFRDCs threat-based response are unique organizations that • Architect for large-scale data collection and analysis with a assist the U.S. government with limited budget scientific research and analysis, • Prioritize sensor placement and data feed choices across development and acquisition, enteprise systems, enclaves, networks, and perimeters and systems engineering and integration. We’re proud to have If you manage, work in, or are standing up a CSOC, this book is for you. served the public interest for It is also available on MITRE’s website, www.mitre.org. more than 50 years.
  • Network Security Jim Binkley

    Network Security Jim Binkley

    Tools Network Security Jim Binkley. Jim Binkley 1 Outline basic tools netcat intrusion detection – network monitors – net-based audit/analysis (nessus) – net-based signature analysis (snort) (see ASCII lecture) – host-based anomaly analysis (tripwire) web audit/analysis wireless (kismet/netstumbler) attack tools (dsniff, ettercap) remote control/backdoor tools Jim Binkley 2 a few intro thoughts some of these tools can be grouped into different categories BUT then both tripwire and ourmon are intrusion detection tools (what do they have in common?) ID tools may have problems with false-positives attack tools can always be used for defensive purposes or offensive purposes: – nmap used to check for open ports ... any tool may be used for ill (even ping) Jim Binkley 3 information sources: Anti-Hacker Toolkit, Jones, Shema, Johnson. Osborne 2002 Snort FAQ (and book) nmap documentation Hacker’s Exposed in numerous editions Jim Binkley 4 basic tools ping and relatives traceroute tcpdump and other sniffers – ethereal whois and the whois database dig/nslookup and the DNS scanners problem: given email handout, what can you learn about its origin? Jim Binkley 5 ping ping may be used to test basic 2-way connectivity or determine if an ip address space is populated – to stuff an ARP database (HPOV does this) » so that we can see how many hosts we have – to enable a port query because J. Hacker has an exploit Jim Binkley 6 ping may have these options -c <count> - send count pings -n <count> - windows, the same thing -f -
  • Beginner's Guide to Open Source Intrusion Detection Tools

    Beginner's Guide to Open Source Intrusion Detection Tools

    BEGINNER’S GUIDE to Open Source Intrusion Detection Tools www.alienvault.com Introduction to Open Source Intrusion Detection Threat and intrusion detection have become a top priority in cybersecurity, making it more important than ever before. If you aren’t already running an intrusion detection system (IDS) in your network, you should start now. Is Open Source Security a Good Route? There are a wealth of great tools out there that can dramatically improve the security of your network. Open source security goes back decades, and there is a large, active community behind many of the tools. In fact, some of these tools are used by commercial security vendors in their products, and these vendors contribute to the tools to keep them current. Before getting started, we’d be remiss not to address the pros and cons of going the open source route. Open source might be a good solution for you if: • Your company has the expertise in both security and system administration needed to deploy several tools with only community support. • You want “complete control” over your security architecture and are willing to do extra work to make that happen. • You develop a plan for keeping these tools up-to-date. Unlike most software, failure to keep security tools current with the latest versions and security updates (which may come weekly, daily, or even hourly) renders the tools themselves almost useless after a short time. • You have a very low budget to buy products, but have the staff needed to maintain open source tools. • Your use-case and security concerns don’t align well with commercial products.
  • Open Source Intrusion Detection Tools

    Open Source Intrusion Detection Tools

    Beginner’s guide: Open source intrusion detection tools 1 Threat and intrusion Is open source detection have security a become a top priority in cybersecurity, good route? making it more important than ever before. If you aren’t already running an intrusion detection system (IDS) in your network, you should start now. This document is intended to include general information for beginners learning about open source intrusion detection. Use of names of 2 third party companies in the document are for informational purposes only and do not constitute any endorsement by AT&T Cybersecurity. Introduction There are a wealth of great tools out there that can dramatically improve the security of your network. Open source security goes back decades, and there is a large, active community behind many of the tools. In fact, some of these tools are used by commercial security vendors in their products, and these vendors contribute to the tools to keep them current. Before getting started, we’d be remiss not to address the pros and cons of going the open source route. Open source might be a good solution for you if: Open source is easier than ever to install and maintain. • Your company has the expertise in both security and system However, on the “con” side, there are a few important administration needed to deploy several tools with only concerns. If you are going to design a security solution for community support. your company, please keep in mind: • You will have to do your own support. There are great • You want “complete control” over your security architecture communities behind some of these tools, but you are the only and are willing to do extra work to make that happen.
  • Unix Administration

    Unix Administration

    Unix Administration Guntis Barzdins Linux System Administration SYS ADMIN TASKS Setting the Run Level System Services User Management Network Settings Scheduling Jobs Quota Management Backup and Restore Adding and Removing software/packages Setting a Printer Monitoring the system (general, logs) Monitoring any specific services running. Eg. DNS, DHCP, Web, NIS, NPT, Proxy etc. Process Manipulation Once you run a program (e.g. vi, myprog,...), that program will suspend the terminal you called it in (the terminal will not be receiving input from you). You can start the program in the background to avoid this: myprog & You can suspend a program that is running and send it to background, if you already started it: Ctrl-z (to suspend) bg (sends the suspended program to the background) ps (show running processes) top (monitor running processes) kill (kill processes) & (send process to background) bg (send process to background) fg (get process from background) Ctrl+c (terminate process) Ctrl+z (suspend process) Intrusion Detection System (IDS) Open Source Tripwire – is a file integrity- checking program for UNIX/Linux operating systems Host-based Software that alerts you when important files change Tripwire keeps a hash value for each designated file When a file is altered/deleted, tripwire will have a new hash value that is different than the original Replaced by more advanced HIDS: OSSEC, Samhain, AIDE Client/Server mode etc. Tripwire tutorial in a slide Initial setup download / build / install it generate policy file # twadmin –create-polfile /etc/tripwire/twpol.txt modify policy file (e.g. remove unnecessary files) # vi /etc/tripwire/twpol.txt build initial database # tripwire –init check periodically # tripwire –check reconcile differences (e.g.
  • Prelude User Manual General Configuration

    Prelude User Manual General Configuration

    Prelude User Manual [[PreludeForeword|Foreword]] 1. Introduction 1. [[PreludeGlossary|Glossary]] 2. [[PreludeComponents|Prelude Components]] 3. [[PreludeArchitecture|Prelude Architecture]] 4. [[PreludeStandards|Prelude Standards]] 5. [[PreludeCompatibility|Prelude Compatibility]] 2. Installation 1. [[InstallingPreludeRequirement|Installation Requirements]] 2. [[InstallingPrelude|Installation from sources]] 1. [[InstallingPreludeLibrary|Libprelude]] 2. [[InstallingPreludeDbLibrary|LibpreludeDB]] 3. [[InstallingPreludeManager|Prelude Manager]] 4. [[InstallingPreludeCorrelator|Prelude Correlator]] 5. [[InstallingPreludeLml|Prelude LML]] 6. [[InstallingPreludePrewikka|Prewikka]] 3. [[InstallingPackage|Installation from packages]] 4. [[AgentsInstallation|Agents Installation]] 1. [[InstallingAgentRegistration|Agents Registration]] 2. [[InstallingAgentThirdparty|3rd Party Agents Installation]] 3. Configuration 1. [[ConfigurationGeneral|General Configuration]] 2. [[PreludeComponentsConfiguration|Prelude Components Configuration]] 1. [[PreludeManager|Prelude-Manager]] 2. [[PreludeCorrelator|Prelude-Correlator]] 3. [[PreludeLml|Prelude-LML]] 4. [[PreludeImport|Prelude-Import]] 3. [[HowtoHACentralServices|Howto Configure High Availability Central Services]] 4. Optimisation 1. [[DatabaseOptimisation|Database Optimisation]] 5. User Manuals 1. [[ManualPrewikka|Prewikka Manual]] 2. [[ManualPreludeAdmin|Prelude-Admin Manual]] 3. [[ManualPreludeDbAdmin|PreludeDB-Admin Manual]] 6. Development 1. [[DevelopmentGuidelines|Development guidelines]] 2. [[SourceOrganization|Source
  • An Efficient Intrusion Detection System for Networks with Centralized

    An Efficient Intrusion Detection System for Networks with Centralized

    An Efficient Intrusion Detection System for Networks with Centralized Routing Paulo Filipe Canha de Andrade Dissertação para obtenção de Grau de Mestre em Engenharia Informática e de Computadores Júri Presidente: Prof. Luis Eduardo Teixeira Rodrigues Orientador: Prof. Fernando Henrique Corte Real Mira da Silva Co-orientador: Prof. Carlos Nuno da Cruz Ribeiro Vogais: Prof. Rodrigo Seromenho Miragaia Rodrigues Setembro de 2007 Abstract As Internet becomes more and more ubiquitous, security is an increasingly important topic. Furthermore, private networks are expanding and security threats from within the network have to be cautioned. For these large networks, which are generally high-speed and with several segments, Intrusion Detection System (IDS) placement usually comes down to a compromise between investment and monitoring ability. One common solution in these cases, is to use more than one IDS scattered across the network, thus raising the amount invested and administrative power to operate. Another solution is to collect data through sensors and send it to one IDS via an Ethernet hub or switch. This option normally tends to overload the hub/switch port where the IDS is connected. This document presents a new solution, for networks with a star topology, where a single IDS is coupled to the network’s core router. This solution allows the IDS to monitor every different network segment attached to the router in a round-robin fashion. Practical implementation issues and operational implications of this solution are also analyzed and discussed. Keywords: Intrusion Detection Systems,Security Analysis, High-speed Networks, Switch-based Networks. i Resumo À medida que a Internet se torna cada vez mais acessível, a segurança é cada vez mais um tópico muito importante.
  • U|Xahbeigy03102ozxv+:'

    U|Xahbeigy03102ozxv+:'

    U|xaHBEIGy03102ozXv+:' LINUX JOURNAL STORAGE RAID | LVM2 | Kioslaves | Fish | Konqueror | SSHFS | Tripwire | Gambas JUNE 2006 ISSUE 146 JUNE 2006 CONTENTS Issue 146 storage FEATURES 52 RECOVERY OF RAID AND LVM2 VOLUMES 64 SSHFS: SUPER EASY FILE ACCESS OVER SSH When there’s something strange in your LVM, who you gonna call? SSH does more than just provide safe communications. Richard Bullington-McGuire Matthew E. Hoskins 58 NETWORK TRANSPARENCY WITH KIO ON THE COVER Konqueror is a slave to fishing. Or at least it has one. • Dual Booting with Finesse, p. 89 Jes Hall • RAID and LVM2 Data Recovery, p. 52 62 YELLOW DOG LINUX INSTALLS NEATLY ON AN IPOD • SSH Is Not Just a Secure Shell, p. 64 Take one Mac, insert iPod, boot Linux. • Fish for Data with KIO, p. 58 Dave Taylor • Boot Linux with an iPod, p. 62 COVER PHOTO: JOHN LAMB/STONE+/GETTY IMAGES 2 | june 2006 www.linuxjournal.com JUNE 2006 CONTENTS Issue 146 COLUMNS INDEPTH 24 REUVEN M. LERNER’S 68 AN INTRODUCTION TO GAMBAS AT THE FORGE Will VB refugees gamble on Gambas? Google Maps Mark Alexander Bain 28 MARCEL GAGNÈ’S COOKING WITH LINUX If Only You Could Restore Wine 34 DAVE TAYLOR’S WORK THE SHELL Coping with Aces 38 MICK BAUER’S PARANOID PENGUIN Security Features in Red Hat Enterprise 4 76 HOW TO SET UP 89 THE ULTIMATE LINUX/WINDOWS SYSTEM AND USE TRIPWIRE Don’t let intruders go unnoticed. Marco Fioretti 80 THE WORLD IS Next Month A LIBFERRIS FILESYSTEM libferris can make your toaster look like a filesystem.
  • Towards Least Privilege Principle: Limiting Unintended Accesses in Software Systems

    Towards Least Privilege Principle: Limiting Unintended Accesses in Software Systems

    Towards Least Privilege Principle: Limiting Unintended Accesses in Software Systems by Beng Heng Ng A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Science and Engineering) in The University of Michigan 2013 Doctoral Committee: Professor Atul Prakash, Chair Professor Kang G. Shin Associate Professor Vineet R. Kamat Associate Professor Zijiang James Yang c Beng Heng Ng 2013 All Rights Reserved For my wife, Haoyi, and daughter, Reann. ii ACKNOWLEDGEMENTS The journey towards writing this thesis had not been an easy one, and I will forever be indebted to the kind people around me for their guidance and support. This thesis would not have materialize without the unrelenting support, enormous patience, and encouragement of my advisor, Prof. Atul Prakash. He has taught me the importance of rigorous research methodologies, critical thinking, as well as the need to always keep an open mind. His advice was not limited to science, but also included life, especially during one of the most challenging periods in my life. I am also extremely grateful to Prof. Shin, Prof. Kamat, and Prof. Yang, for their invaluable suggestions, perspectives and insights, which have helped shape this thesis. I also thank my previous and current colleagues, Billy Lau, Hu Xin, Alex Crowell, Earlence Fernandes, and Ajit Aluri, for the numerous intense and thought-provoking discussions. I gratefully acknowledge the funding provided by the Government of Singapore, thus allowing me to focus on my research that leads to this thesis. Above all, I would like to thank my wife, Hao Yi, for putting her dreams on hold so that I can go after mine.
  • Unix Administration

    Unix Administration

    Unix Administration Guntis Barzdins Linux System Administration SYS ADMIN TASKS Setting the Run Level System Services User Management Network Settings Scheduling Jobs Quota Management Backup and Restore Adding and Removing software/packages Setting a Printer Monitoring the system (general, logs) Monitoring any specific services running. Eg. DNS, DHCP, Web, NIS, NPT, Proxy etc. Have you used UNIX before? • Which OS did Apple choose when it needed a stable OS layer for its Mac OSX? • Which OS made the biggest impact to the online lives as you know it today? Process Manipulation Once you run a program (e.g. vi, myprog,...), that program will suspend the terminal you called it in (the terminal will not be receiving input from you). You can start the program in the background to avoid this: myprog & You can suspend a program that is running and send it to background, if you already started it: Ctrl-z (to suspend) bg (sends the suspended program to the background) ps (show running processes) top (monitor running processes) kill (kill processes) & (send process to background) bg (send process to background) fg (get process from background) Ctrl+c (terminate process) C l+ ( d ) Intrusion Detection System (IDS) Open Source Tripwire – is a file integrity- checking program for UNIX/Linux operating systems Host-based Software that alerts you when important files change Tripwire keeps a hash value for each designated file When a file is altered/deleted, tripwire will have a new hash value that is different than the original Replaced by more advanced HIDS: OSSEC, Samhain, AIDE Tripwire tutorial in a slide Initial setup download / build / install it modify policy file (e.g.
  • Effectiveness of Linux Rootkit Detection Tools

    Effectiveness of Linux Rootkit Detection Tools

    Effectiveness of Linux Rootkit Detection Tools University of Oulu Faculty of Information Technology and Electrical Engineering Degree Programme in Information Processing Sciences Master’s Thesis Juho Junnila 27.3.2020 2 Abstract Rootkits – a type of software that specializes in hiding entities in computer systems while enabling continuous control or access to it – are particularly difficult to detect compared to other kinds of software. Various tools exist for detecting rootkits, utilizing a wide variety of detection techniques and mechanisms. However, the effectiveness of such tools is not well established, especially in contemporary academic research and in the context of the Linux operating system. This study carried out an empirical evaluation of the effectiveness of five tools with capabilities to detect Linux rootkits: OSSEC, AIDE, Rootkit Hunter, Chkrootkit and LKRG. The effectiveness of each tool was tested by injecting 15 publicly available rootkits in individual detection tests in virtual machines running Ubuntu 16.04, executing the detection tool and capturing its results for analysis. A total of 75 detection tests were performed. The results showed that only 37.3% of the detection tests provided any indication of a rootkit infection or suspicious system behaviour, with the rest failing to provide any signs of anomalous behaviour. However, combining the findings of multiple detection tools increased the overall detection rate to 93.3%, as all but a single rootkit were discovered by at least one tool. Variation was observed in the effectiveness of the detection tools, with detection rates ranging from 13.3% to 53.3%. Variation in detection effectiveness was also found between categories of rootkits, as the overall detection rate was 46.7% for user mode rootkits and 31.1% for kernel mode rootkits.