Kenfe-Mickaël Laventure, Laurent Malvert
Macquarie University, 2008-11-12
LEMONA: Linux Enhanced Monitoring Architecture
Linux zest for security
Lemona – Linux Enhanced Monitoring Architecture 2 2008-11-12 Laventure / Malvert
Outline
• Lemona
  – Project
  – Overview
  – Architecture
  – Workflow
  – Code Review
    • Macros
    • Structures
    • Mixers
    • Blades
  – Build
  – Load / Unload
• References
Lemona > Project
• Open Architecture
  – Open Protocols
  – Open Source Implementation
• Decentralized
  – Local Tracing Components
  – Remote Monitoring Components
• Prevention, Detection, Forensics, Recovery
  – Possible…?
Lemona > Overview
• Exhaustiveness
  – Kernel Land Tracer: 100% User Land Coverage
• Integrity
  – Harder to bypass: would require Kernel Level code
  – Integrity Checks
• Flexible
  – Variable Granularity Levels
  – Selectable Hooks
Lemona > Architecture
[Architecture diagram: Inside Attackers and Outside Attackers act on the Target; Lemona traces are transmitted from the Target to a Storage Point, which Forensics Tools read. Sub-diagram: Architecture > Workflow / Hooks]
Lemona > Workflow
Lemona > Code Review
• Lemona
  – Statically compiled; or
  – Loaded as a Linux Kernel Module
• Mixers
  – Definitions of structures and function pointers to record system call activity
• Blades
  – Predefined functions to process system calls’ parameters
• Zests
  – Custom structures to transfer and store records
Lemona > Macros

extern atomic_t lemona_activated;
static lemonalogfn _lemona_log = NULL;

# define lemona_block_start \
  if (atomic_read(&lemona_activated) != 0) \
  {

# define lemona_log_in(sysnr, argnr, extnr, ...) \
  __lemona_log(sysnr, true, argnr, extnr, ## __VA_ARGS__)

# define lemona_log_out(sysnr, argnr, extnr, ...) \
  __lemona_log(sysnr, false, argnr, extnr, ## __VA_ARGS__)

# define lemona_block_end \
  } \
  else { \
    _lemona_log = NULL; \
  }

#define __lemona_log(sysnr, in, argnr, extnr, ...) { \
  if (_lemona_log == NULL) \
    _lemona_log = (lemonalogfn)kallsyms_lookup_name("lemona_log"); \
  _lemona_log(sysnr, in, argnr, extnr, ## __VA_ARGS__); \
}
Lemona > Macros

lemona_block_start {
  lemona_log_in(__NR_open, 3, 0, filename, &flags, &mode);
} lemona_block_end;

preprocessing (CPP)

if (atomic_read(&lemona_activated) != 0) {
  if (_lemona_log == NULL)
    _lemona_log = (lemonalogfn)kallsyms_lookup_name("lemona_log");
  _lemona_log(__NR_open, true, 3, 0, filename, &flags, &mode);
} else {
  _lemona_log = NULL;
}
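The two macro slides above show a hook that is gated on lemona_activated, resolves the logger lazily through kallsyms_lookup_name() and, on the inactive path, throws the cached pointer away. The user-space model below (an added example, not Lemona's code) reproduces that control flow so the reason for the else branch is visible: once the module has been unloaded and reloaded, the old function address is stale, and a hook that kept it would call into freed memory. atomic_t and kallsyms_lookup_name() are replaced by a plain int and a lookup_symbol() stand-in; NR_OPEN_EXAMPLE, hooked_sys_open() and the counters are this example's own assumptions.

```c
/* Added example, not Lemona's code: user-space model of the
 * lemona_block_start / lemona_block_end gating macros.  atomic_t and
 * kallsyms_lookup_name() are stood in for by a plain int and
 * lookup_symbol(); NR_OPEN_EXAMPLE, hooked_sys_open() and the counters
 * are assumptions made here for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_OPEN_EXAMPLE 5     /* assumed syscall number for open() */

typedef void (*lemonalogfn)(int sysnr, bool in, int argnr, int extnr, ...);

static int lemona_activated = 0;        /* stands in for atomic_t */
static lemonalogfn _lemona_log = NULL;  /* cached pointer to the logger */

/* Observable side effects, so the behaviour can be checked. */
int lookups = 0;      /* how often the logger symbol was resolved */
int records = 0;      /* how many records reached the logger */
int last_sysnr = -1;  /* syscall number of the last record */

/* Stands in for the module's exported lemona_log(). */
static void lemona_log(int sysnr, bool in, int argnr, int extnr, ...)
{
    (void)in; (void)argnr; (void)extnr;
    records++;
    last_sysnr = sysnr;
}

/* Stands in for kallsyms_lookup_name(): the symbol only exists while the
 * module is loaded, which in this model coincides with monitoring being on. */
static lemonalogfn lookup_symbol(const char *name)
{
    (void)name;
    lookups++;
    return lemona_activated ? lemona_log : NULL;
}

/* Same shape as the slide's macros, minus the kernel helpers. */
#define lemona_block_start if (lemona_activated != 0) {
#define lemona_block_end   } else { _lemona_log = NULL; }
#define lemona_log_in(sysnr, argnr, extnr, ...) \
    __lemona_log(sysnr, true, argnr, extnr, ## __VA_ARGS__)
#define __lemona_log(sysnr, in, argnr, extnr, ...) { \
    if (_lemona_log == NULL) \
        _lemona_log = lookup_symbol("lemona_log"); \
    _lemona_log(sysnr, in, argnr, extnr, ## __VA_ARGS__); \
}

/* A hooked open() entry point, instrumented the way the kernel patch does it. */
static void hooked_sys_open(const char *filename, int flags, int mode)
{
    lemona_block_start {
        lemona_log_in(NR_OPEN_EXAMPLE, 3, 0, filename, &flags, &mode);
    } lemona_block_end;
}

/* Activate, trace, deactivate (module unloaded), reactivate (module reloaded,
 * possibly at a new address).  Returns the number of symbol lookups made;
 * records and last_sysnr hold the other results. */
int run_cycle(void)
{
    lookups = records = 0; last_sysnr = -1; _lemona_log = NULL;
    hooked_sys_open("/etc/hosts", 0, 0);    /* inactive: no lookup, no record */
    lemona_activated = 1;
    hooked_sys_open("/etc/hosts", 0, 0);    /* first call resolves the symbol */
    hooked_sys_open("/etc/hosts", 0, 0);    /* cached pointer reused */
    lemona_activated = 0;
    hooked_sys_open("/etc/hosts", 0, 0);    /* else branch drops the stale pointer */
    lemona_activated = 1;
    hooked_sys_open("/etc/hosts", 0, 0);    /* must resolve again, not reuse */
    return lookups;
}

int main(void)
{
    int n = run_cycle();
    printf("lookups=%d records=%d last_sysnr=%d\n", n, records, last_sysnr);
    return 0;
}
```

The cycle performs two lookups for three records: the pointer is cached across calls while monitoring stays on, and the inactive path invalidates it so the next activation resolves the symbol afresh. One caveat for anyone porting this pattern: kallsyms_lookup_name() has not been exported to modules since Linux 5.7, so the lazy-resolution trick on the slide does not build unchanged against current kernels.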
Lemona > Structures

struct lemona_zest {
  char            magic[4];           /* magic number */
  int             size;               /* size taken by this zest and args sz/value */
  int             in;                 /* input or output ? */
  struct timespec time;               /* call start/end time (getnstimeofday) */
  pid_t           pid;                /* actual pid */
  pid_t           tgid;               /* thread group id */
  uid_t           uid, euid, fsuid;   /* user identification numbers */
  gid_t           gid, egid, fsgid;   /* group identification numbers */
  int             sysnr;              /* syscall id */
  int             argnr;              /* number of args */
  int            *argsz;              /* ptr to an array of int giving each arg size */
  void           *args;               /* ptr to the first argument of the array */
  int             extnr;              /* extra value number */
  int            *extsz;              /* size of each extension */
  void           *exts;               /* extra values, located after the last arg */
} __attribute__((packed));
Lemona > Structures

typedef int (*bladefn)(struct lemona_zest *zest,  /* zest to fill */
                       int isExt,                 /* is an extra? */
                       int idx,                   /* which arg/ext? */
                       int off,                   /* memory offset */
                       void *fruit1,              /* 1st data arg */
                       void *fruit2);             /* 2nd data arg */

struct __lemona_mixer_handler {
  bool    dual;   /* is this a dual blade? */
  bladefn blade;  /* blade function processing this parameter */
};

struct __lemona_mixer {
  int argnr;                                   /* number of syscall parameters */
  int extnr;                                   /* number of extra parameters */
  struct __lemona_mixer_handler handlers[6];   /* pre-defined handlers */
};

struct lemona_mixer {
  int sysnr;                  /* system call number */
  struct __lemona_mixer in;   /* call entrance mixer */
  struct __lemona_mixer out;  /* call exit mixer */
};
Lemona > Mixers

const struct lemona_mixer lemona_mixers[] = {
  /* ... */
  {
    .sysnr = __NR_open,
    .in = {
      .argnr = 3, .extnr = 0,
      .handlers = {
        { .dual = false, .blade = lemona_blade_string_null },
        { .dual = false, .blade = lemona_blade_integer },
        { .dual = false, .blade = lemona_blade_integer },
      }
    },
    .out = {
      .argnr = 1, .extnr = 1,
      .handlers = {
        { .dual = false, .blade = lemona_blade_integer },
        { .dual = false, .blade = lemona_blade_string_fd },
      },
    }
  },
  /* ... */
};
Lemona > Blades
• Generics (blades/generics.c)
  int lemona_blade_integer(...);
  int lemona_blade_integer64(...);
  int lemona_blade_long(...);
  int lemona_blade_long_long(...);
  int lemona_blade_output_buffer(...);
• Strings (blades/strings.c)
  int lemona_blade_string_null(...);
  int lemona_blade_string_fd(...);
• Input/Output Vectors (blades/iovec.c)
  int lemona_blade_iovec(...);
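The Structures, Mixers and Blades slides describe one pipeline: a mixer entry names, per system call, which blade handles each argument; the blades copy the argument bytes into a zest whose argsz[] array records each argument's size; and a forensics tool later walks the zest using those sizes. The user-space C below is an added example, not Lemona's code, that models that pipeline end to end for the open() entrance mixer shown on the Mixers slide. The record layout keeps the idea of struct lemona_zest (header, per-argument sizes, then the packed argument bytes) but is simplified; the "ZEST" magic, ZEST_CAP, NR_OPEN_EXAMPLE, and the blade, mixer and demo names are assumptions made here by analogy with the slides. It also shows the two checks a practitioner wants on each side: the string blade refuses a path the record cannot hold rather than truncating it silently, and the reader validates magic, index and bounds before trusting a stored record.

```c
/* Added example, not Lemona's code: user-space model of the mixer ->
 * blade -> zest pipeline.  "ZEST", ZEST_CAP, NR_OPEN_EXAMPLE and the
 * function names are assumptions made here by analogy with the slides. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ZEST_CAP 128          /* bytes available for packed arguments (assumed) */
#define NR_OPEN_EXAMPLE 5     /* assumed syscall number for open() */

/* Simplified zest: header, per-argument sizes, then packed argument bytes. */
struct zest {
    char magic[4];
    int sysnr, in, argnr;
    int argsz[6];             /* size of each recorded argument */
    int used;                 /* bytes of args[] consumed so far */
    unsigned char args[ZEST_CAP];
};

/* Blade: copy argument idx from fruit into the zest; 0 on success, -1 if refused. */
typedef int (*bladefn)(struct zest *z, int idx, const void *fruit);

static int blade_integer(struct zest *z, int idx, const void *fruit)
{
    if (z->used + (int)sizeof(int) > ZEST_CAP) return -1;
    memcpy(z->args + z->used, fruit, sizeof(int));
    z->argsz[idx] = sizeof(int);
    z->used += sizeof(int);
    return 0;
}

/* NUL-terminated string: bounded scan, terminator included; refuse rather
 * than truncate when the record cannot hold the whole string. */
static int blade_string_null(struct zest *z, int idx, const void *fruit)
{
    const char *s = fruit;
    int room = ZEST_CAP - z->used, n = 0;
    while (n < room && s[n] != '\0') n++;
    if (n == room) return -1;             /* no space left for the NUL */
    memcpy(z->args + z->used, s, (size_t)n + 1);
    z->argsz[idx] = n + 1;
    z->used += n + 1;
    return 0;
}

struct mixer { int sysnr; int argnr; bladefn blades[6]; };

/* Entrance mixer for open(filename, flags, mode), mirroring the Mixers slide. */
static const struct mixer mixers[] = {
    { NR_OPEN_EXAMPLE, 3, { blade_string_null, blade_integer, blade_integer } },
};

/* Hook side: find the mixer for sysnr and run its blades over the arguments. */
int mix(struct zest *z, int sysnr, bool in, const void *const fruits[])
{
    for (size_t i = 0; i < sizeof mixers / sizeof mixers[0]; i++) {
        const struct mixer *m = &mixers[i];
        if (m->sysnr != sysnr) continue;
        memset(z, 0, sizeof *z);
        memcpy(z->magic, "ZEST", 4);
        z->sysnr = sysnr; z->in = in; z->argnr = m->argnr;
        for (int a = 0; a < m->argnr; a++)
            if (m->blades[a](z, a, fruits[a]) != 0) return -1;
        return 0;
    }
    return -1;                            /* syscall has no mixer */
}

/* Reader side (what a forensics tool does with a stored zest): locate argument
 * idx by summing the preceding sizes, checking every bound because the record
 * comes from a store whose contents the reader cannot assume are intact. */
const unsigned char *zest_arg(const struct zest *z, int idx, int *sz)
{
    if (memcmp(z->magic, "ZEST", 4) != 0 || idx < 0 || idx >= z->argnr) return NULL;
    int off = 0;
    for (int a = 0; a < idx; a++) off += z->argsz[a];
    if (z->argsz[idx] < 0 || off + z->argsz[idx] > z->used) return NULL;
    *sz = z->argsz[idx];
    return z->args + off;
}

/* Record open("/etc/hosts", 0, 0644) and read the mode argument back. */
int demo_open_mode(void)
{
    struct zest z; int flags = 0, mode = 0644, sz, v;
    const void *const fruits[3] = { "/etc/hosts", &flags, &mode };
    if (mix(&z, NR_OPEN_EXAMPLE, true, fruits) != 0) return -1;
    const unsigned char *p = zest_arg(&z, 2, &sz);
    if (p == NULL || sz != (int)sizeof(int)) return -1;
    memcpy(&v, p, sizeof v);
    return v;                             /* 0644 == 420 */
}

/* A path longer than the record can hold is refused (returns 1), not cut. */
int demo_long_path_refused(void)
{
    struct zest z; int flags = 0, mode = 0;
    char path[ZEST_CAP + 8];
    memset(path, 'a', sizeof path - 1); path[sizeof path - 1] = '\0';
    const void *const fruits[3] = { path, &flags, &mode };
    return mix(&z, NR_OPEN_EXAMPLE, true, fruits) == -1;
}
```

The real blades take the zest, an is-extra flag, an index, an offset and two data pointers (see the bladefn typedef on the Structures slide); the single-pointer signature here keeps the example short while preserving the dispatch-by-table idea. Refusing an over-long argument instead of truncating it is a deliberate choice for a forensics record: a truncated path would be indistinguishable from a genuinely short one when the record is read back.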
Lemona > Build
$> cd $(PATH_TO_KERNEL_SRC)
$> wget http://lemona.googlecode.com/svn/trunk/patchs/patch-2.6.26.3
$> patch -p1 < patch-2.6.26.3
$> make menuconfig
$> make && make modules_install && make install
Lemona > Load / Unload
$> cd $(PATH_TO_MODULES)
$> sudo insmod ./lemona.ko
$> dmesg | tail -2
-==Lemona==- Initialization for kernel tree 2.6.26.3...
-==Lemona==- Done.
$> sudo rmmod lemona
$> dmesg | tail -2
-==Lemona==- Uninitializing...
-==Lemona==- Done.
Outline
• Security and Forensics
  – Forensics
  – Computer Security
  – Computer Forensics
• Related Work
• Lemona
  – Project
  – Overview
  – Architecture
• References
References
[home] http://lemona.googlecode.com/
[blog] http://lemona-project.blogspot.com/
[wiki] http://lemona.googlecode.com/wiki/
[SCM] http://lemona.googlecode.com/svn/
[group] http://groups.google.com/group/lemona/