linux-rootkit

presentation.tex (12995B)

---

 \documentclass{i20lecture}
 \usepackage{listings}
 
 \subtitle{LiveDM --- Proof of Concept}
 
 \begin{document}
 
 \frame{\titlepage}
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \section{Agenda}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}{\insertsection}
   \begin{enumerate}
    \item Background
     \begin{itemize}
         \item Dynamic Kernel Memory
         \item LiveDM
     \end{itemize}
     \item Approach
     \item Results
     \item Discussion / Questions
   \end{enumerate}
 \end{frame}
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \section{Background}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}{\insertsection}
   \framesubtitle{Dynamic Kernel Memory}
 
   \begin{itemize}
     \item Dynamic kernel memory is...
     \begin{itemize}
 \pause
     \item ...hard to make sense of -- usually, no type information is available
 \pause
 	\item ...constantly changing -- it's dynamic, after all
 \pause
     \item ...difficult to analyze!
     \end{itemize}
 \pause
     \item How can we make analysis easier?
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{LiveDM --- Overview}
 
   \begin{itemize}
 	\item LiveDM seeks to overcome these issues through Virtual Machine Introspection (VMI)
 	\pause
 	\begin{itemize}
 		\item Monitor the runtime state of a VM
 		\pause
 		\item Without altering the guest OS
 	\end{itemize}
 \pause
     \item Memory allocation events can be intercepted
 \pause
     \item Going from there, LiveDM is able to create a memory map
 	\begin{itemize}
 		\pause
 		\item This map includes type information!
 	\end{itemize}
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{LiveDM --- Overview}
 
   \begin{itemize}
     \item Three distinct stages to create the mapping:
     \begin{enumerate}
 \pause
      \item Gathering of necessary values
 \pause
      \item Determining the scope of memory monitoring
 \pause
      \item Performing type interpretation
     \end{enumerate}
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{LiveDM --- Stage 1}
 
   \begin{itemize}
     \item Stage 1 is comprised of...
     \begin{itemize}
      \item ...intercepting a set of memory allocation/deallocation functions
 \pause
      \item ...retrieving the requested allocation size, as well as the return value
 \pause
 	 \item ...identifying the caller (call site) through the stack's return address
     \end{itemize}
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{LiveDM --- Stage 2}
 
   \begin{itemize}
     \item In stage 2, the scope of memory monitoring is chosen
     \begin{itemize}
 \pause
      \item Offer snapshots of the memory map (containing type and size for allocated memory)
      \begin{itemize}
 		 \item We offer this in our PoC (\lstinline|rk-print-mem| and \lstinline|rk-data <address>|)
      \end{itemize}
 \pause
 	 \item Trace every memory (write) access on known (vulnerable) memory blocks
      \begin{itemize}
       \item We are able to showcase this in a small demo
      \end{itemize}
     \end{itemize}
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{LiveDM --- Stage 3}
 
   \begin{itemize}
     \item In stage 3, the caller's address is translated into a type
 \pause
     \begin{itemize}
      \item Relies on instrumenting GCC to retrieve abstract syntax tree (AST)
     \end{itemize}
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{LiveDM --- Motivation}
 
   \begin{itemize}
     \item Why do we need this information? Possible answers include...
     \begin{enumerate}
 \pause
      \item To make dynamic memory less transparent
 \pause
      \item To utilize this information for debugging
 \pause
      \item \textcolor{yellow}{To utilize this information for rootkit detection}
     \end{enumerate}
   \end{itemize}
 \end{frame}
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \section{Approach}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}{\insertsection}
   \begin{enumerate}
    \item Background
     \item Approach
     \begin{itemize}
         \item Tools
         \item Implementing stage 1 --- Gathering of necessary values
         \item Implementing stage 3 --- Performing type interpretation
         \item Implementing stage 2 --- Determining the scope of memory monitoring
     \end{itemize}
     \item Results
     \item Discussion / Questions
   \end{enumerate}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{Tools}
 
   \begin{itemize}
    \item Since introspection techniques are required, we need a VMM
 \pause
     \begin{itemize}
     \item Xen
     \item KVM
 	\item \textcolor{yellow}{QEMU} (in vivo introspection using GDB)
     \item ...
     \end{itemize}
   \end{itemize}
 \end{frame}
 
 \begin{frame}{\insertsection}
   \framesubtitle{Implementing stage 1 --- Gathering of necessary values}
 
     \begin{itemize}
 	\item Intercepting allocations is easy: non-blocking \textbf{breakpoints}
      \begin{itemize}
 \pause
       \item Break on function entry and exit
         \begin{itemize}
 \pause
 			\item At entry we extract allocation size
 			\item At exit we extract return value (base address of allocation)
         \end{itemize}
 \pause
       \item Has a significant performance overhead, but system is still usable
 \pause
       \item Possible improvement: hardware breakpoints
 \pause
         \begin{itemize}
 			\item Limited to a small amount
         \end{itemize}
      \end{itemize}
     \end{itemize}
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Implementing stage 1 --- Gathering of necessary values}
 
     \begin{itemize}
      \item To retrieve the size and return value of each allocation, we can rely on the System V calling convention
 \pause
      \begin{itemize}
       \item As the size is not always the first argument, we build a dictionary:
      \end{itemize}
     \end{itemize}
     \begin{lstlisting}
     break_arg = {
         "kmem_cache_alloc_trace": "rdx",
         "kmalloc_order": "rdi"
         [...]
     }
     \end{lstlisting}
 \pause
 	\begin{itemize}
 	\item[]
 	\begin{itemize}
 		\item Return values are gathered by additionally breaking on return instructions
 		\pause
 		\begin{itemize}
 			\item Look for \lstinline|ret{,q}| instruction's offset from function entry in the disassembly
 			\pause
 			\item Break on \lstinline|<function entry> + <ret offset>|
 			\pause
 			\item Retrieve return value from \lstinline|$rax|
 		\end{itemize}
 	\end{itemize}
 	\end{itemize}
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Implementing stage 3 --- Performing type interpretation}
     \begin{itemize}
      \item Translation of call sites to types
 	 \pause
      \item Possible approaches:
      \begin{itemize}
 \pause
       \item Instrumenting \lstinline|gcc| to extract AST (LiveDM)
 \pause
       \item Use \lstinline|clang| to generate an AST
 \pause
 	  \item \textcolor{yellow}{Utilize GDB's \lstinline|whatis| command to statically pre-compute type dictionary}
      \end{itemize}
     \end{itemize}
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Implementing stage 3 --- Performing type interpretation}
     \begin{itemize}
      \item Process for statically generating the type dictionary: \footnote{Fully automated, since specific to kernel sources version, build options, and compiler optimizations}
 \pause
      \begin{enumerate}
       \item Find all occurences of function calls we are interested in using \lstinline|cscope|
 \pause
       \item Iterate over the generated occurences
 \pause
       \item Extract the assigned-to symbol name at call site
 \pause
       \item Execute \lstinline|whatis| on every assigned-to symbol
       \begin{itemize}
 \pause
        \item Assumption: debug symbols for current kernel sources are available
 \pause
        \item Compound type access chains (e.g., \lstinline|desc->inbuf|) have to be recursively resolved
 	\pause
 	   \item We only require the type of the last dereferenced field, as that is what's being assigned to
       \end{itemize}
 \pause
       \item Store the results in a dictionary
 \pause
       \item Use this precompiled type dictionary in our runtime script
 \pause
      \end{enumerate}
     \end{itemize}
     \begin{lstlisting}
      "./arch/x86/kernel/e820.c:675": "type = struct e820_table *",
      "./arch/x86/kernel/e820.c:681": "type = struct e820_table *",
 	 [...]
     \end{lstlisting}
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Implementing stage 3 --- Performing type interpretation}
     \begin{itemize}
      \item Once a breakpoint is encountered, we can walk the stack with gdb...
     \end{itemize}
 \pause
     \begin{lstlisting}
     #0  __kmalloc (size=168, flags=6291456) at ./mm/slub.c:3784
     #1  0xffffffffa9384095 in kmalloc (flags=<optimized out>, size=<optimized out>) at ./include/linux/slab.h:520
     #2  bio_alloc_bioset (gfp_mask=6291456, nr_iovecs=<optimized out>, bs=0x0) at ./block/bio.c:452
     \end{lstlisting}
 \pause
     \begin{itemize}
      \item ...and match the \lstinline|file:line| descriptor to a type without expensive computations
     \end{itemize}
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Implementing stage 2 --- Determining the scope of memory monitoring}
 
     \begin{enumerate}
      \item Snapshot-based approach
 \pause
      \begin{itemize}
       \item Since we already store everything gathered, this is readily available
 \pause
       \item Live allocations can be listed with \lstinline|rk-print-mem| and interpreted with \lstinline|rk-data <address>|:
      \end{itemize}
     \end{enumerate}
     \begin{lstlisting}
     > rk-print-mem
 	  type: struct task_struct *, size: 3776 B, address: 0xffff8e72b87ce740, call site: ./kernel/fork.c:807
 	  type: struct fdtable *, size: 56 B, address: 0xffff8e72b84104c0, call site: ./fs/file.c:111
     \end{lstlisting}
     \begin{lstlisting}
 	> rk-data 0xffff8e72b84104c0
 	  resolving 0xffff8e72b84104c0 to type = struct fdtable *
 
 	  $17 = {
 	    max_fds = 256,
 	    fd = 0xffff8e72b8ea4800,
 	    close_on_exec = 0xffff8e72b8411800,
 	    open_fds = 0xffff8e72b84117e0,
 	    full_fds_bits = 0xffff8e72b8411820,
 	    rcu = {
 	  	next = 0x0,
 	  	func = 0x0
 	    }
 	  }
     \end{lstlisting}
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Implementing stage 2 --- Determining the scope of memory monitoring}
 
     \begin{enumerate}
      \setcounter{enumi}{1}
      \item Memory-access tracing
 \pause
     \begin{itemize}
      \item Would require some advanced techniques (e.g., page unmapping) for full coverage
 \pause
     \item Not feasible within the given time frame
 \pause
     \item Instead, we will demonstrate a small example based on \textit{hardware} watchpoints
 		\begin{itemize}
 		  \item Warn when critical values are written to traced blocks
 		\end{itemize}
     \end{itemize}
     \end{enumerate}
 \end{frame}
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \section{Results}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Demo 1 - Allocation \& Deallocation}
     \begin{itemize}
      \item We will demonstrate the output in a running system now:
      \end{itemize}
      \begin{lstlisting}
       Allocating ('type = struct elf64_phdr *', 616, './fs/binfmt_elf.c:441') at 0xffff8d96b8857000
       Allocating ('type = char *', 28, './fs/binfmt_elf.c:762') at 0xffff8d96ba5d98e0
       Allocating ('type = struct elf64_phdr *', 504, './fs/binfmt_elf.c:441') at 0xffff8d96bb4b1e00
       Allocating ('type = void *', 168, './block/bio.c:452') at 0xffff8d96ba14bcc0
 
      \end{lstlisting}
 
 \end{frame}
 
 \begin{frame}[fragile]{\insertsection}
   \framesubtitle{Demo 2 - Rootkit Detection}
     \begin{itemize}
      \item We will demonstrate the rootkit detection in a running system now:
      \end{itemize}
      \begin{lstlisting}
         //inside the vm, rootkit is loaded
         > make_me_root
      \end{lstlisting}
      \begin{lstlisting}
         ((((struct task_struct *)0xffff8d96bb6849c0)->real_cred)->uid) changed from val = 1000 to val = 0
         WARNING: critical value 0 set to ((((struct task_struct *)0xffff8d96bb6849c0)->real_cred)->uid)
 
      \end{lstlisting}
      
 
 \end{frame}
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \section{Discussion / Questions}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}{\insertsection}
   \begin{center}
     \LARGE \dots
   \end{center}
 \end{frame}
 
 
 
 \end{document}