Presentation is loading. Please wait.

Presentation is loading. Please wait.

Undermining the Linux Kernel: Malicious Code Injection via /dev/mem

Published byBenny Hadiman Modified over 5 years ago

Similar presentations

Presentation on theme: "Undermining the Linux Kernel: Malicious Code Injection via /dev/mem"— Presentation transcript:

1 Undermining the Linux Kernel: Malicious Code Injection via /dev/mem
Anthony Lineberry SCALE 7x 2009

2 Introduction Security Researcher for Flexilis
Experience in reverse engineering/exploit development Active in Open Source kernel development (non- mainstream kernel)

3 Overview What is a rootkit? Why is protection difficult?
Current protection mechanisms/bypasses Injection via /dev/mem Fun things to do once you’re in Proposed solutions

4 Part I Rootkit?

5 What is a rootkit? Way to maintain access (regain “root” after successful exploitation) Hide files, processes, etc Control activity File I/O Network Keystroke Logger

6 Types of rootkits User-Land (Ring 3)
Trojaned Binaries (oldest trick in the book) Binary patching Source code modification Process Injection/Thread Injection PTRACE_ATTACH, SIGNAL injection Does not affect stability of system

7 Types of rootkits Kernel-Land (Ring 0) Kernel Modules/Drivers
Hot Patching memory directly! (we’ll get to that ;)

8 Why are rootkits hard to defend against?
Part II Why are rootkits hard to defend against?

9 Why so hard? Most modern rootkits live in the kernel Kernel is God
Impractical to check EVERYTHING inside kernel Speed hits Built in security can be circumvented by more kernel code (if an attacker can get code in, game over)

10 Current Rootkit Defense
Part III Current Rootkit Defense

11 Current Defense Checking Tables in kernel (sys_call_table, IDT, etc)
Compares tables against known good Can be bypassed by creating duplicate table to use rather than modifying the main table

12 Current Defense Hashes/Code Signing In kernel In userland
Hash critical sections of code Require signed kernel modules In userland Hashes of system binaries Tripwire, etc Signed binaries File System Integrity

13 Current Defense Non-Modularity
Main suggested end all way to stop kernel space rootkits (obviously this is a fail) /dev/kmem was previously used in a similar fashion, but read/write access has since been closed off in kernel mainline

14 Code Injection via /dev/mem
Part IV Code Injection via /dev/mem

15 What is /dev/mem? /dev/mem Who needs this?
Driver interface to physically addressable memory. lseek() to offset in “file” = offset in physical mem EG: Offset 0x = Physical Address 0x100000 Reads/Writes like a regular character device Who needs this? X Server (Video Memory & Control Registers) DOSEmu

16 Hijacking the kernel Kernel addressing is virtual. How do we translate to physical addresses?

17 Address Translation Find a Page Table Directory (stored in cr3 register) Finding one is harder done than said We can cheat because of how the kernel is mapped

18 Address Translation Higher half GDT loading concept applies
Bootloader trick to use Virtual Addresses along with GDT in unprotected mode to resolve physical addresses. Kernel usually loaded at 0x (1MB) in physical memory Mapped to 0xC (3GB+1MB) Virtually

19 Address Translation 0x40000000 + 0xC0100000 = 0x00100000
GDT Base Address + 0xC Kernel Virtual Address = 0x Physical Address

20 Address Translation Obviously over thinking that…
No need to wrap around 32bit address, just subtract. 0xC – 0xC = 0x100000

21 Hijacking the kernel #define KERN_START 0xC int read_virt(unsigned long addr, void *buf, unsigned int len) { if(addr < KERN_START) return -1; /* addr is now physical address */ addr -= KERN_START; lseek(memfd, addr, SEEK_START); return read(memfd, buf, len); }

22 Useful structures Determine offset to important structures
IDT sys_call_table kmalloc() Where are they?

23 IDT Interrupt Descriptor Table (IDT)
Table of interrupt handlers/call gates 0x80’th handler entry = Syscall Interrupt IDTR holds structure with address of IDT Get/Set IDTR with LIDT/SIDT assembly instructions Unlike LIDT instruction, SIDT is not protected and can be executed from user space to get IDT address.

24 IDTR IDTR Structure struct { uint32_t base; uint16_t limit; } idtr;
Base Address (4 btyes) Limit (2 bytes) struct { uint32_t base; uint16_t limit; } idtr; __asm__(“sidt %0” : “=m”(idtr));

25 IDT Entry IDT Entry (8 bytes) 16 31 Low 16bits of Handler Address
16 31 Low 16bits of Handler Address Code Segment Selector Flags High 16bits of Handler Address

26 IDT IDT idtr.base

27 IDT IDT idtr.base idtr.base + (0x80 * 8) Entry for Syscall Interrupt

28 IDT IDT idtr.base idtr.base + (0x80 * 8) Entry for Syscall Interrupt
system_call()

29 System Calls system_call() – Main entry point for system calls
sys_call_table – Array of function pointers sys_read(), sys_write(), etc

30 System Calls Syscall Number stored in EAX register
call ptr 0x????????(eax,4) 0x???????? Is the address of sys_call_table Opcode for instruction: FF ?? ?? ?? ?? Read in memory at system_call(), search for byte sequence “\xFF\x14\x85”. Next 4 following bytes are address of sys_call_table!

31 Hijacking the kernel Now we can: What now? Find IDT
Find system_call() handler function Use simple heuristic to find address of sys_call_table What now? Overwrite system calls with our own code!

32 Hijacking the kernel Where do we put our code?
Need to allocate space in the kernel We can locate __kmalloc() inside the kernel and use that.

33 Hijacking the kernel Finding __kmalloc() Use heuristics
push GFP_KERNEL push SIZE call __kmalloc Find kernel symbol table Search for “\0__kmalloc\0” in memory Find reference to address of above sequence then subtract 4 bytes from location

34 Hijacking the kernel How can we allocate kernel memory from userspace?
Overwrite a system call with code to call __kmalloc()

35 Function Clobbering sys_uname() Backup Buffer sys_call_table
__NR_uname __kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc , %ecx call %ecx ret

36 Function Clobbering sys_uname() Backup Buffer sys_call_table 100 bytes
__NR_uname __kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc , %ecx call %ecx ret

37 Function Clobbering sys_uname() Backup Buffer sys_call_table 100 bytes
__NR_uname __kmalloc stub push $0xD0 ;GFP_KERNEL push $0x1000 ; 4k mov 0xc , %ecx call %ecx ret

38 Function Clobbering sys_uname() Backup Buffer sys_call_table 100 bytes
__kmalloc stub __NR_uname

39 Hijacking the kernel Call sys_uname()
unsigned long kernel_buf; __asm__(“mov $122, %%eax \n” “int $0x \n” “mov %%eax, %0 ” : “=r”(kernel_buf)); Address of buffer allocated in kernel space returned by syscall in EAX register

40 Fun things to do inside the kernel
Part V Fun things to do inside the kernel

41 Hijacking the kernel Recap:
read/write anywhere in memory with /dev/mem sys_call_table Kernel allocation capabilities Time to have fun!

42 Hijacking the kernel What can we do?
Use our kernel buffers we allocated to store raw executable code. Overwrite function pointers in kernel with address of our allocated buffers sys_call_table entries, page fault handler code Setup code to use Debug registers to “hook” system call table

43 Hijacking the kernel What can we do with our injected code?
Anything most other rootkits can do. Hide files, processes, etc Control network activity Limitations All injected code must usually be handwritten assembly Some structures/functions can be difficult to locate in memory

44 Solutions/Mitigation
Part V Solutions/Mitigation

45 Solutions Why does a legitimate user process need access to read anything from above 16k in physical memory? Modify mem driver to disallow lseeks past 16k SELinux has created a patch to address this problem (RHEL and Fedora kernels are safe) Would like to see this limition applied to main kernel source

46 Questions?

Download ppt "Undermining the Linux Kernel: Malicious Code Injection via /dev/mem"

Similar presentations

USERSPACE I/O Reporter: R98922086 張凱富.

USERSPACE I/O Reporter: R 張凱富.
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.

ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
Memory Management (II)

Memory Management (II)
Introduction to Kernel

Introduction to Kernel
16.317 Microprocessor Systems Design I Instructor: Dr. Michael Geiger Fall 2012 Lecture 15: Protected mode intro.

Microprocessor Systems Design I Instructor: Dr. Michael Geiger Fall 2012 Lecture 15: Protected mode intro.
UNIT 2 Memory Management Unit and Segment Description and Paging

UNIT 2 Memory Management Unit and Segment Description and Paging
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.

Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.
Chapter 8 – Main Memory (Pgs 315 - 350). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.

Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.

Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.
Virtual Memory Review Goal: give illusion of a large memory Allow many processes to share single memory Strategy Break physical memory up into blocks (pages)

Virtual Memory Review Goal: give illusion of a large memory Allow many processes to share single memory Strategy Break physical memory up into blocks (pages)
Operating Systems Lecture 3. 11 November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,

Operating Systems Lecture November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,
Enforcing Modularity Junehwa Song CS KAIST. Network Computing Lab. How to run multiple modules? Emacs X server Mail Reader File Server.

Enforcing Modularity Junehwa Song CS KAIST. Network Computing Lab. How to run multiple modules? Emacs X server Mail Reader File Server.
Operating Systems Security

Operating Systems Security
EFLAG Register of The 80486 The only new flag bit is the AC alignment check, used to indicate that the microprocessor has accessed a word at an odd.

EFLAG Register of The The only new flag bit is the AC alignment check, used to indicate that the microprocessor has accessed a word at an odd.
10. Epilogue ENGI 3655 Lab Sessions.  We took control of the computer as early as possible, right after the end of the BIOS  Our multi-stage bootloader.

10. Epilogue ENGI 3655 Lab Sessions.  We took control of the computer as early as possible, right after the end of the BIOS  Our multi-stage bootloader.

Similar presentations

Ads by Google