User Activities Monitoring System Using Lkm

Total Page:16

File Type:pdf, Size:1020Kb

User Activities Monitoring System Using Lkm USER ACTIVITIES MONITORING SYSTEM USING LKM Bhaumik Patel B.E., Sardar Patel University, INDIA, 2008 PROJECT Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in COMPUTER SCIENCE at CALIFORNIA STATE UNIVERSITY, SACRAMENTO FALL 2011 USER ACTIVITIES MONITORING SYSTEM USING LKM A Project By Bhaumik Patel Approved by: __________________________________, Committee Chair Jinsong Ouyang, Ph.D. __________________________________, Second Reader Chung-E Wang, Ph.D. __________________________________ Date ii Student: Bhaumik Patel I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the Project. __________________________, Graduate Coordinator ________________ Nikrouz Faroughi, Ph.D. Date Department of Computer Science iii Abstract of USER ACTIVITIES MONITORING SYSTEM USING LKM by Bhaumik Patel Security is one of the major challenge while single machine is shared among multiple users. Linux is the operating system which supports multiple users. All the users can have access to different files in the system and they can access the file using local machine or the network connection. Any inappropriate action by some user can cause system failure or some unexpected troubles. All the activities by different users must be monitored in order to identify the exact reason for system failure and the user who is responsible for that. In the operating system, system call is the only window for a user process to get into the kernel and access different resources provided by the kernel. Linux Security Module (LSM) is a Loadable Kernel Module(LKM) which intercept the file i/o system calls and network i/o system calls in order to log the valuable information. It adds a layer between the user process and actual system call by replacing the actual system call with spy system call. The LSM supports 32 bit machine and older version of the kernel. As 64 bit machines are common today, LSM is required to be ported on a 64 bit machine with the latest version of kernel source. To port the actual LSM on latest hardware and latest iv kernel, changes are required and LSM need to be upgraded based on current system call structure. User activities monitoring system using LKM includes upgraded LSM as system layer utility. This is required to hack the file i/o and network i/o and to generate the log files based on gathered information. And as application layer utility it also includes automation system , which required to filter the data from log file and insert that data into the database. It also has a GUI based web interface to query the data in the database and to generate the report for system administrator. The entire system will be really helpful to monitor user activities both on local machine as well as on the network. Using this tool, the administrator of the system can trace the file i/o and network i/o, so in case the system goes down, the admin can investigate about the activities done by different users. And can explore the actual reason for crash. , Committee Chair Jinsong Ouyang, Ph.D. _________________________ Date v DEDICATION Dedicated to my loving parents who inspired me to work hard and my brother for his constant support. vi ACKNOWLEDGMENTS I would like to thank everyone who encourage and motivate me throughout Master’s Project. I am grateful to Dr. Jinsong Ouyang for his constant guidance and useful advices all the time. He helped me a lot in identifying different problems and to build the solution step by step. He also provided me reading materials like books, published papers etc. to explore the Linux kernel even more. At the same time, I would also like to thank Prof. Chung-E Wang for being a driving force for my interest in different algorithms and providing me continuous support. Furthermore, I would also like to thank the entire Linux Kernel Developers community. This community has helped me a lot by providing me guidance on kernel module development. Linux developers around the world are really active at providing answers in discussion forum and it always helped me to solve different problems. In the end, I would like to thank my parents and all my friends for giving me full support and motivation in completion of the project. vii TABLE OF CONTENTS Page Dedication .................................................................................................................... vi Acknowledgments....................................................................................................... vii List of Tables ............................................................................................................... ix List of Figures ...............................................................................................................x Chapter 1. INTRODUCTION ....................................................................................................1 1.1 Overview ..........................................................................................................1 1.2 Objectives ........................................................................................................2 2. LOADABLE KERNEL MODULE (LKM) ..............................................................4 2.1 What is LKM? .................................................................................................4 2.2 Basic Structure of LKM ...................................................................................5 2.3 System Call ......................................................................................................7 2.4 LSM (Linux Security Module) ........................................................................8 2.5 Porting .............................................................................................................9 3. KERNEL INSTRUMENTATION FOR MONITORING FILE I/O AND NETWORK I/O…... ................................................................................................11 3.1 System part overview ....................................................................................11 3.2 Basic pseudo code for LKM ..........................................................................11 3.3 Locating System call Table ..........................................................................12 viii 3.4 Overwriting the addresses of system call ......................................................17 3.5 Writing a new system call ..............................................................................19 3.6 Cleanup part of the module ............................................................................28 3.7 Output of phase-I ...........................................................................................29 4. A WEB-BASED APPLICATION FOR MONITORING FILE I/O AND NETWORK I/O ......................................................................................................30 4.1 Why filtering is required? ..............................................................................30 4.2 Automation Schema .......................................................................................31 4.3 Filtering script ................................................................................................32 4.4 Insert data script .............................................................................................35 4.5 Database design .............................................................................................37 4.6 Web interface ................................................................................................37 5. SUMMARY ............................................................................................................39 5.1 Summary ........................................................................................................39 6. FUTURE WORK ....................................................................................................40 6.1 Future work ....................................................................................................40 References ................................................................................................................... 41 ix LIST OF TABLES Page Table 1 System calls related to file i/o and network i/o ................................................2 Table 2 LKM commands and their functionality ..........................................................6 Table 3 Comparison of system call structure between 32 and 64 bit machine ...........10 Table 4 System calls and corresponding system call numbers ...................................13 Table 5 Information captured by hacking file i/o and network i/o .............................37 x LIST OF FIGURES Page Figure 1 Overall structure of system and position of system call ................................. 7 Figure 2 Automation schema ...................................................................................... 31 Figure 3 Screenshot of Form to query the database .................................................... 38 Figure 4 Screenshot of result of query ........................................................................ 38 xi 1 Chapter 1 INTRODUCTION 1.1 Overview Linux is a multi-user operating system. Many different users can share a single Linux machine and can access the machine locally or through the network. In the Linux, all the file system requests and network
Recommended publications
  • Glibc and System Calls Documentation Release 1.0
    Glibc and System Calls Documentation Release 1.0 Rishi Agrawal <[email protected]> Dec 28, 2017 Contents 1 Introduction 1 1.1 Acknowledgements...........................................1 2 Basics of a Linux System 3 2.1 Introduction...............................................3 2.2 Programs and Compilation........................................3 2.3 Libraries.................................................7 2.4 System Calls...............................................7 2.5 Kernel.................................................. 10 2.6 Conclusion................................................ 10 2.7 References................................................ 11 3 Working with glibc 13 3.1 Introduction............................................... 13 3.2 Why this chapter............................................. 13 3.3 What is glibc .............................................. 13 3.4 Download and extract glibc ...................................... 14 3.5 Walkthrough glibc ........................................... 14 3.6 Reading some functions of glibc ................................... 17 3.7 Compiling and installing glibc .................................... 18 3.8 Using new glibc ............................................ 21 3.9 Conclusion................................................ 23 4 System Calls On x86_64 from User Space 25 4.1 Setting Up Arguements......................................... 25 4.2 Calling the System Call......................................... 27 4.3 Retrieving the Return Value......................................
    [Show full text]
  • The Linux Kernel Module Programming Guide
    The Linux Kernel Module Programming Guide Peter Jay Salzman Michael Burian Ori Pomerantz Copyright © 2001 Peter Jay Salzman 2007−05−18 ver 2.6.4 The Linux Kernel Module Programming Guide is a free book; you may reproduce and/or modify it under the terms of the Open Software License, version 1.1. You can obtain a copy of this license at http://opensource.org/licenses/osl.php. This book is distributed in the hope it will be useful, but without any warranty, without even the implied warranty of merchantability or fitness for a particular purpose. The author encourages wide distribution of this book for personal or commercial use, provided the above copyright notice remains intact and the method adheres to the provisions of the Open Software License. In summary, you may copy and distribute this book free of charge or for a profit. No explicit permission is required from the author for reproduction of this book in any medium, physical or electronic. Derivative works and translations of this document must be placed under the Open Software License, and the original copyright notice must remain intact. If you have contributed new material to this book, you must make the material and source code available for your revisions. Please make revisions and updates available directly to the document maintainer, Peter Jay Salzman <[email protected]>. This will allow for the merging of updates and provide consistent revisions to the Linux community. If you publish or distribute this book commercially, donations, royalties, and/or printed copies are greatly appreciated by the author and the Linux Documentation Project (LDP).
    [Show full text]
  • System Calls
    System Calls What are they? ● Standard interface to allow the kernel to safely handle user requests – Read from hardware – Spawn a new process – Get current time – Create shared memory ● Message passing technique between – OS kernel (server) – User (client) Executing System Calls ● User program issues call ● Core kernel looks up call in syscall table ● Kernel module handles syscall action ● Module returns result of system call ● Core kernel forwards result to user Module is not Loaded... ● User program issues call ● Core kernel looks up call in syscall table ● Kernel module isn't loaded to handle action ● ... ● Where does call go? System Call Wrappers ● Wrapper calls system call if loaded – Otherwise returns an error ● Needs to be in a separate location so that the function can actually be called – Uses function pointer to point to kernel module implementation Adding System Calls ● You'll need to add and implement: – int start_elevator(void); – int issue_request(int, int, int); – int stop_elevator(void); ● As an example, let's add a call to printk an argument passed in: – int test_call(int); Adding System Calls ● Files to add (project files): – /usr/src/test_kernel/hello_world/test_call.c – /usr/src/test_kernel/hello_world/hello.c – /usr/src/test_kernel/hello_world/Makefile ● Files to modify (core kernel): – /usr/src/test_kernel/arch/x86/entry/syscalls/syscall_64.tbl – /usr/src/test_kernel/include/linux/syscalls.h – /usr/src/test_kernel/Makefile hello_world/test_call.c ● #include <linux/linkage.h> ● #include <linux/kernel.h> ● #include
    [Show full text]
  • Proceedings of the Linux Symposium
    Proceedings of the Linux Symposium Volume One June 27th–30th, 2007 Ottawa, Ontario Canada Contents The Price of Safety: Evaluating IOMMU Performance 9 Ben-Yehuda, Xenidis, Mostrows, Rister, Bruemmer, Van Doorn Linux on Cell Broadband Engine status update 21 Arnd Bergmann Linux Kernel Debugging on Google-sized clusters 29 M. Bligh, M. Desnoyers, & R. Schultz Ltrace Internals 41 Rodrigo Rubira Branco Evaluating effects of cache memory compression on embedded systems 53 Anderson Briglia, Allan Bezerra, Leonid Moiseichuk, & Nitin Gupta ACPI in Linux – Myths vs. Reality 65 Len Brown Cool Hand Linux – Handheld Thermal Extensions 75 Len Brown Asynchronous System Calls 81 Zach Brown Frysk 1, Kernel 0? 87 Andrew Cagney Keeping Kernel Performance from Regressions 93 T. Chen, L. Ananiev, and A. Tikhonov Breaking the Chains—Using LinuxBIOS to Liberate Embedded x86 Processors 103 J. Crouse, M. Jones, & R. Minnich GANESHA, a multi-usage with large cache NFSv4 server 113 P. Deniel, T. Leibovici, & J.-C. Lafoucrière Why Virtualization Fragmentation Sucks 125 Justin M. Forbes A New Network File System is Born: Comparison of SMB2, CIFS, and NFS 131 Steven French Supporting the Allocation of Large Contiguous Regions of Memory 141 Mel Gorman Kernel Scalability—Expanding the Horizon Beyond Fine Grain Locks 153 Corey Gough, Suresh Siddha, & Ken Chen Kdump: Smarter, Easier, Trustier 167 Vivek Goyal Using KVM to run Xen guests without Xen 179 R.A. Harper, A.N. Aliguori & M.D. Day Djprobe—Kernel probing with the smallest overhead 189 M. Hiramatsu and S. Oshima Desktop integration of Bluetooth 201 Marcel Holtmann How virtualization makes power management different 205 Yu Ke Ptrace, Utrace, Uprobes: Lightweight, Dynamic Tracing of User Apps 215 J.
    [Show full text]
  • Container-Based Virtualization for Byte-Addressable NVM Data Storage
    2016 IEEE International Conference on Big Data (Big Data) Container-Based Virtualization for Byte-Addressable NVM Data Storage Ellis R. Giles Rice University Houston, Texas [email protected] Abstract—Container based virtualization is rapidly growing Storage Class Memory, or SCM, is an exciting new in popularity for cloud deployments and applications as a memory technology with the potential of replacing hard virtualization alternative due to the ease of deployment cou- drives and SSDs as it offers high-speed, byte-addressable pled with high-performance. Emerging byte-addressable, non- volatile memories, commonly called Storage Class Memory or persistence on the main memory bus. Several technologies SCM, technologies are promising both byte-addressability and are currently under research and development, each with dif- persistence near DRAM speeds operating on the main memory ferent performance, durability, and capacity characteristics. bus. These new memory alternatives open up a new realm of These include a ReRAM by Micron and Sony, a slower, but applications that no longer have to rely on slow, block-based very large capacity Phase Change Memory or PCM by Mi- persistence, but can rather operate directly on persistent data using ordinary loads and stores through the cache hierarchy cron and others, and a fast, smaller spin-torque ST-MRAM coupled with transaction techniques. by Everspin. High-speed, byte-addressable persistence will However, SCM presents a new challenge for container-based give rise to new applications that no longer have to rely on applications, which typically access persistent data through slow, block based storage devices and to serialize data for layers of block based file isolation.
    [Show full text]
  • Demarinis Kent Williams-King Di Jin Rodrigo Fonseca Vasileios P
    sysfilter: Automated System Call Filtering for Commodity Software Nicholas DeMarinis Kent Williams-King Di Jin Rodrigo Fonseca Vasileios P. Kemerlis Department of Computer Science Brown University Abstract This constant stream of additional functionality integrated Modern OSes provide a rich set of services to applications, into modern applications, i.e., feature creep, not only has primarily accessible via the system call API, to support the dire effects in terms of security and protection [1, 71], but ever growing functionality of contemporary software. How- also necessitates a rich set of OS services: applications need ever, despite the fact that applications require access to part of to interact with the OS kernel—and, primarily, they do so the system call API (to function properly), OS kernels allow via the system call (syscall) API [52]—in order to perform full and unrestricted use of the entire system call set. This not useful tasks, such as acquiring or releasing memory, spawning only violates the principle of least privilege, but also enables and terminating additional processes and execution threads, attackers to utilize extra OS services, after seizing control communicating with other programs on the same or remote of vulnerable applications, or escalate privileges further via hosts, interacting with the filesystem, and performing I/O and exploiting vulnerabilities in less-stressed kernel interfaces. process introspection. To tackle this problem, we present sysfilter: a binary Indicatively, at the time of writing, the Linux
    [Show full text]
  • Secure Cloud Storage with Client-Side Encryption Using a Trusted Execution Environment
    Secure Cloud Storage with Client-side Encryption using a Trusted Execution Environment Marciano da Rocha1 a, Dalton Cezane´ Gomes Valadares2;4 b, Angelo Perkusich3 c, Kyller Costa Gorgonio4 d, Rodrigo Tomaz Pagno1 e and Newton Carlos Will1 f 1Department of Computer Science, Federal University of Technology, Parana,´ Dois Vizinhos, Brazil 2Department of Mechanical Engineering, Federal Institute of Pernambuco, Caruaru, Brazil 3Department of Electrical Engineering, Federal University of Campina Grande, Campina Grande, Brazil 4Department of Computer Science, Federal University of Campina Grande, Campina Grande, Brazil Keywords: Intel SGX, Data Sealing, File Encryption, Confidentiality, Integrity, Secure Storage, Cloud Storage. Abstract: With the evolution of computer systems, the amount of sensitive data to be stored as well as the number of threats on these data grow up, making the data confidentiality increasingly important to computer users. Currently, with devices always connected to the Internet, the use of cloud data storage services has become practical and common, allowing quick access to such data wherever the user is. Such practicality brings with it a concern, precisely the confidentiality of the data which is delivered to third parties for storage. In the home environment, disk encryption tools have gained special attention from users, being used on personal computers and also having native options in some smartphone operating systems. The present work uses the data sealing, feature provided by the Intel Software Guard Extensions (Intel SGX) technology, for file encryption. A virtual file system is created in which applications can store their data, keeping the security guarantees provided by the Intel SGX technology, before send the data to a storage provider.
    [Show full text]
  • Detecting Exploit Code Execution in Loadable Kernel Modules
    Detecting Exploit Code Execution in Loadable Kernel Modules HaizhiXu WenliangDu SteveJ.Chapin Systems Assurance Institute Syracuse University 3-114 CST, 111 College Place, Syracuse, NY 13210, USA g fhxu02, wedu, chapin @syr.edu Abstract and pointer checks can lead to kernel-level exploits, which can jeopardize the integrity of the running kernel. Inside the In current extensible monolithic operating systems, load- kernel, exploitcode has the privilegeto interceptsystem ser- able kernel modules (LKM) have unrestricted access to vice routines, to modify interrupt handlers, and to overwrite all portions of kernel memory and I/O space. As a result, kernel data. In such cases, the behavior of the entire sys- kernel-module exploitation can jeopardize the integrity of tem may become suspect. the entire system. In this paper, we analyze the threat that Kernel-level protection is different from user space pro- comes from the implicit trust relationship between the oper- tection. Not every application-level protection mechanism ating system kernel and loadable kernel modules. We then can be applied directly to kernel code, because privileges present a specification-directed access monitoring tool— of the kernel environment is different from that of the user HECK, that detects kernel modules for malicious code ex- space. For example, non-executableuser page [21] and non- ecution. Inside the module, HECK prevents code execution executable user stack [29] use virtual memory mapping sup- on the kernel stack and the data sections; on the bound- port for pages and segments, but inside the kernel, a page ary, HECK restricts the module’s access to only those kernel or segment fault can lead to kernel panic.
    [Show full text]
  • DM-Relay - Safe Laptop Mode Via Linux Device Mapper
    ' $ DM-Relay - Safe Laptop Mode via Linux Device Mapper Study Thesis by cand. inform. Fabian Franz at the Faculty of Informatics Supervisor: Prof. Dr. Frank Bellosa Supervising Research Assistant: Dipl.-Inform. Konrad Miller Day of completion: 04/05/2010 &KIT – Universitat¨ des Landes Baden-Wurttemberg¨ und nationales Forschungszentrum in der Helmholtz-Gemeinschaft www.kit.edu % I hereby declare that this thesis is my own original work which I created without illegitimate help by others, that I have not used any other sources or resources than the ones indicated and that due acknowledgment is given where reference is made to the work of others. Karlsruhe, April 5th, 2010 Contents Deutsche Zusammenfassung xi 1 Introduction 1 1.1 Problem Definition . .1 1.2 Objectives . .1 1.3 Methodology . .1 1.4 Contribution . .2 1.5 Thesis Outline . .2 2 Background 3 2.1 Problems of Disk Power Management . .3 2.2 State of the Art . .4 2.3 Summary of this chapter . .8 3 Analysis 9 3.1 Pro and Contra . .9 3.2 A new approach . 13 3.3 Analysis of Proposal . 15 3.4 Summary of this chapter . 17 4 Design 19 4.1 Common problems . 19 4.2 System-Design . 21 4.3 Summary of this chapter . 21 5 Implementation of a dm-module for the Linux kernel 23 5.1 System-Architecture . 24 5.2 Log suitable for Flash-Storage . 28 5.3 Using dm-relay in practice . 31 5.4 Summary of this chapter . 31 vi Contents 6 Evaluation 33 6.1 Methodology . 33 6.2 Benchmarking setup .
    [Show full text]
  • Vnios Deployment on KVM January 2019
    Deployment Guide vNIOS deployment on KVM January 2019 TABLE OF CONTENTS Overview .............................................................................................................................................. 3 Introduction ........................................................................................................................................ 3 vNIOS for KVM ................................................................................................................................... 3 vNIOS deployment on KVM ................................................................................................................ 3 Preparing the environment ................................................................................................................. 3 Installing KVM and Bridge utilities ...................................................................................................... 3 Creating various types networks ........................................................................................................ 5 Downloading vNIOS QCOW2 image ................................................................................................. 8 Copying vNIOS qcow2 image .......................................................................................................... 10 Deploying vNIOS with Bridge Networking........................................................................................ 11 Deploying vNIOS through xml file with Bridge Networking .............................................................
    [Show full text]
  • The Evolution of the Unix Time-Sharing System*
    The Evolution of the Unix Time-sharing System* Dennis M. Ritchie Bell Laboratories, Murray Hill, NJ, 07974 ABSTRACT This paper presents a brief history of the early development of the Unix operating system. It concentrates on the evolution of the file system, the process-control mechanism, and the idea of pipelined commands. Some attention is paid to social conditions during the development of the system. NOTE: *This paper was first presented at the Language Design and Programming Methodology conference at Sydney, Australia, September 1979. The conference proceedings were published as Lecture Notes in Computer Science #79: Language Design and Programming Methodology, Springer-Verlag, 1980. This rendition is based on a reprinted version appearing in AT&T Bell Laboratories Technical Journal 63 No. 6 Part 2, October 1984, pp. 1577-93. Introduction During the past few years, the Unix operating system has come into wide use, so wide that its very name has become a trademark of Bell Laboratories. Its important characteristics have become known to many people. It has suffered much rewriting and tinkering since the first publication describing it in 1974 [1], but few fundamental changes. However, Unix was born in 1969 not 1974, and the account of its development makes a little-known and perhaps instructive story. This paper presents a technical and social history of the evolution of the system. Origins For computer science at Bell Laboratories, the period 1968-1969 was somewhat unsettled. The main reason for this was the slow, though clearly inevitable, withdrawal of the Labs from the Multics project. To the Labs computing community as a whole, the problem was the increasing obviousness of the failure of Multics to deliver promptly any sort of usable system, let alone the panacea envisioned earlier.
    [Show full text]
  • Lab 1: Loadable Kernel Modules (Lkms)
    Lab 1: Loadable Kernel Modules (LKMs) Overview For this lab, we will be interfacing with an LCD screen using the Phytec board. This means we will be creating device drivers for our system to allow it to interact with our hardware. Since our board is running Linux­­ which is a pretty advanced operating system for most embedded devices­­ we will want to accomplish this by appending additional functionality to the working kernel. This is done using loadable kernel modules. Background Before we get too far, here is some important information we will need to know in order to interact with the Linux kernel and perform the functions we want. To write device drivers we must first understand what they are. There are three main types of device drivers; character, block, and network. In this class, we will be writing character device drivers. A character device driver is one that transfers data directly to and from a user process. This is the most common type of device driver. Character device drivers normally perform I/O in a byte stream. They can also provide additional interfaces not present in block drivers, such as I/O control commands, memory mapping, and device polling. Drivers that support a file system are known as block device drivers. Block ​ device drivers take a file system request, in the form of a buffer structure, and issue the ​ I/O operations to the disk to transfer the specified block. Block device drivers can also provide a character driver interface that allows utility programs to bypass the file system and access the device directly.
    [Show full text]