<p>To Bianca, for being who you are. </p><p>Abstract </p><p>Kernel-mode rootkits have gained a considerable momentum within the blackhat community. They represent a considerable threat to any computer system, as they provide an intruder with the ability to hide the presence of his malicious activity. These rootkits make changes to the operating system’s kernel, thereby providing particularly stealthy hiding techniques. </p><p>Considering the kernel rootkit threat and other threats, the collection of reliable information from a compromised system becomes a central problem within the domain of computer security. This thesis addresses this problem. It looks at the possibility of using virtualization as a means to facilitate kernel-mode rootkit detection through integrity checking. </p><p>The thesis describes several areas within the Linux kernel, which are commonly subverted by kernel-mode rootkits. It introduces the reader to the concept of virtualization and describes several technologies employing virtualization. The kernel-mode rootkit threat is then addressed through a description of their hiding methodologies. Some of the existing methods for malware detection are also addressed and analysed. </p><p>A number of general requirements, which need to be satisfied by a general model enabling kernel-mode rootkit detection, are identified. A model addressing these requirements is suggested, and a framework implementing the model is set-up. The detection capabilities of the framework are tested on a couple of rootkits. </p><p>iii </p><p>Preface </p><p>This report presents the results of my master thesis “Integrity checking of operating systems with respect to kernel level malware”. It is written as part of the Master degree (Sivilingeniør) in Computer Science at the Norwegian University of Science and Technology (NTNU), during Spring 2005. The work presented is based on a problem presented by the Computer Network Operations project (CNO857), a research project conducted at the Norwegian Defence Research Establishment (FFI). The work has been conducted at their facilities. </p><p>The work done during this semester has been challenging, instructive and interesting. My knowledge on the researched area was limited before I started my work. I had a limited knowledge to operating systems and Linux in particular. No knowledge of virtual machines, integrity checking and rootkits, and my C-programming skills where almost non existent. Hence, working with these new environments and technologies has thought me a lot, and I feel as though I have increased my platform as a computer scientist. </p><p>I would like to take this opportunity to thank my supervisor, Ane Daae Weng, for providing valuable guidance and feedback through all phases of this project. I would also like to thank professor Mads Nyg˚ard for useful input and support. Camilla Olsen and Espen Aarnes for correctional reading, and other feedback. Further, I would like to thank Tal Garfinkel for quick responses to my emails and his valuable advises on virtual machines. A special thanks is addressed to my fellow students Audun Simonsen and Oddvar Aarseth whom I have been sharing office with. Their support as discussion partners and frustration relieves has been invaluable. </p><p>Tobias Melcher <br>Kjeller, June 22, 2005 v</p><p>Acronyms </p><p>AIDE API </p><p>Advanced Intrusion Detection Environment Application Programmer Interface Community Public License </p><p>CPL CPU DNS ELF </p><p>Central Processing Unit Domain Name System Executable and Linking Format Norwegian Defence Research Establishment General Public License </p><p>FFI GPL HIDS IDS </p><p>Host-based Intrusion Detection System Intrusion Detection System Interrupt Descriptor Table </p><p>IDT LGPL LKM MMU NIC </p><p>Lesser General Public License Loadable Kernel Module Memory Management Unit Network Interface Card </p><p>NIDS </p><p>Network-based Intrusion Detection System <br>NTNU Norwegian University of Science and Technology </p><p>OS </p><p>Operating System User-mode Linux </p><p>UML </p><p>vii </p><p></p><ul style="display: flex;"><li style="flex:1">viii </li><li style="flex:1">Acronyms </li></ul><p></p><p>VFS VM </p><p>Virtual File System Switch Virtual Machine </p><p>VMM VMI </p><p>Virtual Machine Monitor Virtual Machine Introspection </p><p>Table of Contents </p><p></p><ul style="display: flex;"><li style="flex:1">Abstract </li><li style="flex:1">iii </li></ul><p></p><ul style="display: flex;"><li style="flex:1">v</li><li style="flex:1">Preface </li></ul><p></p><ul style="display: flex;"><li style="flex:1">Acronyms </li><li style="flex:1">vii </li></ul><p></p><ul style="display: flex;"><li style="flex:1">ix </li><li style="flex:1">Table of Contents </li></ul><p>List of Figures List of Tables xv xvii </p><ul style="display: flex;"><li style="flex:1">1 Introduction </li><li style="flex:1">1</li></ul><p></p><p>12345667<br>1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Problem definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Research questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4 Research methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5 Project scope and demarcation of assessment . . . . . . . . . . . . . . 1.6 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.7 Report outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . <br>1.7.1 Reader’s guide . . . . . . . . . . . . . . . . . . . . . . . . . . . </p><p></p><ul style="display: flex;"><li style="flex:1">2 The Linux kernel </li><li style="flex:1">9</li></ul><p></p><p></p><ul style="display: flex;"><li style="flex:1">2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . </li><li style="flex:1">9</li></ul><p>2.2 Architectural overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3 System calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 </p><ul style="display: flex;"><li style="flex:1">2.3.1 The system call table and the interrupt descriptor table (IDT) </li><li style="flex:1">13 </li></ul><p>2.3.2 System call invocation and lifecycle . . . . . . . . . . . . . . . . 13 <br>2.4 Memory management . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 <br>2.4.1 Memory organization . . . . . . . . . . . . . . . . . . . . . . . 16 </p><p>ix </p><p></p><ul style="display: flex;"><li style="flex:1">x</li><li style="flex:1">TABLE OF CONTENTS </li></ul><p></p><p>2.4.2 Virtual memory . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.4.3 Memory allocation . . . . . . . . . . . . . . . . . . . . . . . . . 18 <br>2.5 File system management . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.6 Loadable Kernel Modules (LKM) . . . . . . . . . . . . . . . . . . . . . 20 <br>2.6.1 Linking and unlinking modules . . . . . . . . . . . . . . . . . . 20 <br>2.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 </p><p></p><ul style="display: flex;"><li style="flex:1">3 The virtualization technology </li><li style="flex:1">23 </li></ul><p></p><p>3.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.2 Virtualization techniques . . . . . . . . . . . . . . . . . . . . . . . . . 24 <br>3.2.1 The virtual machine monitor (VMM) . . . . . . . . . . . . . . 24 3.2.2 Virtual environments . . . . . . . . . . . . . . . . . . . . . . . . 25 <br>3.3 Virtual machine technologies . . . . . . . . . . . . . . . . . . . . . . . 26 <br>3.3.1 Plex86 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3.2 VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3.3 Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3.4 User-mode Linux (UML) . . . . . . . . . . . . . . . . . . . . . 29 <br>3.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 </p><p></p><ul style="display: flex;"><li style="flex:1">4 Rootkits </li><li style="flex:1">33 </li></ul><p></p><p>4.1 Trojan horse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 4.2 User-mode rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 4.3 Kernel-mode rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 <br>4.3.1 Loadable Kernel Modules (LKM) . . . . . . . . . . . . . . . . . 37 4.3.2 Patching the running kernel . . . . . . . . . . . . . . . . . . . . 39 4.3.3 Patching the kernel binary image . . . . . . . . . . . . . . . . . 40 4.3.4 Create a fraudulent virtual system . . . . . . . . . . . . . . . . 41 4.3.5 Running programs in kernel-mode . . . . . . . . . . . . . . . . 41 <br>4.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 </p><p></p><ul style="display: flex;"><li style="flex:1">5 Defending the Linux kernel </li><li style="flex:1">43 </li></ul><p></p><p>5.1 Protecting a Linux system . . . . . . . . . . . . . . . . . . . . . . . . . 43 5.2 Intrusion detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.3 Anomality detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 <br>5.3.1 File integrity checking . . . . . . . . . . . . . . . . . . . . . . . 46 5.3.2 Kernel integrity checking . . . . . . . . . . . . . . . . . . . . . 47 5.3.3 Detecting anomalities in program execution . . . . . . . . . . . 48 5.3.4 Network connections and activity . . . . . . . . . . . . . . . . . 49 </p><p></p><ul style="display: flex;"><li style="flex:1">TABLE OF CONTENTS </li><li style="flex:1">xi </li></ul><p></p><p>5.4 Signature detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 <br>5.4.1 Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 5.4.2 Characterising kernel-mode rootkits . . . . . . . . . . . . . . . 50 <br>5.5 Hardware-based detection . . . . . . . . . . . . . . . . . . . . . . . . . 50 5.6 Sandboxing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 <br>5.6.1 Virtual machine introspection (VMI) . . . . . . . . . . . . . . . 51 5.6.2 Intrusion detection in virtual environments . . . . . . . . . . . 51 <br>5.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 </p><p></p><ul style="display: flex;"><li style="flex:1">6 A model supporting kernel integrity checking </li><li style="flex:1">53 </li></ul><p></p><p>6.1 Motivating scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 <br>6.1.1 The MyOil scenario . . . . . . . . . . . . . . . . . . . . . . . . 54 6.1.2 Summarising and analysing the scenario . . . . . . . . . . . . . 56 <br>6.2 Model requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 <br>6.2.1 Properties of kernel level malware . . . . . . . . . . . . . . . . 58 6.2.2 Behaviour and support . . . . . . . . . . . . . . . . . . . . . . . 59 6.2.3 Provided services . . . . . . . . . . . . . . . . . . . . . . . . . . 60 <br>6.3 Overall description of the model . . . . . . . . . . . . . . . . . . . . . 60 <br>6.3.1 Component functionalities and responsibilities . . . . . . . . . 62 6.3.2 Main features . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 6.3.3 Comparison of the VMI architecture and the described model . 65 <br>6.4 Employing the model on the MyOil scenario . . . . . . . . . . . . . . . 66 </p><p></p><ul style="display: flex;"><li style="flex:1">7 Building a framework </li><li style="flex:1">69 </li></ul><p></p><p>7.1 Selecting a virtualization technology . . . . . . . . . . . . . . . . . . . 69 <br>7.1.1 Requirement coverage . . . . . . . . . . . . . . . . . . . . . . . 70 7.1.2 Other considerations . . . . . . . . . . . . . . . . . . . . . . . . 71 7.1.3 Open source evaluation . . . . . . . . . . . . . . . . . . . . . . 72 7.1.4 Summarizing the virtualization technology evaluation . . . . . 72 <br>7.2 Selecting an integrity checker . . . . . . . . . . . . . . . . . . . . . . . 73 <br>7.2.1 Requirement coverage . . . . . . . . . . . . . . . . . . . . . . . 73 7.2.2 Other considerations . . . . . . . . . . . . . . . . . . . . . . . . 75 7.2.3 Open source evaluation . . . . . . . . . . . . . . . . . . . . . . 75 7.2.4 Summarizing the integrity checker evaluation . . . . . . . . . . 75 <br>7.3 Framework setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 <br>7.3.1 Installing Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 7.3.2 Running Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 7.3.3 Installing and initialising Afick . . . . . . . . . . . . . . . . . . 79 </p><p></p><ul style="display: flex;"><li style="flex:1">xii </li><li style="flex:1">TABLE OF CONTENTS </li></ul><p></p><p>7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 </p><p></p><ul style="display: flex;"><li style="flex:1">8 Applying the framework </li><li style="flex:1">83 </li></ul><p></p><p>8.1 Test setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 <br>8.1.1 Preparing the guest system . . . . . . . . . . . . . . . . . . . . 84 8.1.2 Installing and running Adore . . . . . . . . . . . . . . . . . . . 84 8.1.3 Installing and running Adore-ng . . . . . . . . . . . . . . . . . 84 8.1.4 Installing and running SucKIT . . . . . . . . . . . . . . . . . . 85 8.1.5 Final test setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 <br>8.2 Test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 <br>8.2.1 Test 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 8.2.2 Test 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 8.2.3 Result summary . . . . . . . . . . . . . . . . . . . . . . . . . . 89 </p><p></p><ul style="display: flex;"><li style="flex:1">9 Discussion and evaluation </li><li style="flex:1">91 </li></ul><p></p><p>9.1 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 <br>9.1.1 Discussion of results . . . . . . . . . . . . . . . . . . . . . . . . 91 9.1.2 Discussion of the framework . . . . . . . . . . . . . . . . . . . . 92 9.1.3 Discussion of the model . . . . . . . . . . . . . . . . . . . . . . 94 <br>9.2 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 </p><p></p><ul style="display: flex;"><li style="flex:1">10 Conclusion and further work </li><li style="flex:1">99 </li></ul><p></p><p>10.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 <br>10.1.1 Important themes . . . . . . . . . . . . . . . . . . . . . . . . . 99 10.1.2 Contributions of this thesis . . . . . . . . . . . . . . . . . . . . 100 10.1.3 The future . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 <br>10.2 Further work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 <br>10.2.1 Implementing the model . . . . . . . . . . . . . . . . . . . . . . 101 10.2.2 Further research . . . . . . . . . . . . . . . . . . . . . . . . . . 101 </p><p></p><ul style="display: flex;"><li style="flex:1">Bibliography </li><li style="flex:1">103 </li></ul><p>109 113 <br>A Glossary B Rootkit examples </p><p>B.1 Subverting the VFS - Adore-ng . . . . . . . . . . . . . . . . . . . . . . 113 B.2 Patching /dev/kmem - SucKIT . . . . . . . . . . . . . . . . . . . . . . 115 </p><p></p><ul style="display: flex;"><li style="flex:1">C Rootkit detection tools </li><li style="flex:1">117 </li></ul><p></p><ul style="display: flex;"><li style="flex:1">TABLE OF CONTENTS </li><li style="flex:1">xiii </li></ul><p></p><ul style="display: flex;"><li style="flex:1">D Creating and running Loadable Kernel Modules (LKM) </li><li style="flex:1">119 </li></ul><p></p><p>D.1 LKM programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 D.2 LKM compilation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 </p><p></p><ul style="display: flex;"><li style="flex:1">E Notation </li><li style="flex:1">121 </li></ul><p></p><p>E.1 Notation used in the evaluation table . . . . . . . . . . . . . . . . . . . 121 E.2 False-positives and false-negatives . . . . . . . . . . . . . . . . . . . . . 123 </p><p>List of Figures </p><p></p><ul style="display: flex;"><li style="flex:1">1.1 Report overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . </li><li style="flex:1">8</li></ul><p>2.1 Intel x86 protection rings . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.2 Conceptual Linux architecture . . . . . . . . . . . . . . . . . . . . . . 11 2.3 System calls as an interface to hardware . . . . . . . . . . . . . . . . . 12 2.4 The Linux system call table . . . . . . . . . . . . . . . . . . . . . . . . 14 2.5 System call invocation in Linux . . . . . . . . . . . . . . . . . . . . . . 15 2.6 Reserved memory for the Linux kernel . . . . . . . . . . . . . . . . . . 17 2.7 The Linux virtual memory . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.8 The Linux file system . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.9 Loadable kernel module . . . . . . . . . . . . . . . . . . . . . . . . . . 21 </p><p>3.1 Virtual machine environments [30] . . . . . . . . . . . . . . . . . . . . 25 3.2 VMware architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3 Xen architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 3.4 User-mode Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 </p><p>4.1 Comparison of user-mode and kernel-mode rootkits . . . . . . . . . . . 36 4.2 Loading an evil Loadable Kernel Module (LKM) . . . . . . . . . . . . 38 4.3 Runtime kernel patching . . . . . . . . . . . . . . . . . . . . . . . . . . 40 </p><p>6.1 Scenario: MyOil’s network . . . . . . . . . . . . . . . . . . . . . . . . . 54 6.2 Scenario: MyOil’s network under attack . . . . . . . . . . . . . . . . . 56 6.3 Overall system description . . . . . . . . . . . . . . . . . . . . . . . . . 61 6.4 Architectural overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 6.5 Employing the model on the scenario . . . . . . . . . . . . . . . . . . . 66 </p><p>7.1 Detection framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 7.2 The configuration file for the Fedora2 domain . . . . . . . . . . . . . . 79 7.3 Running Xen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 </p><p>xv </p><p></p><ul style="display: flex;"><li style="flex:1">xvi </li><li style="flex:1">LIST OF FIGURES </li></ul><p></p><p>8.1 Running SucKIT on the Fedora2 domain . . . . . . . . . . . . . . . . . 86 8.2 Running a modified SucKIT on the Fedora2 domain . . . . . . . . . . 86 8.3 The framework test setup . . . . . . . . . . . . . . . . . . . . . . . . . 87 8.4 Detecting Adore by comparison . . . . . . . . . . . . . . . . . . . . . . 88 8.5 Detecting the Adore rootkit with Afick . . . . . . . . . . . . . . . . . . 89 </p><p>B.1 The Adore user interface, Ava. . . . . . . . . . . . . . . . . . . . . . . 114 </p><p>List of Tables </p><p>3.1 Para-virtualizing the x86 architecture in Xen [5] . . . . . . . . . . . . 28 3.2 Running Linux in user-mode [17, 59] . . . . . . . . . . . . . . . . . . . 30 </p><p>5.1 Linux commands for anomality detection . . . . . . . . . . . . . . . . 45 6.1 General requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 7.1 Open source software evaluation . . . . . . . . . . . . . . . . . . . . . 72 7.2 Open source software evaluation . . . . . . . . . . . . . . . . . . . . . 75 7.3 Mapping the framework to the model of Chapter 6 . . . . . . . . . . . 81 </p><p>8.1 Mapping the test setup to the model of Chapter 6 . . . . . . . . . . . 86 9.1 Covering the general requirements . . . . . . . . . . . . . . . . . . . . 94 </p><p>xvii </p><p>Chapter 1 </p><p>Introduction </p><p>The theme of this master thesis is the use of integrity checking of the operating systems kernel to discover anomalities implying kernel level exploits. The focus will be on the Linux kernel and the detection of kernel-mode rootkits. </p><p>Section 1.1 outlines the motivation and importance of discovering malicious activity. Section 1.2 defines the problem addressed. Lastly Section 1.7 describes the structure of this thesis, serving as a roadmap for the reader. </p><p>1.1 Motivation </p><p>Interconnected computers are subject to constant attacks from people wanting to exploit the processing power, gain access to information, or to have fun. Preventing and detecting such attacks is important to assure a certain level of integrity and privacy for computing systems. Since methods employed by attackers become more and more sophisticated, we have a continuous arms race between defenders and attackers. </p><p>Common goals of the attacker include; to make sure that the legitimate users or system administrators are unaware of their system being compromised, and when administrator privileges are obtained, to maintain and keep this privileged access in the foreseeable future. A commonly used method achieving these goals is the use of a rootkit. A rootkit is a collection of tools, which allows an intruder to hide his presence and maintain his access. </p><p>Two types of rootkits exist; user-mode rootkits and kernel-mode rootkits. A usermode rootkit modifies critical system level binaries and programs, while a kernel-mode </p><p>1</p><p></p><ul style="display: flex;"><li style="flex:1">2</li><li style="flex:1">Chapter 1. Introduction </li></ul><p></p><p>rootkit replaces or modifies the operating systems kernel. Kernel-mode rootkits are harder to detect than user-mode rootkits. They operate on a low level and hence user-mode inspection tools are unable to detect such rootkits. This makes the kernelmode rootkit a very powerful tool. Further, rootkits have become more user-friendly as blackhat hackers<sup style="top: -0.3298em;">1 </sup>have applied user interfaces allowing not so well-informed intruders, or script kiddies, to apply the rootkit easily. These advantages have made kernel-mode rootkits very popular, and they have become common in a high percentage of the intrusions reported, implying administrator level access [39]. </p>
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages141 Page
-
File Size-